» Archive for February, 2008

Metrics or FUD?

Thursday, February 7th, 2008

Schneier originally pointed me to this story about the rate at which security-related bugs were found in Open Source projects by a static code scanner:

Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1,000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code’s security.

Popular open source projects, such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects.

A total of 7,826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006, according to David Maxwell, open source strategist for Coverity, maker of the source code checking system, the Prevent Software Quality System, that’s being used in the review.

In the comments to the story, people felt that the story was just Open Source bashing because it did not publish comparable statistics for closed-source products from vendors such as Microsoft, Oracle, or IBM (which, in general, is a HUGE contributor to the Open Source code base).

So is this FUD or not? I think not, although I do believe that it falls into the category of “Information that most people lack the baseline level of knowledge to utilize.”

It tells us a lot about both relative code quality and project quality. It allows us to compare both how many security-related bugs (of the types the tool can detect!) were written and how quickly and thoroughly the projects respond to those reports and correct them.

So rather than writing off data, especially data with limitations, as FUD simply because we may not like the role it plays in an external argument, we must consider what it does tell us, whether or not it improves our greater understanding of the problem it measures, and utilize it as best we can.

So in this case, what do we know and what don’t we know about vulnerabilities? First, we know that all non-trivial software has bugs, some of which fail in a manner which impacts the security (confidentiality, availability, and/or integrity of the application). Some of that software makes its source code freely available to anyone to download, run, review, or modify; some does not.

Historically, code quality and (especially) project team responsiveness of Open Source software has been attacked by commercial (i.e. Closed Source) software vendors as being inferior to commercial software.

Thus, when we look at the findings from the Coverity report, the questions to ask are, “Is Project X’s codebase significantly buggier than average?” and “How responsive is project X on fixing reported (security) bugs?”

The first question allows us to gauge if there is a higher level of inherent risk from using a particular piece of Open Source software. The second allows us to determine if we will be placed at a higher-than-acceptable level of risk during the vulnerability latency window (time from vulnerability announcement to patch availability). The organization's actual level of risk tolerance is, by definition, unique to the organization.
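To make the two questions concrete, here is a small added example (not from the post, and not Coverity's data or tooling) that turns a list of findings into the two metrics discussed above: defect density per thousand lines, compared against the roughly one-per-KLOC figure quoted in the article, and responsiveness, measured as median days from report to fix plus the share of findings still open. The project names, sizes, dates and the 30-day / 20 percent thresholds are constructed for illustration; the thresholds stand in for an organization's own risk tolerance.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Figure quoted in the article: about one security exposure per 1,000 lines.
BASELINE_DEFECTS_PER_KLOC = 1.0


@dataclass(frozen=True)
class Finding:
    project: str
    reported: date
    fixed: Optional[date]  # None while the finding is still open


# Hypothetical project sizes in KLOC (constructed for this example).
KLOC: Dict[str, float] = {"projA": 8.0, "projB": 5.0}

# Constructed findings; not real scan results for any project.
FINDINGS: List[Finding] = [
    Finding("projA", date(2007, 3, 1), date(2007, 3, 3)),
    Finding("projA", date(2007, 3, 10), date(2007, 3, 15)),
    Finding("projA", date(2007, 4, 2), date(2007, 4, 5)),
    Finding("projA", date(2007, 5, 20), date(2007, 5, 24)),
    Finding("projB", date(2007, 3, 1), date(2007, 4, 15)),
    Finding("projB", date(2007, 3, 5), date(2007, 3, 25)),
    Finding("projB", date(2007, 3, 8), None),
    Finding("projB", date(2007, 4, 1), date(2007, 6, 10)),
    Finding("projB", date(2007, 4, 20), None),
    Finding("projB", date(2007, 5, 2), date(2007, 5, 12)),
    Finding("projB", date(2007, 6, 1), date(2007, 7, 31)),
]


def defect_density(findings: List[Finding], kloc: Dict[str, float]) -> Dict[str, float]:
    """Question 1: findings per KLOC for each project (initial quality)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.project] = counts.get(f.project, 0) + 1
    return {p: counts.get(p, 0) / kloc[p] for p in kloc}


def fix_latency(findings: List[Finding]) -> Dict[str, dict]:
    """Question 2: median report-to-fix days and fraction still open (responsiveness)."""
    days: Dict[str, List[int]] = {}
    total: Dict[str, int] = {}
    open_count: Dict[str, int] = {}
    for f in findings:
        total[f.project] = total.get(f.project, 0) + 1
        if f.fixed is None:
            open_count[f.project] = open_count.get(f.project, 0) + 1
        else:
            days.setdefault(f.project, []).append((f.fixed - f.reported).days)
    return {
        p: {
            "median_days_to_fix": median(days[p]) if days.get(p) else None,
            "open_fraction": open_count.get(p, 0) / total[p],
        }
        for p in total
    }


def assess(findings: List[Finding], kloc: Dict[str, float],
           baseline: float = BASELINE_DEFECTS_PER_KLOC,
           max_days: float = 30, max_open: float = 0.2) -> Dict[str, List[str]]:
    """Flag each project against the baseline and the caller's tolerance thresholds.
    An empty list means nothing was flagged; thresholds here are assumptions."""
    density = defect_density(findings, kloc)
    latency = fix_latency(findings)
    verdicts: Dict[str, List[str]] = {}
    for p in kloc:
        reasons = []
        if density[p] > baseline:
            reasons.append("density above baseline")
        lat = latency.get(p, {"median_days_to_fix": None, "open_fraction": 0.0})
        if lat["median_days_to_fix"] is not None and lat["median_days_to_fix"] > max_days:
            reasons.append("slow to fix")
        if lat["open_fraction"] > max_open:
            reasons.append("too many open findings")
        verdicts[p] = reasons
    return verdicts


if __name__ == "__main__":
    for project, reasons in assess(FINDINGS, KLOC).items():
        print(project, defect_density(FINDINGS, KLOC)[project], fix_latency(FINDINGS)[project], reasons)
```

Raising `max_days` or `max_open` is the knob for an organization that, as the post notes, rarely patches anything but the OS anyway and therefore cares more about density than about responsiveness.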

With commercial vendors, if we want to attempt to measure the risk of using a piece of software, we are forced to attempt to reverse-engineer this data by looking at patch count & severity, then wonder how many unpublished vulnerabilities or bugs were also fixed in that patch. In the Open Source world, Coverity has pulled the covers off a portion of that process.

If anything, I would argue that Open Source gains an advantage here, because Coverity is actually providing hard data to work with, which is more than the commercial vendors have been willing to provide.

Despite knowingly perpetrating FUD by writing it, I still have to wonder how commercial Coverity customers are performing versus Open Source on these metrics, and why they wouldn’t publish their results if they were actually better.

And, lest we forget, the reality is that most organizations don’t aggressively or consistently patch security vulnerabilities in anything but operating systems, anyway (which is a post for another day), which weights the decision toward average initial quality and away from project responsiveness–balance your analysis accordingly.

We strive toward metrics, but the reality is that to effectively manage risk, we must exercise good judgement in the face of incomplete knowledge and uncertainty–after all, what is risk but an attempt to quantify future uncertainty?

TrueCrypt 5.0 — open-source, now with full disk encryption!

Wednesday, February 6th, 2008

It took me over half an hour to get to this news release, and that was before most of the United States was awake. TrueCrypt 5.0 has been released and it’s significant:

We are pleased to announce that TrueCrypt 5.0 has been released. Among the new features are the ability to encrypt a system partition or entire system drive (i.e. a drive where Windows is installed) with pre-boot authentication, pipelined operations increasing read/write speed by up to 100%, Mac OS X version, graphical interface for the Linux version, XTS mode, SHA-512, and more.

Up until now, full disk encryption was only an option for enterprises, and all-too-often, not even then. My hat is off to the TrueCrypt team once again.

Invisible ink

Wednesday, February 6th, 2008

This boggles my mind…

…election officials shook their heads in disbelief as investigators confirmed 20 ballots in the 49th Ward’s 42nd precinct were cast with inkless pens.

Apparently, the poll workers at 1723 W. Greenleaf Ave. told incredulous voters that the touch-screen stylus was actually an invisible-ink pen to fill out paper ballots, city elections spokesman James Allen said.

“You spend months trying to prepare for every contingency,” Allen said. “Trying to anticipate every possible way people might be confused . . . Then this? Incredible.”

Even the ballot scanner knew better, he said, rejecting all 20 ballots. Each time, the judges overrode the scanner and recorded the vote as blank. By 3 p.m., only five of the 20 voters had been contacted to return to recast their votes.

Amy Carlton, 38, of Rogers Park said that all the judges at the polling place insisted they had been trained in the use of the pens.

“I’ve voted before,” Carlton said. “I was thinking ‘This is crazy.’ But when someone in authority insists, what are you supposed to do?”

Lots of things are disturbing to me about this. The pens are black ink pens that you use to color in the gap in a series of arrows pointing to the candidate you want to vote for. This system has been in place here in Chicago for some time.

First, that someone would be clueless enough to make this sort of mistake. Second, that the official would stand by the mistake, even as the machine was confirming what their eyes already told them. Third, that people were willing to accept what they clearly knew to be bad data, confirmed by the technology, because an authority figure insisted.

Sure, it’s just stupid on the surface, but it’s also an opportunity for some low level election fraud. People need to have at least a baseline level of knowledge of the system and its procedures, both the judges and the voters. Whatever happened to the concept of an “informed electorate?”

And, yes, the system is simple enough that my cats could vote with it. In fact, seeing as how this is Chicago (“vote early, vote often!”), come November they might.

Vote!

Tuesday, February 5th, 2008

It’s Super Tuesday, so if that applies to you be sure to read up on the races in your primary, then get out and vote today.*

I got to my polling place about 10 minutes after the polls opened at 6am and they had not yet cleared out the initial backlog of early morning voters. It’s a combined polling place for three precincts and there were lines of 3-10 people at each precinct with six booths per precinct. I was ballot #10 in my precinct, and I would estimate that mine was the slowest of the three. By the time I left, the lines were even longer.

Beyond the heavy turnout, I fortunately have nothing to report. We use optical scan ballots in Cook County, which I’ve always found extremely easy to read and use, especially compared to punch cards.

[Image: votemachine.jpg, a mechanical lever voting machine]

I’ve always wished that I’d gotten to vote once on the old mechanical switch voting machines with the big red lever which closed the curtain, leaving the voter inside with banks of switches like the Wizard of Oz. I know they were vulnerable to all sorts of interesting retail-level vote fraud, but those banks of giant aquamarine machines lined up in my elementary school somehow got burned into my brain. The idea that I would one day get to go in there and flip switches and pull that red lever was one of my greatest aspirations as a child, and that was before I really even understood why it mattered.

And one final reason to get out there today*…if you don’t vote, you don’t get to complain later.

* Offer valid only in participating states and territories of the United States of America.

Voting machine image shamelessly stolen from Bits from Bill

iPhreed iPhones

Tuesday, February 5th, 2008

According to BoingBoing,

Analyst reports circulating in the news today indicate that about a million iPhones have been unlocked to operate on networks other than AT&T — and that’s said to be roughly 27% of all the iPhones sold in 2007.

This is quite a dilemma for Apple:

Unlocked iPhones generate 50 percent less revenue and as much as 75 percent less profit than those tethered to service contracts, Sacconaghi said. If 30 percent of the 10 million iPhones Chief Executive Officer Steve Jobs plans to sell this year are unlocked, Apple’s earnings may be lower by about 37 cents a share in each of the next two years, Sacconaghi said.

The story would have us believe that if Apple sells the product that people want (unlocked phones), then they lose significant earnings. This may even be true, but I personally believe that what we’re seeing here is the below-the-waterline hole in the wireless business model. If you consider this list of locations where people are quite willing to pay at least list price for iPhones, then I would argue that Apple is throwing away a golden opportunity to grow their global brand presence and continue to drive demand across their product line.

Right now, the iPhone is, hands down, the slickest phone on the market. I’ve either had or gotten to play with pretty much every smart phone out there, and for overall user experience, the iPhone blows them all away in terms of slickness and cool factor. Yes, I’m aware of the numerous criticisms of broken or missing fundamental features, but I don’t know a single iPhone owner who is so irritated by those things that he or she considers it a bad purchase, even at its relatively high price point.

Now the thing that I’m really curious about is if Apple made a good risk decision by following the (U.S.) carriers’ subsidized lock-in business model.

Did they lack sufficient confidence in the strength of their product and brand? Or is this (more likely) a symptom of a “razor and blades” business model, only with a very expensive razor, and if so, what does Apple think are the “blades” of the cell phone market? Were they unsure that they could bring a successful phone to market, given the fiasco of the design-by-committee joint venture with Motorola, the ROKR?

Digital economies built on scarcity are withering and dying–witness the music industry, whose model has collapsed to the point where the middlemen of the Major Labels and the RIAA really have nothing but the threat of lawsuits against customers and a historical monopoly over access to audiences.

Given the rate at which people are willing to risk voiding their warranty and “bricking” their phones with a bad firmware hack just to gain functionality that they believe they deserve, I find it hard to believe that Apple wouldn’t have been better off selling an unlocked, unsubsidized device and selling blades based on findability (like iTunes), authenticity (the one upside of walled gardens/captive portals), and patronage (the Cult of Apple) rather than scarcity.

Is this a risky move? Perhaps, but I would argue that the trendlines are on their side, and remind everyone that risk is ultimately the downside of reward, so by limiting their risk, Apple also limited their potential success.

Assumptions

Monday, February 4th, 2008

There’s an old saying: we all know what happens when we assume…you make an “ass” out of “u” and “me.”

The analysts at Moody’s have been getting an object lesson in this fact, as noted by Calculated Risk pointing me to an FT story about mortgage defaults:

“There has been a failure in some of the key assumptions which supported our analysis and modelling,” [Ray McDaniel, president of Moody’s] admits. “The information quality deteriorated in a way that was not appreciated by Moody’s or others.” Mortgage borrowers, in other words, did not behave as expected.

How did they behave to break the models? Angry Bear had already answered the question for us when he talked about Jingle Mail Revisited:

“Yeah, I think in those days, loans were made by your local banker or building and loan associations or savings and loan,” Moran replies. “They were guys you saw in the grocery store. They were on the little league team with you, the PTA, the school. And I think as mortgages became securitized and Wall Street became involved, they became very transactional and there was no relationship built with the borrower and the lender. And I think that makes it easier for someone to see it as an anonymous party at the other end of the transaction and just walk away from it.”

“Just a business decision,” Kroft says.

In other words, borrowers are finally acting rationally when it comes to their housing.

I’d conjecture that borrowers are thinking either that by the time they’re able to afford another house, their credit score will have recovered, or that they’re so far underwater that they’d be better off just cutting their losses and moving on and never expect to “own” (pay rent to the bank instead of the landlord) again.

This is the market reaping what it has sown–making lending decisions which ignored reversion to the mean for long-term trends like price, the importance of down payments, the validity of credit scoring models, and every other form of bad risk decision they possibly could–not that they cared, because they were just going to sell the note along to someone else, rather than accept that risk themselves.

If you don’t think risk management is a valid practice, try ignoring it for a while and see what happens.

The mall ninja

Friday, February 1st, 2008

I’d never heard of the Mall Ninja until my friend Mike E. sent me a link to it. It’s a hilarious extraction of posts on a couple of firearms discussion boards allegedly between two mall security guards with incredibly warped assessments of risk.

For example, the Mall Ninja worries a lot about the dangers of things like getting from his parked car to the safety of his beloved mall:

What scares me is that, although I can fit an extra trauma plate in the front, I cannot fit a second one in back. As of late I have taken to duct-taping a second trauma plate to the area of my back where the heart and vital organs are located. Then I put my vest on.

When it’s the mall security guard, we laugh. But think about how many IT Security practitioners don’t sound entirely unlike this when asked to provide commentary on theoretical system or network vulnerabilities before IT or (even worse) business managers.

Don’t be an IT Security Mall Ninja. If not for you, for me and everyone else who needs to be taken seriously when dealing with IT risk.

Final warning: Do not read the Mall Ninja while drinking hot or snortable liquids. Do not read the Mall Ninja in environments where involuntary snickering would be inappropriate or harmful to your marital or employment status. Do not begin reading the Mall Ninja if you have somewhere to be in the next few minutes.