Words matter, or the latest from the Security Industry Association on problematic security terms

I may have accidentally hit upon a post series.

In my previous installment of “Words Matter,” published a little over a month ago on November 12, I described how Simon A. Cole made a distinction between words such as “decision,” “interpretation,” and “findings” when talking about how forensic results are described. The passage of time, and the perceptions that change over time, affect how words are used.

There are other examples of how perceptions change over time. Those of us who were alive in the 1960s may remember how the cigarette advertisement phrase “you’ve come a long way, baby” was initially perceived as a liberating, feminist phrase.

Similarly, those of us who were alive in the 1960s may remember that the Washington Redskins were infamous for being the last NFL team in the modern era to add a black player to its roster. The fact that the Washington Redskins were the Washington REDSKINS was not a matter of concern for most people. (Now is the time for a confession: even today, I own a Washington Redskins keychain and a Washington Redskins cup. But I don’t flaunt my ownership of these items.)

Let’s move to the tech world, in which terms that were OK with most people a few years ago are now questionable. The Security Industry Association has compiled a list of some common security terms which, in the SIA’s view, exhibit “language bias.”

Now I’ll be the first to admit that the SIA’s view is not a universal view. There are a number of people who would reply “get over it” if someone objected to one of these terms. (At the same time, there are a number of people who wonder why these terms were ever adopted in the first place.)

I’ll confess that, with the exception of master/slave, I hadn’t really thought about the offensiveness of these terms. And I wondered if the proposed replacement terms would prove to be clunky and unusable.

Well, in my opinion, the SIA did a pretty good job in proposing some new terms that are workable without being offensive. Take the SIA’s proposed replacement for master/slave, for example. The SIA’s proposal to remove the “language bias” that references slavery in the United States and other nations is to substitute the word “primary” or “commander” for “master,” and “secondary” or “responder” for “slave.” The replacement terms convey the security meaning well.

Here are some other proposed terminology changes from the SIA:

  • Change “blacklist” to “blocklist.” Heck, this is just a one letter change.
  • Change “whitelist” to “allowlist.” Perhaps it seems a teeny bit clumsy on first reading, but this would definitely work.
  • Change “black hat” and “white hat” to “bad hat” and “good hat,” or alternatively to “malicious hacker” and “ethical hacker.” Incidentally, the alternative terminology effectively dodges another issue that is unrelated to race or sex bias, namely whether “hacker” and “malicious hacker” are synonyms.
  • For connectors, change “male” and “female” to “plug” and “socket.” This probably conveys the meaning better than the original terms did.

Now the Security Industry Association is just one entity, and I’m sure that other entities are coming up with other terms that replace the older terms. As of today, Wikipedia lists 11 different replacement pairs for master/slave alone, including primary/secondary (BIND), primary/replica (Amazon and Microsoft, among others), provider/consumer (OpenLDAP), and others. There are also multiple alternatives to blacklist/whitelist, including the aforementioned blocklist/allowlist, and other pairs such as deny list/allow list and block list/allow list (with spaces).

All of these suggestions are going to float around and compete with each other, and various trade associations, governments, and other entities are going to adopt one or more of these, causing people who do business with these associations/governments/entities to adopt them also. And there will be the usual debate in those places where standards, like sausages, are made.

After all of these standards battles are complete, which set of terms will prevail?

That’s easy.

LOS ANGELES – MARCH 14: Guest arrives for the 2019 iHeartRadio Music Awards on March 14, 2019 in Los Angeles, California. (Photo by Glenn Francis/Pacific Pro Digital Photography). By Toglenn (Glenn Francis) – This file has been extracted from another file: Taylor Swift 2 – 2019 by Glenn Francis.jpg, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=81523364

The terminology adopted by Taylor Swift will be the terminology that will be adopted by the rest of the world.

Sorry, SIA, but the general population cares much more about what Taylor Swift believes. Perhaps if SIA changed its acronym to TAYLOR, things would be different.

Swift (not to be confused with the Society for Worldwide Interbank Financial Telecommunication) is today’s Oprah Winfrey, and unlike Winfrey is referenced by cybersecurity practitioners.

And she can write a catchy chorus.

(Past illustrations) Improving, or not improving, a company’s Internet presence

(This past illustration describes something that I performed in my career, either for a Bredemarket client, for an employer, or as a volunteer. The entity for which I performed the work, or proposed to perform the work, is not listed for confidentiality reasons.)

PROBLEM

A company that had been around for years had obviously not adopted a comprehensive Internet/social media strategy. The company’s website had broken links and outdated information. The company had multiple social media accounts on multiple platforms. On one social media platform, the company’s old account had more followers than the new account, and the old account linked to the company website while the new one did not.

SOLUTION

I sent a cold email to the company, pointing out a few of these errors, and offering to provide them a quote to analyze 68 web and social media pages related to the company and its principals.

After one follow-up email, it was obvious that the company was not interested.

RESULTS

A month later, the company’s website had broken links and outdated information. The company had multiple social media accounts on multiple platforms. On one social media platform, the company’s old account had more followers than the new account, and the old account linked to the company website while the new one did not.

You know you’re a writer when you mispronounce words

I returned to my Bredemarket podcast after a brief absence and recorded this episode late this morning. While recording the episode, I made reference to the Mayo Clinic.

After recording and publishing the episode, I began wondering if I had pronounced “Mayo” correctly. When I spoke the word during the episode, it sounded more like an ancient civilization than a condiment.

By Daniel Schwen – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=7647000

So, because the Internet knows everything, I searched for the proper pronunciation of “Mayo Clinic” and located this YouTube video.

Yep…it’s a condiment.

By jules – rolls royce mayonnaise, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=35344899

And this was not a simple five second video. The video is a minute long and constantly repeats “Mayo Clinic,” reminding me over and over of my mistake.

And that, my friends, is how you can identify a writer. Writers can’t pronounce things.

Is “social distancing” socially distant? It depends.

I’m attending a webinar, organized by The Economist and sponsored by Onfido. The webinar’s title is “A whole new (contactless) world: The rise of digital identity.”

The keynote interview just finished, and the interviewee was Anne Chow of AT&T Business.

In the course of the interview, Chow observed that she does not care for the term “social distancing,” and would prefer to use the term “physical distancing.” She noted that our social links are what are keeping us together as we are distant from each other.

However, this is more or less true depending upon who you are. Some people are just fine or mostly fine with electronic interactions with coworkers and others, while others are truly bothered by it.

For example, there are those who are comfortable with Zoom and Teams and Meet and WebEx and all of the other conferencing platforms, as well as asynchronous communications methods (including old fashioned email).

Then there are others. For example, some people refuse to use telehealth and insist on seeing physical doctors, and refuse to use phone trees and start pressing “0” the first chance they get. (And some of them don’t like absentee ballots, but that’s a different issue.)

And it doesn’t matter how good the technologies get, whether you’re talking about 5G (or 6G or 7G), Internet of Things, or Edge Computing. It won’t be the same.

So how do we construct a hybrid world that allows those who need physical interaction to co-exist with those who do not?

Bredemarket’s four goals for 2021 (the 12/4/2020 11:00 am edition)

These goals were subsequently revised on 1/8/2021 at 9:30am.

This is the time of year when companies and people publish end of year posts. Frankly, I don’t really feel like writing an end of year post for 2020, so instead I will share my goals for Bredemarket for 2021.

Goal 1: Help my clients to communicate and reach (and understand) their goals. My chief goal, of course, is to help my clients reach THEIR OWN goals. Bredemarket aims to thoughtfully and strategically provide marketing and writing services that align with client needs.

If I may briefly look back at 2020 in a positive light, I have helped clients establish themselves as subject matter experts, I have helped them to attract customers in the best possible way, and I have helped them to win business. I’m not sure how much additional business I’ve won for any of these firms, but hopefully I’m helping them lay the groundwork for securing future opportunities.

Part of my services involves determining WHAT clients actually need. Some of my clients simply ask for a blog post, but there’s often a need to dig deeper. For example, several small businesspeople and I were recently discussing how to use the “five whys” to elicit underlying needs from clients. What is this deliverable (white paper, blog post on 2021, whatever) supposed to accomplish?

Goal 2: Pursue multiple income streams. This is really an internal goal for Bredemarket, but it affects my approach.

While I know WHAT I want to do—I’m not going to quit marketing and writing and start selling nutritional supplements—I’m exploring HOW I want to do it. In some cases I’m approaching potential clients directly, while in others I’m using one of several intermediaries to do it.

There are advantages and disadvantages to direct vs. intermediary solicitation, but it’s wise to have multiple options. Some options may perform better at some times, while others perform better at other times. We’ll see what happens.

Goal 3: Eat my own iguana food. This very post originated from this particular goal. I’m preparing to pitch clients on writing 2021 blog posts for them, so I thought it best if I wrote my own.

Some of my other recent activities, such as my establishment of LinkedIn Showcase Pages for identity and technology, also satisfy this goal (and originated from another pitch idea).

Goal 4: Have fun. Years ago, when I was working for a large company (it might have been the original pre-Solutions/Mobility Motorola), I told a group of people at work that I was going to “play” with something. Use of the term “play” in relation to work did not sit well with some of the group, who thought I wasn’t taking things seriously. Others in the group knew exactly what I was talking about.

When work is fun, and you can approach it with a sense of play, it not only isn’t work, but you’re more energized about doing it. Obviously not everything can be play, but when there are opportunities to enjoy what I do, I’m going to take advantage of them.

Goal 5: Be prepared to change. This is the point where perceptive readers interject, “But John, the title only mentions FOUR goals! You goofed!”

Consider this fifth goal an added bonus! (And I’m, um, playing with your perceptions…)

If I can briefly refer back to 2020 again, it has been a year of pivots for most of us. For me, I had to pivot early in 2020 when COVID forced my employer to re-evaluate its business lines, then I pivoted again a month later when I had to start working from home, and then I pivoted three months after that, etc., etc. You’ve probably had to pivot a few times yourself.

So I recognize that these goals as of December 4, 2020 at 11:00 am may change as soon as December 5, 2020 at 9:00 am. “But,” as Stuart Smalley would say, “that’s…OK.”

What are YOUR goals for 2021? Oh, and can I help you express them? And what do you want to accomplish by expressing them?

Why?

Why?

Why?

Why?

Why?

Identity assurance levels (IALs) and digital identity

There is more and more talk about digital identity, especially as COVID-19 accelerates the move to contactless and remote transactions. However, there are many types of digital identity, ranging from a Colorado, Louisiana, or Oklahoma digital driver’s license to your Facebook, Google, or Microsoft ID to the online equivalent of my old Radio Shack Battery Club card.

All of these different types of digital identities suggest that some identities are more rigorous than others. For example, I’ve lost track of how many digital identities I’ve created with Google over the years, but if California ever gets around to implementing a digital driver’s license, I’ll only have one of them. (And I won’t be able to get another license in Nevada.)

In this particular case, the government IS here to help.

The U.S. National Institute of Standards and Technology has defined “identity assurance levels” (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs. (I’ll define the other acronyms as we go along.)

Assurance in a subscriber’s identity is described using one of three IALs:

IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a CSP [credential service provider] asserts to an RP [relying party]). Self-asserted attributes are neither validated nor verified.

IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

Interestingly, the standard assumes that a pseudonymous identity can be proofed…but this requires that SOMEONE know the actual identity. That someone is the CSP, which has verified the real-world identity and then asserts only selected verified attributes (not the full identity) to the RP.

And in practice, the “physical presence” requirement of IAL3 can be met either in person or through “supervised remote” identity proofing, in which a trained CSP representative watches the session. (This is needed to make sure that I don’t register with someone else’s face, for example.)

So when considering the robustness of any digital identity scheme, it’s necessary to ascertain whether the digital identity can reliably be mapped to a real life identity. This doesn’t necessarily mean that IAL1 is bad per se; in some cases, such as my old Radio Shack Battery Club example, a robust mapping to a real life identity is NOT necessary.

But in other cases, such as a need to gain entrance to a nuclear power plant, that reliable mapping IS essential.
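To make the three definitions concrete, here is an added example of the checks a relying party might run on an assertion it receives from a CSP. It is not code from the original post or from NIST; the Assertion dataclass, its hypothetical “proofing” field, and the sample RP policies (the battery club and the nuclear plant from the text) are assumptions chosen to illustrate the IAL rules quoted above.

```python
"""Relying-party (RP) side checks for NIST SP 800-63-3 identity assurance levels (IALs).

Added example, not part of the original post or the NIST text it quotes. The
Assertion dataclass, the `proofing` field and the sample RP policies are
hypothetical, chosen to illustrate the three IAL definitions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Which proofing modes can support each IAL, following the quoted definitions:
#   IAL1: no proofing needed; attributes are self-asserted whatever the CSP did
#   IAL2: remote or physically present proofing
#   IAL3: physical presence, which SP 800-63A allows in person or as
#         supervised remote proofing (unsupervised remote is not enough)
PROOFING_FOR_IAL: Dict[int, set] = {
    1: {"none", "remote", "supervised_remote", "in_person"},
    2: {"remote", "supervised_remote", "in_person"},
    3: {"supervised_remote", "in_person"},
}

# Hypothetical RP policies: the post's battery-club and nuclear-plant examples.
RP_MIN_IAL = {"battery_club": 1, "nuclear_plant_entry": 3}


@dataclass(frozen=True)
class Assertion:
    """Hypothetical assertion from a CSP to an RP (think of the claims in an ID token)."""
    subject: str                 # pseudonymous identifier chosen by the CSP
    ial: int                     # IAL the CSP claims for this subject
    proofing: str                # how the CSP proofed the subject (hypothetical field)
    attributes: Dict[str, str]   # e.g. {"given_name": "...", "birthdate": "..."}


def check_assertion(a: Assertion, rp_min_ial: int) -> Tuple[bool, str, Dict[str, str]]:
    """Decide whether an RP requiring `rp_min_ial` may rely on assertion `a`.

    Returns (accepted, reason, attribute_trust), where attribute_trust labels each
    attribute "verified" or "self-asserted". The RP never upgrades trust itself:
    IAL1 attributes stay self-asserted even if the CSP presents them as verified.
    """
    if a.ial not in PROOFING_FOR_IAL or rp_min_ial not in PROOFING_FOR_IAL:
        return False, "unknown IAL", {}
    # Consistency check: a CSP claiming IAL3 after unsupervised remote proofing is
    # mislabelling the assertion, so the claimed level is not accepted at all.
    if a.proofing not in PROOFING_FOR_IAL[a.ial]:
        return False, f"proofing '{a.proofing}' cannot support IAL{a.ial}", {}
    if a.ial < rp_min_ial:
        return False, f"IAL{a.ial} is below the RP minimum IAL{rp_min_ial}", {}
    trust = "self-asserted" if a.ial == 1 else "verified"
    return True, f"accepted at IAL{a.ial}", {name: trust for name in a.attributes}


def csp_can_serve(csp_ial: int, requested_ial: int, user_consents: bool) -> bool:
    """A CSP at IAL2 or IAL3 may serve lower-IAL transactions only with user consent."""
    if csp_ial not in PROOFING_FOR_IAL or requested_ial not in PROOFING_FOR_IAL:
        return False
    if requested_ial == csp_ial:
        return True
    return requested_ial < csp_ial and user_consents


if __name__ == "__main__":
    # Constructed sample assertions, not real CSP output.
    club = Assertion("club-member-42", 1, "none", {"email": "member@example.com"})
    visitor = Assertion("visitor-7", 3, "remote", {"given_name": "Pat"})
    print(check_assertion(club, RP_MIN_IAL["battery_club"]))
    print(check_assertion(visitor, RP_MIN_IAL["nuclear_plant_entry"]))
```

The point of the consistency check is that the RP should not take the CSP’s IAL label at face value: an assertion that claims IAL3 but records only unsupervised remote proofing is rejected outright rather than silently downgraded, and the battery-club assertion is accepted but every attribute in it is tagged self-asserted, so downstream code cannot mistake it for a proofed identity.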

Someone once said that I look like this guy. By US Embassy London – https://www.flickr.com/photos/usembassylondon/27595569992/, Public Domain, https://commons.wikimedia.org/w/index.php?curid=49663171

Biometric writing, and four ways to substantiate a claim of high biometric accuracy

I wanted to illustrate the difference between biometric writing, and SUBSTANTIVE biometric writing.

A particular company recently promoted its release of a facial recognition application. The application was touted as “state-of-the-art,” and the press release mentioned “high accuracy.” However, the press release never supported the state-of-the-art or high accuracy claims.

By Cicero Moraes – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=66803013

Concentrating on the high accuracy claim, there are four methods by which a biometric vendor (facial recognition, fingerprint identification, iris recognition, whatever) can substantiate a high accuracy claim. This particular company did not employ ANY of these methods.

  • The first method is to publicize the accuracy results of a test that you designed and conducted yourself. This method has its drawbacks, since if you’re administering your own test, you have control over the reported results. But it’s better than nothing.
  • The second method is for you to conduct a test that was designed by someone else. An example of such a test is Labeled Faces in the Wild (LFW). There used to be a test called MegaFace, but this project has concluded. A test like this is good for research, but there are still issues; for example, if you don’t like the results, you just don’t submit them.
  • The third method is to have an independent third party design AND conduct the test, using test data. A notable example of this method is the Face Recognition Vendor Test (FRVT) series sponsored by the U.S. National Institute of Standards and Technology. Yet even this test has drawbacks for some people, since the data used to conduct the test is…test data, not the purchaser’s own operational data.
  • The fourth method, which could be employed by an entity (such as a government agency) who is looking to purchase a biometric system, is to have the entity design and conduct the test using its own data. Of course, the results of an accuracy test conducted using the biometric data of a local police agency in North America cannot be applied to determine the accuracy of a national passport system in Asia.

So, these are four methods to substantiate a “high accuracy” claim. Each method has its advantages and disadvantages, and it is possible for a vendor to explain WHY it chose one method over the other. (For example, one facial recognition vendor explained that it couldn’t submit its application for NIST FRVT testing because the NIST testing design was not compatible with the way that this vendor’s application worked. For this particular vendor, methods 1 and 4 were better ways to substantiate its accuracy claims.)

But if a company claims “high accuracy” without justifying the claim with ANY of these four methods, then the claim is meaningless. Or, it’s “biometric writing” without substantiation.

Why I created a LinkedIn Showcase Page for Bredemarket

It was Sunday, and I was thinking about something that I wanted to communicate to a potential client in the coming week. The potential client performs work in multiple areas, and had inquired about my assisting in one of those areas.

As I thought about solutions for that one section of the potential client’s website, I began wondering how that material could be repurposed in other channels, including LinkedIn. One solution, I realized, was for the client to set up a special “showcase page” on LinkedIn that was dedicated to this one area. Content from the website could then be repurposed for the showcase page.

If you are unfamiliar with LinkedIn Showcase Pages, they “are extensions of your LinkedIn Page, designed to spotlight individual brands, business units and initiatives.”

A notable example of the use of showcase pages is Adobe. Adobe has a company page, but since Adobe provides a plethora of products and services, it would be a firehose to cover EVERYTHING on the main Adobe page. So Adobe established showcase pages, such as its page for Adobe Experience Cloud, that allowed the company to go into greater detail for that particular topic.

But this doesn’t explain why I just created a showcase page for a Bredemarket customer segment. Actually, there are two reasons.

  • While Bredemarket provides its services to identity firms, technology firms, general business, and nonprofits, it’s no secret that Bredemarket’s most extensive experience is in the identity industry. Because of my experience in biometrics and secure documents, I know the messages that identity firms need to communicate to their customers and to the public at large. Because of this, I thought I’d create a showcase page dedicated solely to the services that Bredemarket can provide to identity firms.
  • There’s another reason why I created the showcase page – the “eating your own dog food” reason. If I’m going to talk about the use of LinkedIn Showcase Pages, wouldn’t it make sense for me to create my own?

So on Sunday I created the Bredemarket Identity Firm Services page on LinkedIn; you can find it at the https://www.linkedin.com/showcase/bredemarket-identity-firm-services/ URL.

And if your interest is specifically in identity, be sure to click the Follow button.

(Past illustrations) Improving a disjointed company Internet presence

(This past illustration describes something that I performed in my career, either for a Bredemarket client, for an employer, or as a volunteer. The entity for which I performed the work, or proposed to perform the work, is not listed for confidentiality reasons.)

By Takeaway – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=33157634

PROBLEM

A single company offered multiple products in multiple markets. Each product had its own web page, and the company itself had a web page.

The company requested that I analyze the products and recommend any necessary revisions to the marketing of the products.

SOLUTION

I analyzed the products and divided them into two groups based upon customer characteristics.

For one group, I recommended that the products in the group be marketed at the company level, and provided specific recommendations regarding how the products in this group be marketed.

For the second group, I recommended that the products in this group continue to be marketed at the product level. Again, I provided specific marketing recommendations for the products in this group.

RESULTS

The company thanked me for my thorough analysis. Unfortunately, due to external events, the company was unable to act on my recommendations at the time that I provided them.

Quantifying the costs of wrongful incarcerations

As many of you already know, the Innocence Project is dedicated to freeing people who have been wrongfully incarcerated. At times, the people are freed after examining or re-examining biometric evidence, such as fingerprint evidence or DNA evidence.

The latter evidence was relevant in the case of Uriah Courtney, who was convicted and sentenced to life in prison for kidnapping and rape based upon eyewitness testimony. At the time of Courtney’s arrest, DNA testing did not return any meaningful results. Eight years later, however, DNA technology had advanced to the point where the perpetrator could be identified—and, as the California Innocence Project noted, the perpetrator wasn’t Uriah Courtney.

I’ve read Innocence Project stories before, and the one that sticks most in my mind was the case of Archie Williams, who was released (based upon fingerprint evidence) after being imprisoned for a quarter century. At the time that Williams’ wrongful conviction was vacated, Vanessa Potkin, director of post-conviction litigation at the Innocence Project, stated, “There is no way to quantify the loss and pain he has endured.”

But that doesn’t mean that people haven’t tried to (somewhat) quantify the loss.

In the Uriah Courtney case, while it’s impossible to quantify the loss to Courtney himself, it is possible to quantify the loss to the state of California. Using data from the California Legislative Analyst’s Office 2018-19 annual costs per California inmate, the California Innocence Project calculated a “cost of wrongful incarceration” of $649,624.

One can quibble with the methodology—after all, the 2018-19 costs presumably overestimate the costs of incarcerating someone who was released from custody on May 9, 2013—but at least it illustrates that a cost of wrongful incarceration CAN be calculated. Add to that the costs of prosecuting the wrong person (including jury duty daily fees), and the costs can be quantified.

To a certain extent.