A few days ago I promised “tomorrow” a column about the future of data security. Then, just as the electrons were flowing on that DefCon column, I bought on eBay a 1978 GMC Royale motorhome in Bismarck, North Dakota that Channing and I have been trying to bring home ever since. We’ve so far broken down in Fargo, North Dakota (air suspension leak) and Brookings, South Dakota (ignition failure), but are now back on the road headed for California. We met Rick, the tow truck driver who used to be a rodeo bull rider, and Wayne Westerberg, the RV mechanic who gave up his Friday night to get us back on the road. Try Googling Wayne’s name for a surreal component to this adventure, which I’m sure is far from being over.
Back to data security. That DefCon column was about the simple days of hacking and cracking 20 years ago — a time when the only person really making money from data security on the consumer side was probably John McAfee. So much has changed since then. Today billions are lost and stolen through thefts of both data and financial instruments. Data theft is being viewed as a military problem and the term cyber warfare is rampant (more about that in part three of this series, which I’ll write during our next breakdown). What we know for sure is that we can’t go home again: vulnerability will be part of the game as long as we as a culture choose to interact and do business online.
We can’t or won’t give up the Internet and the mobile transition seems at this point inevitable, so how will we, as a culture, come to terms with this mixture of increased vulnerability and decreased privacy?
Insurance.
I am not making this up.
Here’s an interesting document from the White House outlining the advantages of what they are calling cyber insurance not just as a way to compensate people and businesses for their loss of data, but actually as an alternative to government regulation.
It’s important to understand that the larger thrust here is this alternative to regulation. Actual insurance is secondary to behavior modification.
The idea is that all the government has to do is require that organizations get cyber insurance, then rely on the insurance companies to regulate customer behavior or those customers risk being cancelled. If interests are properly aligned this process can work quite efficiently, they argue.
With the U.S. government in a state of political paralysis, I can easily see something like this happening. Since the cyber insurance proposal is coming from the White House while being ruthlessly pro-business, it is likely to get broad bipartisan support.
But we all have to understand that this proposal would take something we’ve been thinking of as a law enforcement or even national security function and make it into a financial service.
Remember those banks that were too big to fail? Now we are going to rely on them to protect our data while at the same time guaranteeing them a profit for doing so.
Am I the only one who finds this unnerving?
Following data security best practices is a good idea and doing so would be the heart of cyber insurance. At the same time it could expose everything about us to the insurers. If we worry about guys down at the FBI wading through our stuff shouldn’t we worry even more if the wader is some entry-level clerk at Prudential?
This might be good news, it might be bad news — I simply don’t know. What I do know is that there’s been little public discourse about it and unless we raise our game and start talking we’ll find a new bureaucracy in place that we don’t understand and that can’t be good.
Bob,
I don’t see the need of some entry-level clerk at Prudential perusing a company’s data to check on its security requirements. That would seem to be more a question of its data security infrastructure and safeguards, not the contents of its confidential data.
I wonder why you purchased a motorhome? Are you going to finish the last part of the Cringely Startup Tour?
Nor is there any need for the FBI/CIA/NSA or anyone else to look at our data or activities, either, yet they still might. My point here, Charles, is that as long as we are buying insurance we’ll be subject to security audits and audits imply access. I don’t think you and I will be getting cyber insurance but I think every business will be required to — the very businesses that have been losing our data right and left.
I’m not intrinsically opposed to such insurance, I just want to better understand what it could mean to my quality of life.
It is not enough to give someone my keys then tell them they aren’t allowed to drive.
What is it with this Dear Leader Obamao guy?
The answer is always to “require that you buy insurance”….whether it be “health” or “data”. Sounds like the Chief Street and Race hustler is a one trick pony does it not?
Save us your racist hate. As Bob mentioned, this is a bipartisan push.
As Bob responded “I’m not intrinsically opposed to such insurance, I just want to better understand what it could mean to my quality of life.” The devil, and the argument, is in the details.
I received a letter from Discover telling me to take a few minutes and give them my annual salary and where I worked. I looked this up on the internet and our government has passed a law that requires credit card companies ensure that they do not allow their customers to over extend their debt. I suspect that I won’t fill in the blanks. If they can’t figure this out from my spending history, then they deserve to go bankrupt.
This is just another in many small steps taken by our government to protect us. Which in the end will restrict our rights. The biggest concern of our founding fathers was for the individual to maintain their freedom of conscience.
“If they can’t figure this out from my spending history, then they deserve to go bankrupt.
This is just another in many small steps taken by our government to protect us.”
I think there are three different issues here.
Firstly, a lot of people have economic mishaps: they lose their jobs, their spouses pack up and leave (you with the kids) etc. What most people do not do is to (even if they can) immediately adjust their spending to match the level of income. Instead, they keep it up as usual, hoping that the problem afflicting their economy is temporary. The prime method of doing this is borrowing money, and the easiest way is to max out your CC.
Secondly, your credit institution asking you a few dumb questions (without any level of checking) is idiocy. I swapped from being a full-time managing director to being a full-time student a few years back. I received no nice severance package so my account has been pretty much empty since then. Even so, my credit limit is still unadjusted – to be frank, my credit level equals seven times my current annual income. Had those companies asked me a few dumb questions, I might not have lied, and their economic risk (which has currently been held at bay only due to me not being a big spender) would have decreased.
Thirdly, I think you’re missing the point. Credit card companies and other lenders being interested about their risk exposure and the pay-ability of their creditors is not something a company should have to be forced to do by the government.
And by the way, it’s not the government protecting you from yourself, it’s the government’s (admittedly feeble) attempt to protect OTHER tax-payers from having to carry the burden of saving financial institutions who have borrowed money to risky lenders.
RGDS,
All I found when Googling the name is a book/movie called “Into the Wild” with “Vince Vaughn as Wayne Westerberg”.
http://en.wikipedia.org/wiki/Into_the_Wild_(film):
“By September, McCandless stops in Carthage, South Dakota to work for a contract harvesting company owned by Wayne Westerberg (Vince Vaughn), but he is forced to leave after Westerberg is arrested for satellite piracy.”
That’s my RV mechanic! He has Sean Penn’s Buick Grand National parked in his garage. We worked on the RV together while Channing and Wayne’s kid did donuts in a golf cart.
Nice. Grand National…fastest production car in 1986.
Can’t wait to see the new art work on this RV. The last one was easy to spot. I hope this one is equally recognizable.
…
BTW Do they have an auto-club for RV’s? Does it work?
No wrap on this RV, which is intended to be a stealth vehicle for my latest project. This one is eight feet shorter, a foot narrower, and has TWICE the horsepower. We’ve been going the speed limit (when it runs) and getting 11 mpg, which is otherworldly RV mileage. AAA offers RV coverage but we use Good Sam, which picked up the tab on that 35 mile tow that would otherwise have cost me $500+.
Uh, huh? The dysfunctional government seems to be making everyone mad. Cyber Insurance??? Let’s start with the purpose of insurance: it is to provide assistance in the case of rare events. Car insurance helps with car accidents, which aren’t that rare, but the considerable price of the premium reflects this. Home owner’s/renter’s insurance helps in case of fire, and life insurance in case of early death, which are rare events. But how do we pick rare events that would be covered by cyber insurance? Surely customer financial data getting out in the open would be pretty clearly a case for cyber insurance, but this is general liability; also it seems like it most often happens to government agencies, which wouldn’t carry cyber insurance. But are malware infections covered? They are not rare. If so we have a system more like our broken health care system run by corner cutting insurance companies and price gouging corporate medicine with no real consideration of health.
Take then the PCI compliance farce run by the credit card companies. No small business can legitimately claim to pass so they pay higher transaction fees but the most common form of credit card fraud? Employees stealing credit card data at the time of a transaction. Think an insurance company would do any better? MBA’s don’t have to take computer security courses.
No.

A) We need to stop vilifying the internet and mobile. We don’t need cyber insurance because of the internet. We needed cyber insurance just as much in the days of mainframes. Insider attacks have been and continue to be the real threats. Sure they have shifted the way we work and made the threats faster, but consider the internet has nothing to do with the RFID chip in my passport which can be read and cloned if I take it out of its protective cover. That’s a stupid security decision by people that have no security background.

B) Still there is much biting of the proverbial bullet that needs to occur at many levels of government and business. For instance we need to have one time use credit card numbers. Yes one click checkout will be a thing of the past and credit cards will be more expensive to manufacture, but this is the real fix for storing credit card numbers. Trying to get retailers to take expensive and questionable measures to secure stored numbers was never going to work. Any MBA could have told you business was going to look at costs and find the cheapest solution, not protect credit card numbers of consumers. The real solution is to make the practice of storing such numbers worthless. One time use numbers also actually address the common threat of a waiter or retailer skimming the card info and selling it.

C) Government does have a role to play. Affirming the right to privacy by adding transparent oversight of spying programs would go a long way. It’s kinda like telling other countries that they should not have nuclear weapons while stockpiling them ourselves; doesn’t work so well. Unilateral nuclear arms reduction sets a positive tone if you want other countries to do the same or never build them in the first place. Same thing with privacy and financial data. By better protecting American rights and liberties with transparency, government can actually build a bully pulpit.
Or perhaps this is just training us to become better liars.
“Here’s an interesting document from the White House outlining the advantages of what they are calling cyber insurance…At the same time it could expose everything about us to the insurers..shouldn’t we worry even more if the wader is some entry-level clerk at Prudential?
I worry about the high school drop outs at the Booz Allens and the Cass Sunsteins in the White House.
The White House produces interesting documents every day – Obama’s Information Czar, Cass Sunstein, wrote a paper about cognitively infiltrating groups: https://www.youtube.com/watch?v=4OIiOztc52g
“Remember those banks that were too big to fail?…Now we are going to rely on them to protect our data while at the same time guaranteeing them a profit for doing so.”
No need to guarantee them a profit – insider trading will take care of their profits. Haven’t these financial institutions lost trust? Lehman Brothers used an accounting maneuver (Repo 105) to report liabilities as assets. John Oliver notes that the Monopoly game has eliminated the go to jail card and trashes Goldman Sachs over aluminum price fixing that made billions: https://www.youtube.com/watch?v=eoaGEx01_0E
Few if any producers of software will certify their creations from a security perspective. The proof to me has been the numbers and frequency of emergency patches that we end up slapping on our code base to deal with zero-day exploits. I think this attitude started with Microsoft’s shrink-wrapped EULAs which have always spelled out the caveat emptor (buyer beware) “our software is not guaranteed for any purpose” or words to that effect – which most other producers of software have emulated in their own license agreements – including free/open source licenses. Perhaps I’m being unfair to Microsoft – maybe someone else started the insanity – but I don’t think so.
This ‘get out of jail free card’ has led producers of software I have had contact with to become lazy and thoughtless in the development and implementation of software from a security perspective. When asked about code reviews and secure coding practices, they shrug their shoulders and look at me quizzically – and point out their license agreement does not guarantee merchantability/fitness and so on – though they will provide maintenance (patches) for an annual fee. I don’t have any reason to believe other commercial vendors I have not had dealings with do not do the same when the pressure to deliver overrides the pressure to do it right. This, of course, leads to patches, and perhaps more zero-days as the patches impact other software components in not clearly understood ways. In a way – I’m already paying insurance in the form of these maintenance agreements.
The word from the hacking world is that we will continue to see exploitation of zero-days as long as developers do not address secure programming. I won’t argue that doing that is easy. However, will developers have a choice in a world where billions of dollars in insurance pay-outs are at stake? Assuming I (as a commercial developer) implement my application securely, what about all the pieces of code in between the customer and my server? What about the operating system and support applications on the machine hosting my application? What about the embedded microcode in the chip that implements the higher level abstraction that is the CPU (made in Taiwan or China)? What about those things in all the machines that my application’s traffic traverses as it travels the internet? All of those things have the potential to expose my application or its data to exploitation one way or the other.
Ultimately it comes down to the question, “who do you trust?” Unless you can control the implementation of every piece of software, firmware and hardware your applications reside on, and their communications traverse through – you will not be able to certify your implementation is really secure. Since that is out of the question, how do you take the guesswork out of the decision of what software/products to trust versus what to run away from screaming?
What do you think about this as a possible solution: a certification ‘badge’ that says a particular software or hardware product is certified secure? The product in question would have to have all of its code open for review by independent auditors. It would also be stress tested in a live environment by anyone who cares to try to break the system, with awards for each exploit detected. Upon passing these tests over a given timeframe, it would be awarded the badge. At first, I don’t think many systems will pass the test. But as more do, momentum would grow as purchasers of these systems might get discounts on their insurance, if they use ‘badged’ products in their networks vs. non-badged, and so on…
I think this would drive developers to go back to their engineering roots and really approach systems development with the KISS principle (Keep It Simple Stupid) in mind. I think it would also drive developers to more formally break development capabilities into two areas: systems development vs. applications development – so that the security aspects (e.g. memory allocation/deallocation management – source of many buffer overflow exploits) are abstracted away from the application developers (why is it that applications developers have to reinvent the systems level security wheel every time they create a new app? Doesn’t make sense to me). Finally – due to the need for open access to code and test implementations – it would quickly define who to trust, and who are the snake oil salesmen in the pack.
Will this ‘Cyber Insurance’ drive a sea-change in the way we develop software/systems as above (or some other way)? Or, will developers/service providers become even more lax?
If the government and Dear Leader Obamao require certification of software then you can depend on the fact that this is the start of cartelization of software. Poor clueless Obama only understands raw naked force. A free market for anything is quite apparently against the grain to him. Not enough angle for the government.
I suspect even (and especially) Microsoft to decry the certification of Software, while Open Source will be lukewarm – welcoming it to get better acceptance, but also decrying it as a misnomer to real security (which it will be).
Looks like this was your purchase.
EBAY Item #111117851337
Seller made it sound perfect but obviously it needed work.
Air Suspension Leak and Ignition failure are signs of long term storage.
Wonder how long it sat around.
Any rubber pieces are probably suspect such as bushings and seals.
Best to get that checked out.
Bruce Schneier has been advocating insurance for years.
A grocery store chain here was compromised last winter. The scope of the problem is mind boggling. Every bank has to replace every credit and debit card. The banks, grocer, and their insurance companies are covering the costs and losses. This grocer had good security, met all the PCI rules, and the cyber thieves found a way to get in and do a lot of damage.
…
I am sorry but insurance alone will not be enough. This is now a serious problem. About ninety years ago the US Government established the FBI to combat serious crime problems of the day. This problem deserves nothing less.
…
Our state’s attorney general has announced the stolen funds are out of the reach of the US legal system. This is a serious problem that needs a serious solution. In other areas of trade and business when a government allows fraud some sort of trade restrictions or embargo usually results. Maybe we should start blocking those countries from using the Internet.
I’ve always liked the look of the GMC motor homes but unfortunately 1970s GM products in general had/have very poor reliability. I hope you have a good mechanic who really knows this vintage GM beast inside and out, because you’re really going to need the help. Here’s hoping your new ride proves me wrong.
I was worried about that too. I did a little research on GMC motor homes. In the 70’s and 80’s the big problem was with the emission control systems they added to cars. They were just good enough to pass federal regulations and get the car off of the dealer’s lot. In many cars (including mine) those emission systems proved to be a problem for their whole life. It looks like GM treated their motor homes as “trucks” which were exempt from the regulations and the engine didn’t need all the extra garbage added to it. If I’m correct then Bob’s motor home should be a LOT more reliable and a lot easier to fix than cars made during that time.
It’s a complex vehicle for the era and of course has lots of RV-specific systems to fail. Too many parts are original, notably both the fridge and the water heater, neither of which look safe enough to even use. They’ll get replaced immediately. But many parts are new including virtually the entire suspension, despite that air leak (now fixed). The ride on this thing is amazing! As a transporter of humans it has 13 seat belts! As a home for humans it can sleep six. Fortunately there are active user groups and lots of aftermarket parts. One of the three big parts suppliers and service centers is Applied GMC in the Bay Area, so that’s not an issue. When we get home the first change will be to upgrade the brakes to disks on all six wheels (stopping is iffy at best). Then I’ll add an aftermarket cruise control because the GM version failed long ago and driving 8-10 hours per day my foot is getting tired. Fuel injection would be nice but Channing and I calculated the payback at 30,000 miles!
I’ll pretend I did not read “stopping is iffy at best.”
Hahahaha! The ~~old lady~~ beautiful wife is even getting in on the act!
I missed the part where you hate on Obama…dropped packet?
The fridge and heater are the start of it. Beware of the oven and furnace, as well. In 20 years trailering, the oven became dangerous enough to cap off, and I was seeing holes in the firebox of the furnace for at least 10 years before we sold the family Forester. Gas regulator was not good either; attracted lots of bees due to leaks. You are going to have to go through the appliances with a bottle of soapsuds and glycerin, or buy a commercial leak detector solution. The tank ends are also illegal now and they and the tank regulators will need replacement to get refilled.
Trailering/RVing is a nice vacation life. The pigs become maintenance hogs after about 10 years, though.
I must admit, I’m not seeing 20k there; the market for these things is very soft. Also, you will not be putting fuel injection on it and getting it smogged in California, as it must be stock (or CA certified, which is not happening). The mailing list/message board is very handy. Get Manny to put his reaction arm system on it, and service the brakes before you decide to go with disks; you should be able to lock all 6 tires with that setup. Get a vacuum pump, you don’t want to try to stop with no vacuum assist; you get one application with the stock setup.
But look around, there is a ton of info on these.
And I don’t know why people are hating on Obama, he’s just Bush’s 3rd & 4th term, policy wise, by and large.
“…he’s just Bush’s 3&4th term, policy wise, by and large…” If that is true it’s thanks to the Republicans’ opposition in Congress. Obamacare and other government wealth redistribution schemes would not be a part of any conservative agenda.
“Remember those banks that were too big to fail? Now we are going to rely on them to protect our data while at the same time guaranteeing them a profit for doing so.”
Those banks also cannot keep their data secure. For releasing 8MB of modified open source code uploaded to an SVN repo server, Serge Aleynikov remains the only Goldman Sachs employee since the 2008 financial meltdown to have actually served time in prison. Double jeopardy – you can’t be tried for the same thing twice – doesn’t apply when Goldman is after you.
https://www.vanityfair.com/business/2013/09/michael-lewis-goldman-sachs-programmer
Jaime Lalinde interviews Michael Lewis on Goldman Sachs: The Company Would Flourish Under Totalitarian Rule. Eric Margolis asks, Are We Becoming What We Once Hated?
http://ericmargolis.com/2013/08/are-we-becoming-what-we-once-hated/
I just read the entire story about how Goldman persecuted Serge Aleynikov. Seems if Goldman calls the cops they get instant response at the highest levels.
This is wrong on so many levels.
We’ve already seen with health care where the insurance companies get money while they become agents of the government to do the politicians’ bidding. Here we go again.
Am I hearing the sound of right-wing heads exploding at this idea? The way I see this is that the White House is proposing that private sector create an insurance mechanism to deal with this issue instead of creating regulations. How is this a communist plot?
Hayek, a favorite economist of the right-wing, was very much in favor of insurance and social insurance in particular.
I’m at least interested in the idea. It may not be perfect but this may be a way forward as long as the interest of the individual (the person whose information is stolen) is the real beneficiary of this insurance.
Forcing the private sector to create a business that there is no market demand for may not be a communist “plot” but it is a form of communism. When the government makes demands on the private sector it is either to subsidize the business with taxpayer funds or, if a legitimate business with market demand, then the government just wants to take credit for it. (Sort of like Al Gore inventing the Internet.) Either way we shouldn’t give in to the tax-and-spenders.
Ronc -> (Sort of like Al Gore inventing the Internet.)
Oh, really. I’d have thought that a blog about actual technology would be the last place you’d see arrant idiocy like that being promulgated despite, y’know, actual reality.
I agree. But I was merely responding to a comment made previously about right-wing exploding heads and communist plots. As I mentioned below, sometimes the best we can hope for is that the government will take credit for an idea already begun in the private sector, and do nothing else that will ultimately increase taxes, inflation, or both.
Did you read the document that Bob linked to? There is no language that says insurance companies must start offering this insurance. The whitepaper simply floats an idea that standard insurance mechanisms could be used in lieu of regulations. Companies that play fast and loose with data would pay higher premiums. Those companies that do everything they can to reduce risk get rewarded with low premiums. This sounds a lot like “market forces at work”.
It’s not too surprising coming from an administration that is to the right of Reagan.
Our country desperately needs to tax the wealthy and spend on the poor and middle class. We’ve been ignoring and deferring national interests (like infrastructure) for far too long.
You said “the White House is proposing that private sector create an insurance mechanism to deal with this issue instead of creating regulations”. There is no need for anyone in government to “propose” anything. The market will have done it long before anyone in government has a clue due to the financial incentive. The next step will be for government to “propose” that it must be “affordable”, what should be covered, and then suggest subsidies or mandatory participation, just like with Obamacare. The best we can hope for is that the government will take credit for the idea and do nothing else.
It’s even more complex than that.
The US government is requiring access to back doors in Skype, Windows OS, and other programs like instant messenger, and also encryption keys, SSL codes.
Much of the government surveillance is handled by private contractors with access to all sorts of data.
I cannot see how any PC running Windows connected to the web could be guaranteed to be secure if it’s on US soil.
Why don’t the banks, large companies, financial services companies switch over to IPv6? This would make them more secure and harder to hack into, since most users, hackers are on IPv5.
Maybe bring in a law: if a company exposes 1000 customers’ info through bad security practices, or lax security on its servers, websites, IT HAS to pay 10,000 dollars to charity, e.g. 10 dollars per customer.
Bob, there seems to be a problem with your RSS link: “This webpage has a redirect loop”.
Also, when trying to add it to a feed reader like Feedly for instance, first it gives an invalid feed error then it shows no articles.
Hello from Brookings!! We’re not mentioned very often on Tech. websites…
Of course the devil is in the details, but by itself insurance against network and data related losses isn’t a bad idea. It’s finally acknowledging that these risks are real and persistent and addressing them the way we do so many other business risks: by paying someone else to assume the risk for us.
It will take some time for insurance companies to build decent actuarial models and this process is complicated by the fact that companies are so reluctant to share data about security breaches. It’s relatively simple to get data about how many buildings burn down or are damaged by floods. Data related losses are not necessarily visible and companies often try hard to hide them.
It looks like Ark II
Regarding your new motorhome, it’s funny because for several years there has been an older motorhome parked in a lot alongside the 101 Fwy in Windsor or Santa Rosa, with your name emblazoned on the side.