Monthly Archives: August 2006

Linking Brains

Valdis Krebs likes following back links to his work, in which he discovered:

Research reveals how knowledge is accessed within organisations:

  • Employees’ brains 42 per cent
  • Paper documents 26 per cent
  • Electronic documents 20 per cent
  • Electronic knowledge bases 12 per cent

(Source: The Delphi Group)

The complex knowledge held in people’s brains is what gives an organisation its competitive advantage. It is context sensitive and cannot be codified, written down and stored.

5 Creating a knowledge-sharing culture Government Communication Network

Well, that’s interesting.  What does it mean?


From Monoculture to Virtualization

Gartner says even Microsoft can’t support the cost of monoculture:

Vista will be the last version of Windows that exists in its current, monolithic form, according to Gartner.

Instead, the research firm predicts, Microsoft will be forced to migrate Windows to a modular architecture tied together through hardware-supported virtualisation. "The current, integrated architecture of Microsoft Windows is unsustainable – for enterprises and for Microsoft," wrote Gartner analysts Brian Gammage, Michael Silver and David Mitchell Smith.

Windows Vista the last of its kind By Matthew Broersma, Techworld, 25 August 2006

The dinosaur has gotten too big for its environment, so big it’s become too difficult for enterprises to migrate from one release to another, and it’s too hard for Microsoft to release regular updates, or even patches. So what’s an overgrown dinosaur to do?


Terrorism as Theater

Security theater is not real security, but terrorism is theater. And the terrorists seem to be pretty good producers. They’ve got us so scared that passengers are insisting on throwing people off airplanes because they “look Middle Eastern”; one man got thrown off a plane (at the airport, I hope) for reciting prayers; cosmetics, dogs, and smoke detectors are getting people investigated for terrorism; and of course we’re all putting up with ever-more-intrusive airport security that accomplishes little. Airport security was recently ratcheted up after a plot to down international flights in which none of the plotters had even bought tickets.

Bruce Schneier spells it out:

I’d like everyone to take a deep breath and listen for a minute.

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.

What the Terrorists Want, Bruce Schneier, Schneier on Security, August 24, 2006

In other words, terrorism is theater; what they do isn’t their goal; it’s an act that is intended to provoke an emotional response in the audience. And we the audience are overreacting just like the terrorists want. They don’t even have to blow anything up to get us to take off our shoes, leave our toothpaste at home, and snitch on our fellow passengers for looking different from us.

Metcalfe’s Law and Net Neutrality

Metcalfe’s Law is a hot topic of discussion right now, because of a paper in IEEE Spectrum that says:
Remarkably enough, though the quaint nostrums of the dot-com era are gone, Metcalfe’s Law remains, adding a touch of scientific respectability to a new wave of investment that is being contemplated, the Bubble 2.0, which appears to be inspired by the success of Google. That’s dangerous because, as we will demonstrate, the law is wrong. If there is to be a new, broadband-inspired period of telecommunications growth, it is essential that the mistakes of the 1990s not be reprised.

Metcalfe’s Law is Wrong Bob Briscoe, Andrew Odlyzko, and Benjamin Tilly, IEEE Spectrum, July 2006


Hammering Wasps

William Gibson nails (so to speak) the problem of conventional warfare against asymmetrical warfare. He manages to say it all in his blog post title:
Hammer, Meet Wasp’s Nest
Then he explains why certain countries (U.S., Israel, U.K.) keep trying to solve a fourth generational warfare problem with conventional cold war solutions:
Myself, I keep going back to my no doubt sloppy and imperfect understanding of Thomas S. Kuhn’s The Structure Of Scientific Revolutions. If the theory of “fourth generation war” is viewed as a new paradigm (and it seems to me to meet the criteria) then this is more than a failure of perception on the part of neoconservatives.

HAMMER, MEET WASP’S NEST William Gibson, Saturday, July 29, 2006

Gibson quotes Wikipedia’s writeup on Kuhn’s idea of paradigm shifts to describe how the mindsets before and after a paradigm shift are not compatible or even commensurate. They don’t use the same metrics; they don’t even agree on what are the right questions to ask; they can’t be translated.

Why Sen. Tubes Matters

The blogosphere and even the press have made hay out of Sen. Ted Stevens’ explanation of the Internet as a system of tubes. It’s funny, but does it really matter?


For example, a bill – the Financial Data Protection Act of 2005 (H.R. 3997) – being considered by the House of Representatives would let the breached company decide whether it should notify customers of a breach; the company would need to notify customers only if it felt the data was going to be misused to cause them financial harm, not under any other conditions. Under this proposal, we will hear less about companies that are sloppy with data. With friends like these in Congress, it might be better to let them continue to fail to deal with the issue and keep the state laws in effect.

Congress fails to grasp security risk ‘Net Insider By Scott Bradner, Network World, 08/14/06

After millions of identities, ranging from those of credit card users to those of most active duty U.S. military personnel, have been lost or stolen over the last few years, and the only reason we know about most of those breaches is that a California law requires affected companies to report them to the people whose identities they compromised, the best Congress can propose is to let the affected companies decide whether to notify.

Why not Biomass?

Here’s an interesting question:
Many American farmers are asking why Brazil, Cuba and African nations are taking the lead in biomass technologies. In Brazil, three-quarters of new cars run on a mix of biofuel and petrol. Cuba is currently experimenting and furthering the advancement of biofuels for much of their economy. Last month in the African nation of Senegal, they formed the African Non-Petroleum Producers Association (PANPP). This organization’s primary goal is to develop alternative energy sources, namely biomass. ‘Our continent,’ said the Senegalese president Abdoulaye Wade, ‘should have as its vocation to become the primary world supplier of biofuels.’ As Jatropha, a wild shrub from Mali, is being used to make biodiesel to run generators and water pumps and other African nations are experimenting with crops to produce biofuels, surely American political leaders can also play a more active role in the use of cleaner energy by using biomass. America is home to one of the greatest and richest landforms in the world that produces tremendous amounts of plant life, the Great Plains. But still the question remains, ‘Why is the funding and technical research surrounding the possibilities of biomass not a priority?’

Biomass And The Birth Of A New Populist MovementM., Sun 20 Aug 2006, Article by Correspondent Beverly Darling.

Less dependence on oil, more prosperity for the homeland, fewer terrorists, less risk of war: what’s not to like? So why isn’t it happening?


Broad-based US federal IT security failure

U.S. DoD seems to have noticed a problem:
The lead story contains an important notification by Major General Lord of broad-based US federal IT security failure. As senior officials discover how bad federal security really is, they have begun looking for solutions (some are also looking for scapegoats.) The first and most important change they will make is to begin cutting budgets for policy and report writers, and transfer budget and responsibility to operational technical security projects and professionals who can actually protect their systems. The transformation has already begun. If you have soft skills (policy writing, security awareness, risk assessment, C&A report writing, etc.) and want to have great, long-term job prospects in security, it makes sense to move quickly to add hands-on technical skills so you can lead the teams of people who will be needed to turn the tide against the attackers.

–Alan Paller, SANS NewsBites Vol. 8 Num. 65

I hope some of the new DoD employees and contractors also look up from traditional security to risk management.

Slade Review

Rob Slade has reviewed my book:
There are three threads that are repeated again and again in the book: diversity, insurance, and mapping of the Internet. But there is much more: Quarterman does not address the standard picture of risk management, since he is pointing out that the Internet throws our usual tools for quantified risk analysis into disarray. Instead he notes areas that have been neglected, because of the difficulty of fitting them into standard models, and proposes new, if somewhat vague, risk paradigms. This is not a text that can be used as a reference for ordinary threat analysis, but should be thoroughly studied by anyone involved with information (and particularly communications) protection for a large company, anyone involved with the Internet in a big way, and anyone responsible for business risks in a rapidly changing environment.
Who am I to argue?


Toys and Laptops

While I applaud the UK spooks who foiled the recent airline plot based in Britain, some of the reaction is getting a bit extreme and inconsistent:

An Alaska Airlines flight was evacuated on landing at Los Angeles International Airport on Monday after the flight crew became suspicious of a toy found on board.

Alaska Airlines Flight 281 from Guadalajara, Mexico, landed normally at LAX but taxied to a remote part of the airport, where passengers were quickly taken off while police using bomb-sniffing dogs investigated, an FBI spokesman said.

"The device was identified as a type of toy transmitter and a thorough search of the plane and cargo hold for explosives came up negative," he said.

Jet evacuated at LAX after toy spooks crew, Mon Aug 14, 2006 7:58pm ET, Reuters

OK, that makes some sense, given that Improvised Explosive Devices (IEDs) in Iraq are being set off by anything from a cell phone to a water hose (fill it with water and the pressure of a truck driving over it flips a switch).
