Monthly Archives: April 2007

Ignore What’s Hard to Measure?

Interesting point in Spire Security Viewpoint about measuring important security metrics:
In my mind, this is an endorsement of the Donn Parker approach to risk management which is to not manage risk. It is like suggesting that a fundamental truth about the universe can simply be ignored.

There is one glaring problem with this line of reasoning – it is impossible to ignore loss expectancy and asset valuation in risk management.

This is as fundamental a problem as we have in information security today.

On Value and Loss, by Pete Lindstrom, Spire Security Viewpoint, 18 April 2007

Even advertising can’t get away without some sort of measurement of its effectiveness. If marketing came to the CEO and said “I want to spend X more on this program” and had no metrics to back up what sales, profit, goodwill, or anything else that program had generated last year, nor any prediction of what it might generate this coming year, probably no more money would be forthcoming. Yet IT security operates like that.

Tea Time in America (Business Time in India)

Gartner is shocked! shocked, I tell you! to discover that there is offshoring from the U.S. to India and China.

This is a wake-up call. Unfortunately, it’s a wake-up call coming at tea-time. Apparently, Gartner doesn’t get the phone calls and emails from offshoring companies I do — about four cold-calls and a half-dozen emails per week. They also stagger easier than I do. Sixteen percent is very good. It is not staggering.

Gartner Discovers Offshoring, mordaxus, Emergent Chaos, 25 April 2007

Sounds like Gartner is about as perceptive as the U.S. press in general was about weapons of mass destruction in Iraq.

A college student who turned in their papers after the test was over would probably flunk. It doesn’t seem like good risk management for analysts or countries, either.


Shipping Network Diversion?

Sometimes it’s refreshing to look at other kinds of networks:
The Rhine River, Europe’s most busy waterway, will remain completely blocked for traffic at least until March 29, after M/V Excelsior lost 31 containers. No diversion is possible for about 200 ships arriving per day, which have to anchor at the Rhine banks. The financial loss for the masters, many of whom own their inland freighters, is way up in the millions. Salvage of the 31 lost containers is made difficult by lack of equipment; there are not enough cranes & diver ships to work on more than 1 or maybe 2 sunk containers at a time. As officials stated, a crack in the hull of chartered M/V Excelsior opened during a turn maneuver, being responsible for the list & loss of the containers.

Container Vessel In Jeopardy, Stephan Edel, The Cargo Letter, March 28, 2007. Seen in “Boxing Up the Rhine” by Countryman & McDaniel – The Logistics – Customs Broker Attorneys.

For Internet problems there’s usually at least some way to route around, replace a server, etc. Except, of course, for the last mile, provided by the telco and cableco duopoly.



Casey Chesnut claims to have used AI to reliably crack CAPTCHA. I don’t know whether he really did; he doesn’t provide his code for anyone to try, nor any other evidence except websites where he’s posted comments, which of course he could have done by eyeballing their CAPTCHAs. But if he didn’t, somebody probably will soon. What then?

Seems to me like yet another example of how technological security will fail eventually, and then risk management is needed. In this case, part of the risk management may be reworking how comments work yet again.


More SSN Exposures

Well, and I just signed up for a federal tree planting program:

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

“I was bored, and typed the name of my farm into Google to see what was out there,” said Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill.

U.S. Database Exposes Social Security Numbers, by Ron Nixon, New York Times, April 20, 2007

And she found not only her own farm and social security number on the web, but also 30,000 others. The Agriculture Dept. says probably 100,000 to 150,000 people are at risk. Ah, I see they’ve narrowed it to 38,700 people.


Abandoning the Vista Ship

Dell started supplying Linux (without Windows) to its customers a while ago. Now it’s started supplying XP instead of Vista. What does that mean?
What happened is the OEMs revolted in the background and forced Microsoft’s hand. This is a big neon sign above MeII saying ‘FAILURE’. Blink blink blink. OK, MeII won’t fail, they have OEMs whipped and threatened into a corner, it will sell, but you can almost hear the defectors marching toward Linux. This is a watershed.

Microsoft admits Vista failure, By Charlie Demerjian in Beijing, The Inquirer, Saturday 21 April 2007, 12:20

Demerjian says another big sign is that Gates went to China and announced a $3 price for Vista, down from about $300.

Yahoo! Sued about China Again

A year ago, someone lodged a complaint against Yahoo! in Hong Kong regarding jailed activist Shi Tao. This month, there’s another suit against Yahoo! for revealing user information to the Chinese government, this time in a U.S. court:

A suit filed in federal court in San Francisco on Wednesday by the wife of Wang Xiaoning accuses Yahoo of “aiding and abetting” torture and human rights violations by linking her husband and others to e-mail and online comments.

Yahoo sued in US court for giving user data to China, Sydney Morning Herald, April 20, 2007

The previous suit noted that Yahoo! operates as a Hong Kong company, so it’s not clear whether it actually had to go by mainland Chinese rules instead of Hong Kong ones.

Easy Management v. Monoculture

Why would any government want to mandate monoculture, anyway?
The long-term goal for the Air Force is to have real-time standard configuration management. Heitkamp said right now Air Force software ensures that a laptop or PC connected to the network has the standard configuration every 90 minutes. The service by 2008 hopes to have the real-time enforcement running, he said.

“We are fairly good now, but we will be much better next year,” Heitkamp said. “Moving to a standard desktop is about governance and policy, not technology. Our vision is real-time desktop management.”

Ease of management. What could be wrong with that?

Truth is a Property of Networks

Dave Weinberger types out of a drug- and fatigue-induced haze:

Truth is a property of networks.

I can only guess at what I mean, starting with the obvious: Rather than thinking that truth is a relationship between the propositions we believe and the way the world is, such that the propositions represent the world, in the networked world the truth is argued for and connected via links. For all but the most mundane of truths, the network of conversations gives us more shades, nuances, and reasons to believe. Which leads me to think that if truth isn’t an emergent property of networks, then understanding is.

Networked truth, Dave Weinberger, Joho the Blog, 13 April 2007

I think he’s right, except it’s not either/or: it’s both.


Sentimental Education

Regarding Blogger Civility, I’d like to add that where there are real threats, of course the person threatened should complain, and if the threatener can be tracked down, there are already laws that apply. Also, some people think that technical subjects aren’t contentious enough to provoke threats; those people apparently haven’t yet gotten crazy rants from people who incorporate technology into their conspiracy theories, or who fear technology because it might help people oppose their favorite policies, or who don’t like technology because they’ve always been afraid of people who understand it, or who don’t like women/gays/blacks/whites/southerners/foreigners/whatever participating in it. And there are people who think the blogosphere is unusual in harboring threats; those people apparently don’t get out much. I wonder what sort of mail somebody like Condoleezza Rice or Hillary Clinton or Barack Obama or John McCain gets?

Anyway, the idea of a blogger code of conduct reminds me of something else:

A technique to detect favorable and unfavorable opinions toward specific subjects (such as organizations and their products) within large numbers of documents offers enormous opportunities for various applications. It would provide powerful functionality for competitive analysis, marketing analysis, and detection of unfavorable rumors for risk management.

Overview, Sentiment Analysis, IBM Tokyo Research Lab, accessed 13 April 2007

Yet another artificial intelligence scheme; ho hum. Or is it?
