150,000 reads of my Scribd documents

I have uploaded about 200 documents to Scribd over the last few years and the number of reads has just passed 150,000. You can see the categories here. The top 5 documents, each with over 3000 reads each are

• A Data Centric Security Model (almost 6,000 reads)
• The Core Components of the Entrust PKI v5
• BA IT Security Awareness presentation.
• How to Organize Email
• How much is enough? A Risk Management Approach to Computer Security

Just over 100,000 reads of my Scribd documents

Just a note to say that the total number of read of my documents on Scribd just passed 100,000! The categories are given below,  mostly PDFs and a few PowerPoint presentations.

• Cryptography
• Data Breach
• General Risk
• IT Risk
• Malware
• Passwords
• Privacy and Anonymity
• Quant Reasoning
• Security
• Whitelisting
• Written By Me

The ISACA Risk IT Framework rising on Scribd

Under the Quick Links list at the top left of the No Tricks homepage, you can now access my document collection at Scribd, which contains about 100 interesting documents on risk, security and analytical methods.

The most popular document by far is the ISACA Risk IT Framework, which since I published it on Scribd almost a year ago, has received just over 4,000 visits and 1000 downloads. It was recently selected by the Scribd administrators to be moved to their Rising List page. The document is not too long at 94-pages and really develops a solid framework for developing and deploying an enterprise IT Risk program.

How to write an Information Security Policy

Nice 9-page advice from the UK Department of Trade and Industry.

Six Myths in Assessing Risk

Great 1-page summary with graphics from business advisory firm Corporate Executive Board

1. The biggest risk my company faces is financial risk
2. My company is safe because we review risks and
   prioritize mitigation efforts annually
3. We are good at risk-sensing because we have invested in
   3 enterprise risk management (ERM) systems
4. We are well protected because we have a strong
   quantitative model to measure risk
5. Our risk assessment is comprehensive because we
   account for likelihood and impact
6. We can sense and protect business better because we manage risks at the business unit (BU) level

End of Month Roundup, Jan 2010

Well I have to say that I still have not got back into the swing of blogging after Christmas. January has already come and gone with a only a single post to show, and I am grateful for the 1,500 visitors this month. There is a great deal going on in security, and I am collecting materials for posts that I imagine will come next month.

This is the first post written on my new netbook, and I finally succumbed to the purchase after many months of indecision. The post-Christmas sales finally got me. I also purchased a copy Ultra Recall for capturing and editing web content, and added some plug-ins to Windows Live Writer for improved editing and content linking. You may also have noticed the site enhancements provided by Apture that provide compact previews of linked content without having to navigate away from the current the page.

One of the built-in previewers is for Scribd content and I have added quite a few documents of late, clearing out pdfs that have been languishing on my hard drive, in need of review. My latest uploads include

• State of Enterprise IT Security and Emerging, Jonathon Penn, Forrester
• How to Organize Email
• How to Secure Windows and Your Privacy -- with Free Software
• Rainbow Tables Explained
• A Probabilistic Model for Cyber Attacks and Protection
• A Status Report on the P versus NP Question
• On the Entropy of Arcfour (RC4) keys

The last document is a copy of a 1998 IBM technical report on RC4 (then only referred to as Arcfour), examining the randomness of initial state and the cost of recovering the key through backtracking.

This time last year I had started another blog which I had hoped would be more informal and easier to write (less time per post), and also give me some exposure to Wordpress blogging tools. Quite quickly it became too hard to maintain both blogs and I ended up more or less abandoning the new blog and transferring some content over to No Tricks

• Moore's Lore and Attention Crash
• The Restaurant at the end of the Web
• Twitter as your Personal Content Proxy
• Social Media Data in Flight and at Rest
• Scoble's Law of Twitter

It seems that I was just as interested in Scribd a year ago as I am today with

• Data Centric Security Model hot on Scribd
• Entropy and Anonymity article featured on Scribd
• Some books on Scribd
• Publishing on Scribd

but there was still time for a few other posts as well

• Google's Storm in a Teacup
• Downadup's Password Cracking List
• Algebraic Group Visualization

Let’s hope I am back to full strength blogging next month.

Recent Uploads to Scribd, Dec 17

Here are my recent document uploads to Scribd

• Threat Classification, Web Application Security Consortium
• Statistical-based approach to password guessing
• Clobbering the Cloud
  
• NIST Statistical Test Suite
• 2009 Key Management Report from True Catalyst
• iPhone Privacy presentation from Nicolas Seriot
  

Quadratic Football Revisited

Just on a year ago now (almost a birthday!) I posted about the birthday paradox, with a review of general results and then some remarks on erroneous conclusions from DNA matching. In the post there is a subheading called Quadratic Football, referring to the facts that the median of the birthday paradox distribution is 23, the same as the number of players on pitch for a football match (two teams of 11 plus the referee), and this number is surprisingly small due to the quadratic (growing as the square) number of possible birthday matches.

I recently uploaded Methods for studying coincidences to Scribd and found an auto-linked document that presents a small study of birthday coincidences in actual British football fixtures. The conclusion – good agreement between theory and practice. This short paper is well-worth a read.

Recent uploads to Scribd

I have been going through some interesting documents I have been collecting, and added them to Scribd. The topics vary but basically security and (IT) risk one way or the other.

• Methods for studying coincidences
• Tornado modelling
• FSA on Data Security controls
• Hotel Network security in the US
• GAO report on Pandemic bandwidth risks
• Key findings MS Security Intel report H109
• Entrust whitepaper on quantum crypto and computation
• Facebook: Threats to Privacy
• What led to the financial meltdown?

My Top 10 Security and Risk Uploads to Scribd

I have been reading and uploading to Scribd for several years now. It is really a vast source of documents and its seems that it has been a victim of its own popularity since now so many varied and inconsequential documents are finding their way to to site. The search function is not quite as effective as it was, and as always been true, the site itself is quite slow.

Over the last couple of years I have slowly uploaded just over 40 documents and presentations, mostly in the area of security and risks. For the last few months I have been getting just over 100 hits per day, and about 12 downloads per day. The total number of hits is now getting close to 20,000, and will reach that mark in the next week. Here is a list of the top 10 visited documents that I have uploaded – the number of reads is in parentheses, and documents in bold type are written by me

1. A Data Centric Security Model (1529)

2. ISACA Risk Framework (1498)

3. How much is enough? A Risk Management Approach to Computer Security (1290)

4. Does IT Security Matter? (1127)

5. Entropy Bounds for Traffic Confirmation (886)

6. Risk Analysis of Power Station survival of Cyber (712)

7. Password Authentication on Mac OS X from Dave Dribin (704)

8. An analysis of the Linux Random Number Generator (702)

9. The Core Components of the Entrust PKI v5 (677)

10. Canadian Government 1999 Threat and Risk Assessment Guide (628)

The DataInherit Service – Swiss Secure Internet Escrow

I would like to announce the availability of a new secure internet storage service called DataInherit, co-founded by one of my former Swiss colleagues Tobias Christen. DataInherit is more than secure storage – it is a service for keeping sensitive data and credentials in trusted escrow for defined beneficiaries. This is an implementation of digital inheritance, supporting the ongoing life cycle of digital data. The DataInherit site contains a good explanation of their vision, and you can read more about the DataInherit security architecture on Scribd (document embedded below).

Digital Inheritance

How to Choose a Good Chart

There is a nice 1-page guide to chart selection on Scribd as shown below. Seriously, I can't emphasize enough what a resource I find Scribd to be.

Choosing a Good Chart

Publish at Scribd or explore others: How-to-Guides & Manu flow charts Business

Some security documents on Scribd

Just a note to say that I am collecting some security documents at Scribd - about 20 so far. This includes useful documents that I found on the web, plus several written by myself. My documents include information on the Birthday Paradox, Data Centric Security, Black Swans in IT Security, Entropy Bounds on Traffic Confirmation and a host of other topics that I have blogged about in the last year or so.

In general Scribd is a wonderful source of material for a wide range of topics, including security, risk management, probability, general analysis plus a wealth of information on less technical topics. If anything there are now too many documents, but the pockets of gold are worth the search.

The Black Swan on Scribd

You can get a copy of Taleb's great Black Swan book on Scribd, as well as many reviews and other comments.

The Black Swan - The Impact of the Highly Improbable

Publish at Scribd or explore others: black swan

I have also put my post on Some Black Swans for IT Security onto Scribd as well.

Some Black Swans in IT Security

Publish at Scribd or explore others: Internet & Technolog Research security passwords

Financial Cyber Risk Guide from ANSI

In October last year ANSI released a new guide addressing the financial impact of cyber risks. From the title you may expect lengthy calculation is costing cyber risks but in fact the document is largely a set of question to create a dialogue around cyber risks. This is not a consolation prize. I have written a short summary of the document which you can read from Scribd below. You can also read a quick review from the Security4all blog.

ANSI approach to the financial impact of cyber risk

Publish at Scribd or explore others: Presentations Academic Work financial risk

SOX in Pictures

A few years ago now I worked on a project where we were considering to what extent it was possible to automate the parsing of laws and regulations to produce compliant instructions for IT Operations.

An initial step was to read SOX and hand-parse the text by stripping it of general verbiage, leaving only subjects acting on objects through actions. You can see some of the resulting diagrams below at Scribd.

Parsing SOX into Pictures

Publish at Scribd or explore others: Presentations Academic Work parsing SOX

Data Centric Security Model hot on Scribd

My paper on Data Centric Security has made it to the hotlist on Scribd, which means that the paper is getting quite a few hits of late. I blogged about this work in one of my first posts to No Tricks back in September 2007. If you Google the topic further you will find that IBM has taken the idea a lot further since this initial work, and I believe that a whole consulting practice has been established around this concept.

A Data Centric Security Model

Publish at Scribd or explore others: Academic Work security data centric securit

Entropy and Anonymity article featured on Scribd

My paper on the entropy of traffic confirmation attacks, which I blogged about here, has been selected as a featured article on Scribd. There have been 120 new hits as a result, which is quite a few more than the orginal post received.

Entropy Bounds for Traffic Confirmation

Publish at Scribd or explore others: Essays Academic Work traffic confirmation technologyinternet

Some books on Scribd

As I mentioned in my last post, there is a lot of very interesting and detailed content of all types being uploaded to Scribd. According to Wikipedia,

Scribd is a document sharing website. It houses 'more than 2 million documents' and 'drew more than 21 million unique visitors in May 2008, little more than a year after launching, and claims 1.5 million registered users.' The site was initially funded with $12,000 funding from Y Combinator, but has since received over $3.7 million from Redpoint Ventures and The Kinsey Hills Group.

You can even find whole books on the site. Here are some interesting documents that I found from a hour or so of searching

• Probability for Dummies
• Simulation and Monte Carlo with Applications
• Podcast Business Models
• Excel 2007 for Scientists
• Risk Analysis: Theory and Practice

I think I will drop my Safari account as I now have enough reading for far more than foreseeable future. I also uploaded a paper that I co-wrote on Data Centric Security
A Data Centric Security Model

Publish at Scribd or explore others: Computer Science Technology security data centric securit

Publishing on Scribd

Scribd is a great publishing site for PDFs and PPTs on a wide variety of topics. I have not visited the site lately, but it seems that the Scribd document repository has reached critical mass, and practically anything can be found there now. In fact, even too much. I have started to put of few documents there myself, and will later post a few of the interesting links I have found.

Shamir's Third Law and other Tales from the Crypt

Publish at Scribd or explore others: Computer Science Technology cryptography cold boot attack