Did Facebook Manipulate Your Emotions? Not Really. But Journalists and the Blogosphere Are!

There has been substantial outrage by vocal journalists and Internet denizens since Saturday over the disclosure that Facebook and social scientists from 3 universities collaborated to tweak Facebook’s algorithms to adjust the emotional content of a subset of users’ news feeds for a week in 2012. Interestingly, it wasn’t until 12 days after The Wall Street Journal published a story that didn’t touch on the ethical aspect of the research that others became angry. And that was 6 days after it was covered by the Cornell Chronicle. I pondered the ethical aspect and the implied informed consent in a couple of tweets the same day the WSJ article was published, but my wording wasn’t incendiary, it was approaching midnight, and my social influence on Twitter is fairly limited.

I am an avid reader of research in the areas of psychology, sociology, social media, and behavioral economics so I was intrigued and began reading the research paper. I keyed in on the researchers’ position that the users’ agreement to Facebook’s Data Use Policy constitutes informed consent.

LIWC was adapted to run on the Hadoop Map/Reduce system (11) and in the News Feed filtering system, such that no text was seen by the researchers. As such, it was consistent with Facebook’s Data Use Policy, to which all users agree prior to creating an account on Facebook, constituting informed consent for this research.

Let’s refer to the Data Use Policy. I’ve been kind enough to link directly to the full version of it. To find it, go to facebook.com, click “Terms” at the bottom of the page, click “Data Use Policy”, click “Information we receive and how it is used”, scroll down to the “How we use the information we receive” section, and after reading through content containing 1,751 other words, you’ll see:

“[we may use the information we receive about you] for internal operations, including troubleshooting, data analysis, testing, research and service improvement.”

Only a tiny percentage of people read websites’ terms of service and privacy policies. And most sites’ relevant documents aren’t as verbose and overwhelming as Facebook’s. Regardless, the use of the single word “research” is ambiguous and to say that constitutes “informed consent” is rather disingenuous and it’s a slippery slope. Where is the line drawn? Would it be OK to correct misspellings, punctuation, and grammar errors? Would it be OK to display a false relationship status for your significant other (it’s complicated!) to gauge your reaction? At least so long as it’s in the name of research?

The Facebook data scientist who was involved in the research, Adam D. I. Kramer, has since said that Facebook has been working on improving its internal review practices. I hope they will consider adopting the Common Rule or something comparable that fits their needs and meets user expectations, adopting transparency about the process and the results. I appreciate that telling the users they were selected to participate in the study (especially if allowed to opt-out) could result in at least one type of bias, poisoning the validity of the results. But there’s little reason they couldn’t have been told afterwards. It’s been more than 2 years since the research. Will they be told now?

Kramer also said:

The goal of all of our research at Facebook is to learn how to provide a better service.

Though Facebook benefits from the research, the research wasn’t intended to allow Facebook to learn how to provide a better service. It was funded by the Army and a private foundation, presumably to determine how exposure to online content influences readers’ emotions. Based on the conclusions drawn, should we expect Facebook to censor, filter, limit, or alter content that it expects may have an adverse impact on our moods?

But what’s lost in the outrage is that the research itself is flawed. Highly flawed. It didn’t actually measure emotions or mood – it was a linguistic analysis of word counts of negative and positive words as a proxy for sentiment. It was based on counting the number of positive words and negative words in the users’ news feeds. The tool, LIWC2007, is a great tool for analyzing lengthy texts like books, but it is not designed to analyse short text like the text typically found in Facebook content. Its usefulness for the types of messages found in Facebook News Feeds is highly suspect.

LIWC2007 simply scans for the appearance of a pool of almost 4,500 words and word stems and increments a specific category counter if a match is found. Let’s assume the categories are “negative emotion” and “positive emotion” (it’s actually somewhat more complex than this, but for this discussion this will suffice). In the sentence “I’m not pleased with my happiness.” the words “pleased” and “happiness” will increment the positive emotion counter twice and the word “not” will increment the negative emotion counter once. So a sentence which is clearly negative will not be rated that way. And never mind the sentiment expressed by emoticons, images, and emoji, which are much more commonly used in News Feeds than in longer texts elsewhere. Sarcasm, slang, abbreviations, quoting of others, and other factors also complicate matters.
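To make the counting behaviour concrete, here is an added toy re-implementation of the LIWC-style bag-of-words count (my own example, not LIWC2007 or the paper’s code). The dictionary is a constructed stand-in for the real 4,500-entry lexicon, and “not” is filed under “negemo” only to mirror the simplified two-category assumption above; it reproduces the miscount on the sentence from the post and shows that emoticons never reach the counters.

```python
import re
from collections import Counter

# Constructed toy lexicon in LIWC-style form: a trailing "*" is a stem that
# matches any continuation ("happ*" matches "happy", "happiness", ...).
# This is NOT LIWC2007's real dictionary; "not" is placed under "negemo"
# only to mirror the simplified categories assumed in the post.
TOY_DICT = {
    "posemo": ["pleas*", "happ*", "love*", "great", "good"],
    "negemo": ["not", "sad*", "hate*", "angry", "worst"],
}


def compile_dictionary(dictionary):
    """Turn each category's word/stem list into one anchored regex."""
    compiled = {}
    for category, entries in dictionary.items():
        alternatives = []
        for entry in entries:
            if entry.endswith("*"):
                alternatives.append(re.escape(entry[:-1]) + r"\w*")
            else:
                alternatives.append(re.escape(entry))
        compiled[category] = re.compile(r"^(?:" + "|".join(alternatives) + r")$")
    return compiled


def tokenize(text):
    """Lowercase word tokens; apostrophes are kept so "i'm" stays one token.
    Anything that is not letters (emoticons, punctuation) is silently dropped,
    which is why ":(" never influences the count."""
    return re.findall(r"[a-z']+", text.lower())


def count_categories(text, compiled):
    """Bag-of-words count: every token matching a category increments it.
    Context (negation, sarcasm, quoting) is ignored, which is exactly the
    weakness described in the post."""
    counts = Counter({category: 0 for category in compiled})
    for token in tokenize(text):
        for category, pattern in compiled.items():
            if pattern.match(token):
                counts[category] += 1
    return counts


def classify(text, compiled):
    """Return ("positive"|"negative"|"neutral", counts) from raw counts alone."""
    counts = count_categories(text, compiled)
    if counts["posemo"] > counts["negemo"]:
        return "positive", counts
    if counts["negemo"] > counts["posemo"]:
        return "negative", counts
    return "neutral", counts


if __name__ == "__main__":
    compiled = compile_dictionary(TOY_DICT)
    for sentence in ["I'm not pleased with my happiness.",
                     "Great, just great. :(",
                     "I hate this, worst day ever."]:
        print(sentence, "->", classify(sentence, compiled))
```

The first sentence comes out “positive” (posemo 2, negemo 1) and the sarcastic second one as well, because the frown is discarded during tokenization.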

And if that’s not enough, the impact which was discovered, while statistically significant, is practically insignificant.

When positive posts were reduced in the News Feed, the percentage of positive words in people’s status updates decreased by B = −0.1% compared with control [t(310,044) = −5.63, P < 0.001, Cohen’s d = 0.02], whereas the percentage of words that were negative increased by B = 0.04% (t = 2.71, P = 0.007, d = 0.001). Conversely, when negative posts were reduced, the percent of words that were negative decreased by B = −0.07% [t(310,541) = −5.51, P < 0.001, d = 0.02] and the percentage of words that were positive, conversely, increased by B = 0.06% (t = 2.19, P < 0.003, d = 0.008).

In other words, a decrease in positive words in a user’s News Feed caused an average of a 0.1% decrease in positive words in the user’s status updates and a 0.04% increase in negative words. A decrease in negative words in a user’s News Feed caused an average of a 0.07% decrease in negative words in the user’s status updates and a 0.06% increase in positive words. That’s hardly significant.
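As an added worked check (my own code, not the paper’s), the effect sizes can be recomputed from the reported t statistics and degrees of freedom. It assumes two groups of roughly equal size, so d ≈ 2t/√df, and that the two rows quoted without a df share the df of the preceding row of the same experiment; three of the four reported d values are reproduced to two decimals under that assumption, the fourth is not.

```python
import math

# Results as quoted in the post: (label, B in percentage points, t, df, reported d).
# Assumption: the rows reported as "t = ..." without a df reuse the df of the
# preceding row from the same experiment.
REPORTED = [
    ("positive posts reduced -> positive words", -0.10, -5.63, 310044, 0.02),
    ("positive posts reduced -> negative words",  0.04,  2.71, 310044, 0.001),
    ("negative posts reduced -> negative words", -0.07, -5.51, 310541, 0.02),
    ("negative posts reduced -> positive words",  0.06,  2.19, 310541, 0.008),
]


def cohens_d_from_t(t, df):
    """Cohen's d for a two-group comparison of roughly equal size.
    With n1 ~ n2 = (df + 2) / 2,  d = t * sqrt(1/n1 + 1/n2) ~ 2|t| / sqrt(df)."""
    return 2.0 * abs(t) / math.sqrt(df)


def interpret_d(d):
    """Cohen's conventional thresholds: 0.2 small, 0.5 medium, 0.8 large."""
    if d < 0.2:
        return "negligible"
    if d < 0.5:
        return "small"
    if d < 0.8:
        return "medium"
    return "large"


def words_per_thousand(b_percentage_points):
    """Translate a B of e.g. -0.1 percentage points into words per 1,000 words
    of status-update text: 0.1 per 100 words is 1 per 1,000."""
    return b_percentage_points * 10.0


def check_reported(rows=REPORTED, tol=0.005):
    """Recompute d for every row and flag whether it agrees with the reported d."""
    results = []
    for label, b, t, df, d_reported in rows:
        d = cohens_d_from_t(t, df)
        results.append({
            "label": label,
            "d_computed": round(d, 4),
            "d_reported": d_reported,
            "agrees": abs(d - d_reported) <= tol,
            "magnitude": interpret_d(d),
            "words_per_1000": words_per_thousand(b),
        })
    return results


if __name__ == "__main__":
    for row in check_reported():
        print(row)
```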

I strongly encourage you to read the full research paper and draw your own conclusions.

5th Annual Security Twits NCAA Tourney Bracket Contest

For the 5th year in a row, I have created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year. The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.

To participate:

  1. Go to the tournament page.
  2. After logging in, click “Join a Private Pool”.
  3. Enter Pool ID 223387.
  4. Enter the password.

Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 3 parts of the passwords are information security related.

  1. Part 1 – First word of HVAC company whose stolen credentials led to a pretty big breach of a pretty big retailer in 2013 during the most important shopping period for retailers
  2. Part 2 – Date support for a version of Windows ends in 2014 (MMDD format)
  3. Part 3 – Name of malware allegedly discovered in 2013 which may use microphones and speakers to infect air-gapped computers

In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.

Your final picks must be submitted by Thursday, March 20 at 01:00 AM EDT (the 4 play-in games earlier in the week aren’t part of the contest).

The fine print:

And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited. ;-)

I’ll post updates here and on Twitter periodically.

(ISC)² Board Election – Candidates’ Responses Concerning Member Engagement & Transparency

I am one of the ~90,000 members of (ISC)². Though I’m active in the information security community, saying that I’m active in (ISC)² would be an inaccurate characterization. I maintain my CISSP certification by abiding by the code of ethics, maintaining my CPEs, and paying an annual maintenance fee of $85. Like many of my peers I’ve had conversations with over the last couple of years, I feel that there are opportunities for (ISC)² leadership to better engage its members and govern the organization more transparently. In order to make a more informed decision before casting my ballot in the (ISC)² Board election, I tried to reach out to all of the candidates on the Board slate, as well as those running write-in campaigns, to ask a couple of questions concerning engagement and transparency. I was pleased that 9 of the 11 responded and I’m appreciative that they took the time to write such thoughtful responses.

My email to the candidates is below, followed by the responses of those who explicitly stated that they were willing to have me publish them. I am waiting to hear back from a few to get their explicit permission to share. All of the responses are posted verbatim, with minor editing for formatting and to remove text giving permission to re-post, offers to elaborate, salutations, etc. I successfully made contact with David Kennedy, Doug Andre, Flemming Faber, Freddy Tan, Howard Schmidt, Jennifer Minella, Kiebler Melo, Richard Nealon, Rik Ferguson, and Tony Vargas. I’ve been unable to reach Greg Mazzone. If anyone is able to share his email address or put him in touch with me, I’d appreciate it. With the exception of Flemming Faber, the rest have responded to my questions, and all but David Kennedy, Flemming Faber, Freddy Tan and Kiebler Melo have given explicit permission to share their responses. I’m following up with those 3 to ask whether they’ll give permission to share their responses. I’ll add additional candidates’ responses if/when permission is granted.

My inquiry:

I’ve reviewed the information you’ve shared online concerning your (ISC)² candidacy and I’m excited about what you hope to accomplish if elected. As a CISSP and active member of the information security community, I want to make an informed decision before voting this month. Though a candidate’s platform is important to me, I am also very interested in member engagement and transparency and believe that these are areas of great opportunity for you and fellow candidates.

Would you mind sharing how you intend to engage the members of (ISC)² during your term? And how you will address transparency so that (ISC)² members have better visibility into the vision, direction, progress, and challenges of the (ISC)² Board?

With your permission, I’d also like to share your response via the Web so that fellow members of (ISC)² can consider it before voting. I am attempting to reach all candidates to give them all an opportunity to answer these questions and asking that they consider allowing me to share the responses with others via the Web.

And thanks for your current and past service to the information security community.

David Kennedy’s response:

For me, transparency is everything. I think some of the issues in the past around ISC2 have been around the sharing of information and making it more of a community driven consortium and continuing to move the marker in security. This is something that I believe openly in and have always been an advocate of keeping people informed because ultimately, I was voted in by the same people. I don’t claim to know everything or what will be perfect, but having community driven transparency and support helps with the direction and objectives in making sure ISC2 is moving on the right path with the INFOSEC community. With any group, the CISSP is just a certification, but the organization should be one that focuses on the betterment of the INFOSEC industry as a whole. That’s my goal and the reason for running. I think I can add and help to that direction because I am a community driven and centric individual. All of my open source projects, DerbyCon, and others are all designed to take inputs in from the community and work as one cohesive group. ISC2 is a great avenue to get the right message out to folks and really steer the community in a direction to where we can get proactive with security. It’s exciting for me and something that I look forward to if everyone will have me.

To address some of your questions below, specifically I will have clear objectives that I want to meet and communicate those with ISC2 members and ask for advice. Tracking those will be important and clear goals of meeting those needs to be established. I want to make sure that the direction I take is that of others and the community, that’s the most important piece to making all of this work.

Doug Andre’s response:

As a single Board member, I would intend to engage membership more in social media, forums, focus groups and chapter meetings. I would also try and push (ISC)2 to communicate in a similar fashion as the masses often do not go to a single website anymore to get information, so mobility is a key factor. I do not feel the BOD has done a good job communicating with members and some type of communication channel with the membership should be created, but there would have to be some type of controls in place as the BOD would not have the bandwidth to answer the flood of emails or tweets. I have been harping on better use of the Chapters through the strategy work, so maybe utilizing the Chapters to filter membership needs, wants, and gripes could be a good way to filter the workload and actually vet what the membership is communicating. It would be bad to go down a path based on the views of a vocal minority that had not been vetted with a majority of the membership and I think the Chapters would be a good way to do that. I would also like to see (ISC)2 make better use of technology in communicating with membership. The organization does a lot of face to face communication currently at Conferences and member forums across the globe, but I would like to see better use of virtual communication or “town halls” so to speak using technology such as Google Live or something similar. Travel dollars are scarce and members often are not able to travel to these conferences and forums, so a better way of communicating with them needs to be investigated.

I also agree with you in that the BOD needs to be transparent with the membership. As Chairman of the BOD Strategy Committee, I was successful in collaborating with my fellow BOD committee members in getting a new member focused strategy adjudicated. This strategy has 3-5 year goals and objectives and focuses on transitioning (ISC)2 from a certification organization to a membership organization while preserving certification capabilities and value. From a transparency perspective, should I be re-elected to another term, I would advocate publishing the Goals and desired outcomes to the membership and, in addition, implementing a balanced scorecard approach (or something similar) by developing membership focused metrics that would allow for (ISC)2 to measure where they are as an organization in achieving the goals and desired outcomes. This would allow membership to see where (ISC)2 is going and gauge progress. As part of the process (ISC)2 would need to survey the membership every other year or so to gauge a pulse as to what their wants and desires are for services, certifications, training etc. The data from those surveys would then need to be analyzed for the next round of strategy work to develop new 5 yr. goals and associated outcomes. (ISC)2 needs to strive to provide an unparalleled membership across all offerings including Chapters that sets (ISC)2 apart in content, delivery, and format.

Howard Schmidt’s response:

As to the communications with members, I see this as multi-tiered. One individually where a member would like to make a comment, ask a question or give a perspective that they see from an individual member perspective. All of the normal communications methods are available, LinkedIn, email, Facebook message, etc. I also attend a number of events where members can meet individually with me either as a group or individually. I see no shortage of opportunities to engage and do not shy away from doing so.

On the transparency issue, this is a bit more challenging as this is not often an individual board member’s sole decision (in this thread me). My default way of doing business is the more transparent the board operates the more value there is for the members and better support, even in areas where there may be disagreement. Often how much transparency is determined by the attorney, current policy (which should be able to be changed) or vote of the board. In those cases the only thing I can do is to argue for transparency to be the default and not to use it to get around being accountable or making one’s position known. This is always a difficult way of doing governance but should be a priority and embraced not only by me but everyone on the board who exercises their responsibility of servicing the membership while providing the governance we are committed to do.

Jennifer Minella’s response:

Engagement is a difficult one, only because I’m not yet familiar with the inner workings of (ISC)2 and the board. I want to be careful about promising what I will “do” and make sure the promise is of what I will push hard for, and changes and programs I will advocate for. It’s important to understand how the machine operates before one starts turning its knobs. I also don’t want to promise a lawn mower can make you buttered toast.

The first part of what seems to be in the largest state of disrepair is the (ISC)2’s communications to and from members. With around 100,000 members worldwide, I understand the immense challenges of communications; language, culture differences, diverse concentration of members, variances in priorities by region, inconsistent expectations of appropriate levels of engagement and formality. All that being said, I think doing nothing is not the right answer. If the perception (or even the reality) is that (ISC)2 is more interested in its future certifying members than its current members, there are still myriad ways for (ISC)2 to better communicate with, listen to, utilize and engage with its existing, AMF-paying 90k+ members. Sure, we get press releases and member updates, but there’s no soul, no face, no personality, and no system in place (that I know of) for member requests to filter up to the directing board. Sending press releases and member announcements by email is more of an alerting system than a communication method. We members are screaming in the dark, and no one hears our cries. We can do better.

Good communication can fix a lot of things, but that communication has to be of high quality, interesting, consistent, meaningful and two-way. Obviously with 90k+ members, the communication has to be structured, but not necessarily formal. Here are some ideas on specific ways to improve communication:

  • Monitoring the pulse. I envision something tiered that would include structured monitoring of online and in-person groups. That would include watching LinkedIn, twitter, Facebook, G+, forums (official ISC2-cert forums and maybe the top 1-2 unofficial forums per region).
  • Structured aggregated input. Plus, structured communication from chapters, regions, committee teams and any live gatherings at events; member receptions, conferences, social events. Also, a more difficult program but possibly the highest ROI, may be to have more formalized regional groups and ways for each region to communicate more closely with members local to them, and then of course filter and feed key points from those interactions back up to the board. This would be a bolt-on to the existing regional advisory councils.
  • Focus groups. Fully engage representative membership in focus groups and put in place a support system and communication process for them. I know (ISC)2 has a mechanism in place for this now, but I don’t think it’s communicated or explained well.
  • Surveys, polling, trend analysis. That sort of intelligence gathering should be for the purpose of keeping a pulse on the active membership, acknowledging where there are member pain points, and facilitating a way to gather enough input to identify trends and member needs. All this would be in addition to updates to the more structured feedback systems – member surveys and polls, as an example. Most surveys are constructed completely backwards, and trending data is not kept or analyzed. I think that’s an easy fix.
  • An “Insiders” communique. For those interested in the inner workings and tasks of (ISC)2 I’d propose an “ISC2 Insiders” communiqué, maybe in the form of a monthly or quarterly e-newsletter. Something of this nature would let curious members know about impending updates or programs, interesting projects, personnel changes and more. The logo changes, in my opinion, would have been a great example of a good insiders’ communication.
  • Getting more personal. (ISC)2 is a nameless, faceless blob to most members. The board needs to lighten its iron fist with external communications, facilitate and encourage structured communication and let the members really get to know the people running this massive organization. When you put a face and a soul behind a directive, it’s more meaningful, and frankly it makes that dose of medicine a bit easier to swallow.
  • Member QA meetings. I’d love to see virtual online web meetings with the board, and with the various committees and advisory groups; these would be closed and available to active members only. It would give the teams time to discuss projects, goals, objectives, and offer a conduit for members to ask questions. If not all questions can be answered, the comments are captured by the moderator and followed-up on later with the member(s).
  • Various programs. I could quite literally write a small book on ways I think we can improve communication within (ISC)2. I’m going to turn my attention instead to the next question of transparency.

And now for the transparency part. At the risk of alienating a few people, I’ll say I firmly believe that many (but not all) of the transparency issues can be fixed simply with better communication. Many of the things I hear people complain about are based on incorrect information, inability to access the information, and/or a severe deficit of facts resulting from poor communication. Let me push aside those items that can be fixed with communication and we’ll say they’ll sort themselves out as communications improve. If we focus then on the remaining places where I think we need more transparency, I’d suggest starting with these tasks:

  • Share early, share often. I don’t know the reasons behind it, but ISC2 is slow to share information to its members, and frequently news is hitting the stands before we (members) are privy to it. This ties closely in with communication, but I think ISC2 needs to let loose a bit and realize the importance of timely news to its members.
  • Embrace conflict. Even if ISC2 is afraid members will disagree with a decision or a plan, it’s okay; we still need to share the message with them. Not everyone gets to have a say, but we can embrace the conflict by addressing it openly and letting everyone vent their frustrations, learn why the changes were made, and have a support system to move forward. If you look at other major companies, the ones rated with the highest customer loyalty are those that put programs in place to willingly listen to negative feedback and let the members/customers know at least their voices were heard.
  • Take off the cloak. I have no clue what goes on with the (ISC)2 board, its committees or advisory councils, and I bet most other members don’t either. In fact, I don’t even know how many committees it has, who the chairperson is of each, nor how many members sit on the committee. (ISC)2 is not-for-profit subject to strict guidelines and bylaws, but that’s no cause to conceal its daily operations. Members have a right to understand how the organization is run, and not be shunned by the board for asking questions around the subject. It’s time to take off the cloak and show the faces of all involved in running the organization. After all, the members elect the board. The board appoints the chairpersons, the chairpersons (it’s my understanding) fill the committees with their own appointees. That’s a handy piece of information; by virtue of voting for the board of directors, you’re effectively using that choice to influence the chairpersons and committee members.
  • Share more. Similar to share early, share often is share more. We know there are limitations to what (ISC)2 is allowed to share about members, member status, and ethics decisions. But, there’s no reason the organization can’t share sanitized, aggregated data. If you can’t publish the names, what harm would it do to publish the number of CISSPs that had their certification revoked due to an ethics violation last year? I’d like to find a way to share MORE data with members without compromising the privacy laws (ISC)2 is following globally. Again, we can do better here.

Lastly, I want to address a large issue you didn’t ask about, and that’s how to add credibility back to the CISSP and similar certifications. I’m adding it here, because I get asked this almost daily; how do we restore value to the CISSP certification? The question stems from the realization that applicants without the proper experience are earning the CISSP, the feeling that the CISSP has been marketed to the wrong crowds, and that there is no way to distinguish long-term information security professionals from a newly certified pro.

I don’t claim to be an expert in certifications, certifying bodies, or credentialing, but here are some ideas I’ve had, many of which are the result of conversations with peers and colleagues in the past 5 years or so. Thank you Austin, Mark, Jim, Rick, Tom and many others for sharing ideas and sparking thoughts.

  • Create tiered certifications based on experience. Instead of only having an Associate CISSP and a full CISSP, perhaps we can demonstrate added value to both certification holders and employers by creating tiers based on longevity and experience in an information security role (or other specific portions/numbers of the domains). Perhaps a CISSP-I has up to 10 years of experience, while a CISSP-III has 30.
  • Layer security clearances over the CISSP for added value to DoD consumers and certified members. (ISC)2 could add value with an option for background checks (by a 3rd party) for security clearances. Due to volume, the fees would be less than a typical background check, making it more affordable for the certification holder or his/her employer.
  • Clarify professional experience requirements. I also think ISC2 should clarify the type of work that would qualify as being in the domains. For example, I’ve recently seen several examples of someone that was a PC bench technician for 2 of the required 5 years of professional experience. I tried to make a case for that falling in two of the domains, but I haven’t been successful.
  • Enforce endorser ethics and implement some punishment or warning for endorsers that sign off on CISSP candidates that do not have the required professional experience.
  • Outline certification requirements for HR groups and work with organizations to properly apply CISSP and other certification requirements for the appropriate job types. Too often, we see sales people or systems admins with CISSP certifications. They have every right to have the cert (as long as they have the requisite professional experience) but more often than not, they acquired the certification because some hiring manager listed it as a requirement when other experience would have been more appropriate for their job. If (ISC)2’s vision is to “Inspire a safe and secure cyber world” and the mission is to “Support and provide members and constituents with credentials, resources, and leadership to secure information and deliver value to society” then they/we should start here. Make sure the credentials and credential requirements are used for the greater good of organizations and society, and not diluted.

Richard Nealon’s response:

Same caveat that I said recently – this is not the view of either management or board of (ISC)2. It’s just the personal view of Richard Nealon, security professional.

Member engagement:

As I see it, there are two parties to engagement. Both have to be fully committed, and there has to be open dialog between both sides. It’s never easy for either side, and we always have to continue to work to make it better.

I’d argue that while the board is elected by the members, it’s not their role to engage directly with the members. Their job, and the job that should be expected of them, is simply:

  1. To provide governance (fiduciary and oversight) to ensure the continued survival of the organisation on behalf of the members, so that value of their certification is maintained

Now this might sound very straightforward on first reading, but some of the tasks that align to that include:

  • developing strategy to ensure the organisation meets the needs of the members and constituents
  • managing executive management to ensure that they have challenging goals and objectives that align with strategy, and ensuring that they meet these
  • ensuring succession for executive management and themselves
  • agreeing organisational budgets and ensuring that these are managed tightly
  • deciding on ethical issues arising

The dialog part (i.e. the issues that members have with the way that they think they’re served by the organisation) really needs to take place between the members and management. I know that you think I’m copping out here, but that’s the long and short of it. The board shouldn’t get involved in operational management – that’s why we have a professional management team in place.

I got involved with (ISC)2 way back in the late nineties, when I had sat an exam that had questions relating to the Rainbow books, the Boston fire regulations, etc. on it. I wrote to management at the time complaining that many questions on the exam had no relevance to an international candidate and didn’t get a response. I wrote again. I didn’t get a response again. I was introduced to a (ISC)2 volunteer who was involved in test development at a conference, and I backed them into a corner and let rip. I subsequently got invited to a test development workshop and became a volunteer from then on. I’m happy now that questions are international; that they’re a test of security knowledge and experience and not one’s ability to read complex English; that they are translated into many languages; that they are properly formed and not negatively phrased.

What I’m trying to say here, is that engagement has to be two-way. If we want to change the way the organisation works, we have to be prepared to get down and dirty. We have to be prepared to contribute, and we have to find a way to get our point across and make it sensibly.

There’s nothing to be gained by saying the same thing over and over again, in the same way, on the same channel, but just shouting louder. My belief is, that once they go past the age of two, it’s not my intention to spoon feed anyone. I’ll continue to support my charges through their teenage years, but once they reach adulthood they need to take personal responsibility and accountability for their actions.

How do we effect change at work – we build a business case, we justify the change, we suggest how it could be implemented, and we outline the outcome, and we present it to our boss. Sometimes it gets accepted, and sometimes it doesn’t (maybe because the time isn’t quite right).
My approach to this (and it very much depends on how strongly I feel about the change) is, either:

  • let it go. It wasn’t the right time, and perhaps an opportunity will come around again, or
  • look at the case, and see why it wasn’t accepted. See if it can be looked at from a different angle, or if there’s a compromise that might be acceptable, and start all over again

Not tell my boss that he’s a jerk, that he doesn’t know what he’s talking about, and go over his head. In doing so, I lose all credibility, and the next time I go to him with an idea, what’s going to happen?

One of the key ways for me to drive member engagement is to provide mechanisms for them to volunteer with the organisation at whatever level they are comfortable with. I feel that it’s only when we have personal time and effort invested that we really benefit. There are challenges in being able to manage this, but I’m really encouraged by the efforts of members all over the world in really getting involved in the chapters and working hard to provide a conduit for the profession as a whole in their local communities. I’m similarly heartened by the continued success and growth of the Safe and Secure program and its recent progress in areas of the world that are non-English speaking. Not only do these types of initiatives serve society, but for me they have the added benefit of engaging the members.

Communications have come up a lot in discussions. Yes they could be greatly improved. This is recognised by members, management, and board. All I can say to this is that we continue (all of us) to improve.

transparency – vision, progress, challenge of the board:

Not quite sure how to answer this. The vision and mission of the organisation have changed in the last two years. However, in the immortal words of Michael Caine, “Not a lot of people know that!”

It has been communicated. Yes, it needs to be communicated better. It needs to be reinforced better. We have to align our operational objectives to it. It needs to be embedded in our culture. Lots of work still on this one.

The thing that I found interesting in the recent debate was the ignorance (and I don’t mean that word in a bad way) of some of the most vocal critics of some of the detail that is available about the organisation.

The presence of the 990s; the fact that the (ISC)2 Foundation was a separate entity from (ISC)2; the change in the mission of the organisation away from ‘education and certification’ to ‘member focus’ – these all seemed to be news to almost everyone. This is all publicly available information, and yet we don’t seem interested enough to seek it out? The call for transparency is all very well, but there’s an argument to say that the organisation is fully transparent – just that folk choose not to look.

I’m personally happy with the new vision and mission. It means much more to me as a member and as a security professional. The old mission seems better aligned to a commercial organisation, whereas this feels good to me as a not-for-profit membership organisation.

In terms of progress, the board can’t really take credit for any of it. Management are the ones that drive the operational change that you see – chapters, CBT, the Foundation, new credentials, etc. The board simply ensure they have sound cases, make the means available to them, and provide the ‘second set of eyes’ to make sure that they are using resources wisely, and meeting hard targets and objectives set for them.

Finally, challenges for the board. I addressed this in a post to the forum last night.

  • fragmentation of the profession into specialisations
  • an ageing profession not being fuelled by young talent
  • lack of gender diversity
  • how (ISC)2 can best represent the profession
  • what (ISC)2 have to do to be considered the go-to place for the profession
  • how (ISC)2 can distinguish itself from the CISSP brand
  • ensuring strong succession plans exist for board and executive management

Rick Ferguson’s response:

Of course the first part of my term as a member of the board of ISC2 is necessarily going to be spent familiarising myself with “how it looks right now”; there is little point in attempting to repair something unless you understand the nature of it. Hopefully that period will not be a prolonged one. I am a strong believer in the power of social networks, particularly Twitter; outcomes, when it is done right, can be both immediate and fulfilling. ISC2, it seems, is still rooted in emails for communication, and many of these, I am sure, go straight into most members’ trash. Very few of the current board members have an active social presence with the vibrant and vocal security community, engaging 24/7; that’s both an oversight and a shame. Most importantly, ISC2 itself has to have ears as well as a mouth; listening to the membership is not something that seems particularly developed. Many members do not have time for local chapters or formal meeting structures, we are all busy security practitioners, so engaging with online communities and helping to generate more energy and pride in being a part of ISC2 is key.

In terms of transparency, there may be some strictures of which I am unaware (but would certainly fight to change), but I firmly believe that minutes of the board of directors meetings should be published and archived for members to review at leisure. Far too many organisations do not publish board meeting minutes, regardless of the fact that they are ostensibly there to serve the membership. I am certain that a fair percentage of the “image problem” that ISC2 suffers from is simply a result of a lack of communication, rather than a lack of will. Making public the beliefs and stances of the members of the board will not only allow their track records to speak for themselves, but also give more members an insight into where the organisation is headed and, crucially, why.

Of course I will have a lot to learn and the curve will be steep; there is far more to success with ISC2 than the two simple areas I have outlined. I will be there to listen and learn as well as to advise and to steer, and I will gladly make my views and decisions a matter of public record, in order that I may be guided by the membership itself.

Tony Vargas’ response:

Better transparency for (ISC)2 is something that I know Jennifer and I are both very passionate about. I believe quarterly operational review updates (similar to financial conference calls for public companies) would be one way to achieve better transparency for (ISC)2. The quarterly operational reviews would be video recorded so that anyone could watch them. I think a combination of quarterly reviews and video would help make (ISC)2 more transparent, which in turn would make members feel more comfortable with the organization. The quarterly reviews would show what programs are working and which programs could use additional member support. Members would be able to provide feedback to all of the videos and potentially may be able to provide questions in real-time. I believe it is hard for members to want to engage with the organization if they don’t know what programs the organization has created for its members, yet I believe these ideas would help with some of the transparency issues.

To further address the transparency issues, I’d work to set up a number of “Inside (ISC)2” videos of the people working at (ISC)2 to showcase their thoughts on the programs and challenges they face being able to provide for the membership. I think that seeing the people who work at (ISC)2 in a video would help bring a face to the organization. Also, (ISC)2 I believe consists of around 80 people. Eighty people to support an organization of over 90,000 members is a big task, and I think that seeing videos of the staff and the member projects they are working on will help make the members feel closer to the organization, which I believe will make the members more willing to work with the organization. I also would work to lead a set of “(ISC)2 Board of Directors videos” with the goal of helping people feel closer to the board. Additionally, at any conference I attend I would personally be open to chatting with any member about how we could make the organization better.

I believe that through better transparency, (ISC)2 members will want to become more engaged. I feel that it’s hard for people to want to work with and trust an organization if they don’t have a good understanding of the organization and its programs. I believe once people know more about the organization, how it works, programs it offers, initiatives, etc., (ISC)2 members will be more engaged to partner and work with (ISC)2.

My Next Chapter – I’m Joining Altria

I’m excited to announce that I’ve accepted a position with Altria Group in Richmond, Virginia as an IT security architect and consultant in its enterprise IT Risk Management group beginning April 22nd. For those unfamiliar with Altria (previously known as Philip Morris), it’s a Fortune 200 company headquartered in Richmond which owns several tobacco companies, a winery, and a financial services company, and has a 29% stake in SABMiller. I was impressed by what I learned of the organization’s culture and leadership and I decided the role was a great fit. Collaborating with IT and business colleagues on a range of information security risk management projects should be a lot of fun.

Over the next few weeks I’ll be honoring my commitments to complete client projects and coordinating the move to Richmond. I’ve enjoyed my time in San Antonio immensely and I will miss my regular face-to-face interaction with the local information security community. I met a lot of great people during my 2 1/2 years in the Alamo City and via my involvement with ISSA, the South Texas Security Leaders Forum, the Texas CISO Council, SAHA, and BSidesSanAntonio, as well as at local and regional events.

I’d like to thank my friends, family, and colleagues who were there for me while I focused on consulting independently through my company Befriend and explored other options. I’m grateful for those of you who provided guidance, served as a sounding board, partnered with me on consulting projects, let me know about prospective opportunities, and offered me positions with your companies. I have a great family and great friends and information security truly is a caring and collegial community.

My wife and I look forward to our return to Richmond. It will be nice to be so much closer to our family members in Richmond and elsewhere in Virginia. I’m going to miss working from my balcony in shorts and routine visits to the pool (and the loss of access to my wife’s employer Whataburger will be bittersweet), but life involves tradeoffs and I’m ready for the next chapter. :-) I’ll still be consulting through Befriend (albeit it on a more limited basis) and research, talks, and projects are underway so 2013 should be an interesting and exciting year!

4th Annual Security Twits NCAA Tourney Bracket Contest

I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year. The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.

To participate:

  1. Go to the tournament page.
  2. After logging in, click “Join Group”.
  3. Enter Group ID 137592.
  4. Enter the password.

Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 3 parts of the password are information security related.

  1. Part 1 – The cyber espionage group in Mandiant’s report published last month
  2. Part 2 – Pseudonym of hacker sentenced to 41 months in prison for exploiting an AT&T website vulnerability
  3. Part 3 – Default port number of the service that makes you want to bash your head against the wall because SSH is a superior alternative

In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.

Your final picks must be submitted by Thursday, March 21 at 12:15 PM EDT (the 4 play-in games earlier in the week aren’t part of the contest).

The fine print:

And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited. ;-)

I’ll post updates here and on Twitter periodically.

Why I Canceled my RSA Presentation

I was ecstatic when RSA contacted me to let me know that my presentation “Crunching the Top 10,000 Websites’ Password Policies and Controls” was accepted for the RSA Conference 2013. This was the first time I’d submitted to RSA so I was honored. Unfortunately I chose to cancel the presentation earlier this week. I’d like to explain why. But first, here’s the abstract:

Website authentication systems are constantly under attack, resulting in disclosure of password databases, compromise of accounts and exposure of sensitive data. This session will discuss a project to gather, assess and rate password policies and controls from the top 10,000 websites (according to Alexa Traffic Rank) by leveraging community volunteers and Amazon Mechanical Turk.

The project relied on a large number of other individuals to gather data which I aggregated for analysis. In January I discovered that some of the data was inaccurate. I was not particularly concerned, since that was a tradeoff of the data collection method for a subset of the data, and long term I had a mechanism to flag which data had and had not been validated. I began my analysis, then checked some more of the data, discovered even more invalid data, and determined that the percentage of data that was likely bad was at an unacceptable level. At that point I became concerned that the results of the analysis might be substantially off. I discussed this with one of the RSA staff and proposed taking a few more days to see if I could identify the bad data, recollect it, and analyze the results. Ultimately there just wasn’t enough time. As a result I let RSA know earlier this week that I’d need to cancel the talk.

I could have given it, but the analysis would have been light and I believe that the talk would not have met the expectations of attendees. I am continuing the research and it will be presented at a future date. Apologies to RSA and conference attendees.

Create Legal Software and Face Prison and Coercion by Prosecutor to Hack Clients

New York authorities have charged Robert Stuart with promoting gambling in New York, alleging that his company’s online gaming software was used by others for illegal betting in New York. Stuart was not accused of making bets or taking bets – he was charged with creating software that allowed others to. Extension Software, Stuart’s company, only had clients outside of the US and Stuart claims that it’s only being used in places where it’s legal to be used.

Stuart alleges that the District Attorney’s office tried to coerce him into a plea agreement requiring him to modify his company’s software by adding a backdoor to gain access to the usernames and passwords of gamblers and bookmakers, then distribute it to his clients. He further alleges that authorities expected him to use the backdoor and retrieve the information on their behalf.

Though authorities claim there is nothing illegal about what was proposed, deployment of a backdoor would be a violation of the Computer Fraud and Abuse Act without a US court order and permission in the various countries in which Extension Software’s clients operate. Equally troubling, unless there’s evidence that Stuart or Extension Software employees were aware that the software was being used for illegal gambling by New York residents and didn’t take measures to stop it, the case would set a precedent with rippling effects.

Should the developers of free and commercial software which may be used for illegal purposes be concerned? What about the free and commercially licensed versions of Metasploit? Could Rapid7 and contributing members of the Metasploit community be held liable for criminal use of Metasploit? What about John Matherly’s SHODAN? A hearing in Stuart’s case is scheduled for Tuesday, January 8th. I’ll be staying tuned.

The Wrong Way to Steal Obama’s AV Equipment and Laptop


A Richmond, Virginia man was arrested this week for the 2011 theft of a commercial truck from a Richmond-area hotel parking lot. Eric Brown was probably happy to discover the truck contained audiovisual equipment and a laptop, but when he discovered the Presidential Seal on the equipment he should have realized the Obama administration and law enforcement would give the matter proper attention. Instead he sold the laptop which belonged to the Department of Defense, kept the AV equipment without removing the Presidential Seal, bragged about the equipment he kept, and was seen in possession of it.

In a bit of irony, the arrest occurred on Election Day. No word on whether Mr. Brown cast his ballot for (or against) Obama before he was arrested.

The PayPal 0-day Exploit and Leak That Wasn’t

Late yesterday, Anonymous announced that PayPal had been hacked during a series of attacks against it and other organizations in celebration of Guy Fawkes Day (November 5th). I tried to access the alleged dump file an hour later, but it was unavailable. Media began reporting PayPal was exploited by a 0-day, but provided no additional detail.

I’m always skeptical of alleged leaks until I have an opportunity to review the leak data, the affected organization confirms the leak, there’s strong evidence the leak occurred, or someone I trust confirms a leak. The head of PR at PayPal said there was no evidence to validate the claim and that PayPal was investigating, but that’s common so soon after an alleged publicized incident. I asked the Twitterverse if the leak was legit, and got some interesting public and private feedback (primarily shared skepticism), but no confirmation of the leak.

After being pointed towards Darren Pauli’s November 1st article about security researcher Neil Smith’s interaction with PayPal about his disclosure of security vulnerabilities and discovery of the exposure of confidential customer data, I gave more credence to the report of the alleged leak, but was still skeptical. Then I was pointed to a post on BlackHatWorld, which stated:

“They do all just look like a dump of transaction records from any company…
It’s fake… Look at this table ../4e5ff957d5
Why would PayPal store AllPay information? lool”

AllPay provides bill payment collection, prepaid card, card production, legal, and print / design services (two of these are not like the others!). Perhaps the 27,935 customer records which were leaked belong to (wait for it…wait for it!) AllPay. Then again, perhaps not. It’s unlikely since they’re [cough, cough]:

Fully compliant with the Payment Card Industry Data Security Standard (PCI DSS)

Today, @PayPal stated:

Please know @paypal was not attacked by #Anonymous original story has been corrected http://bit.ly/SmB7bG

PayPal was not attacked by Anonymous? Perhaps their data wasn’t the data that was allegedly leaked, but I assure you they’ve been *attacked* by members of Anonymous. If I were responsible for PR at PayPal, I wouldn’t have worded it that way. And what of the PayPal 0-day? It turns out that the PayPal 0-day referred to may really have been a ZPanel hosting control panel 0-day, which was incorrectly described as PayPal by Cyber War News. And the dump file? Hack the Planet (HTP) has claimed responsibility and says that it’s not affiliated with Anonymous.

Yet Anonymous continues to report that they hacked PayPal. Maybe there’s more to the story. I’ll sit back and wait for the media to report it. Until then I’ll remain a skeptic. And I won’t count on the media to get the facts right…at least right away. ;-)

World’s #1 Hacker Charms Ricki Lake and Her Audience

Yesterday @iameltonjohn commented that she had spotted Gregory Evans giving women advice on the Ricki Lake Show so I watched the episode later in the day. Here’s a clip that includes most of his time on screen (thanks to @Cephurs for locating it so I didn’t have to use my longer, poorly recorded clip).

http://www.youtube.com/watch?v=_-TyJLO2fg4

Prior to the commercial break before his appearance late in the show, Ricki stated “Coming up, an ex-hacker, turned online private investigator Gregory Evans.” Gregory has a colorful past. He is a convicted felon, a plagiarist, and the self-proclaimed Worlds No. 1 Hacker (missing apostrophe his, not mine). Though he has been listed as a charlatan on Attrition.org since July 2007 (with a comprehensive update in April 2010) and was further exposed by the CBS affiliate in Atlanta in February 2011, he still manages to occasionally appear in the media as an expert.

The episode concerned women who had fallen for online dating scams. Interestingly, Ricki even mentioned that she dated a guy she met on Match.com for 6 weeks before discovering he wasn’t who he seemed. For the uninitiated, his advice probably seems sound.

  1. Scammers never want to talk with you over the phone. The biggest sign that the person you’ve met is a scammer is that they won’t video chat with you.
  2. If you receive a Facebook friend request from someone you don’t know, check to make sure the college they claim to have attended enrolls students of the requester’s gender.
  3. Configure Facebook to not display your friends list to non-friends and to only display mutual friends to your friends.
  4. Scammers are going to Match.com and looking for divorcees with kids and money.
  5. Scammers pilfer profiles of young men from old MySpace pages and create profiles on Match.com and Facebook using them to target older women. Close the social media accounts you’re not using.
  6. In an email scam claiming to be from someone you know, look for a reply-to email address that isn’t exactly the same as the from address.
  7. If you suspect an email is a scam, get the IP address from the email headers, paste it into who.is, and check whether the physical address is in the vicinity of where the sender claims to be.

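Items 6 and 7 are the only parts of that list that translate into a concrete check. As an added example for this page (not code from the post, and not Mr. Evans’ method), the Python script below performs both checks against a constructed sample message using the standard library’s email parser: it compares the Reply-To address with the From address, and it pulls the first non-internal IPv4 literal from the earliest Received hop. Every name, domain and address in the sample is constructed (the IPs are reserved documentation ranges).

```python
"""Header checks behind items 6 and 7: Reply-To vs From, and the originating
IP from the Received chain. Added illustration written for this page, not code
from the post; the message below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample: the visible From and the Reply-To disagree, and the
# earliest Received hop carries the connecting address of the sender.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTP id abc123
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.example.net with ESMTPA id def456
From: "A. Friend" <friend@example.com>
Reply-To: friend.example@mail.example.test
Subject: stuck abroad, need help
Content-Type: text/plain

Please wire money.
"""

# The same constructed message with the Reply-To header removed.
SAMPLE_NO_REPLY_TO = SAMPLE_MESSAGE.replace(
    "Reply-To: friend.example@mail.example.test\n", "")

# Bracketed dotted-quad literals as they appear in Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Addresses that cannot be a remote sender: loopback and RFC 1918 space.
INTERNAL_NETS = [ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reply_to_mismatch(raw):
    """Return (from_addr, reply_to_addr, mismatch).

    mismatch is True only when a Reply-To header exists and its address
    differs (case-insensitively) from the From address; a missing Reply-To
    is not treated as a mismatch.
    """
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    mismatch = bool(reply_addr) and reply_addr.lower() != from_addr.lower()
    return from_addr, reply_addr, mismatch


def origin_ip(raw):
    """Return the first non-internal IPv4 literal from the earliest Received hop.

    Each relay prepends its own Received header, so the last one in the
    message is the earliest hop; the walk starts there. Returns None when no
    usable literal is found.
    """
    msg = message_from_string(raw)
    for received in reversed(msg.get_all("Received", [])):
        for literal in IP_RE.findall(received):
            addr = ip_address(literal)
            if not any(addr in net for net in INTERNAL_NETS):
                return literal
    return None


if __name__ == "__main__":
    print(reply_to_mismatch(SAMPLE_MESSAGE))
    print(origin_ip(SAMPLE_MESSAGE))
```

Two caveats a practitioner would attach: a Reply-To that differs from From is routine for mailing lists, ticketing systems and marketing platforms, so it is a weak signal on its own, and the sender controls every Received header below the ones added by your own mail servers, so the “earliest hop” can be fabricated. Both checks are worth automating as one input to a triage score, not as a verdict, which is roughly the post’s point about the advice being thin.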
His advice is like low-fat food which is marketed as a healthy option, but actually is low-nutrition and high in calories – if you’re naive you want to gobble it up, but it’s not really good for you. Charisma, it’s what’s for breakfast!

It damages the entire information security field when a charlatan represents himself or herself as an expert to organizations, individuals, and the public at large. If you’re disturbed that the media is consulting, publishing, and broadcasting charlatans like Mr. Evans, make yourself heard. Is it really too much to expect a journalist or producer to spend a minute to perform a cursory search via Google?

If you’d like to provide feedback to the Ricki Lake show you can use their contact form, tweet her at @RickiLake, or tweet her show at @RickiLakeShow. You can also post on her Facebook page and in a discussion thread on her site, below a clip of Mr. Evans. She’s on Pinterest too, but I’m not sure how you can leverage that. ;-) The Ricki Lake Show films in Culver City, California, a short drive from the offices of his new company, Hi-Tech Crime Solutions (formerly LIGATT Security).
