Monthly Archives: June 2007

Chance is Not Games

Speaking of Black Swans, here’s an interesting point in a review of Nassim Nicholas Taleb’s book on that subject:

Why do we base the study of chance on the world of games? Casinos, after all, have rules that preclude the truly shocking. And why do we attach such importance to statistics when they tell us so little about what is to come? A single set of data can lead you down two very different paths. More maddeningly still, when faced with a Black Swan we often grossly underestimate or overestimate its significance. Take technology. The founder of IBM predicted that the world would need no more than a handful of computers, and nobody saw that the laser would be used to mend retinas.

The perils of prediction, From The Economist print edition, May 31st 2007

If a casino sees a black swan (a really big winner), it’s likely to escort that person off the premises permanently, and maybe have a few words with whichever card dealer or one-armed-bandit programmer let that happen. If ordinary people hear somebody saying a really destructive event is likely to happen, they’re likely to call him a mad dog, no matter how good his data.

Yet black swans happen. While by their nature they’re hard to predict precisely as to time or place, it’s good risk management to admit they can happen and to have a plan for that eventuality.



I’ve often wondered if this was happening:
A ROW IS BREWING between a bunch of bloggers who took cash from Microsoft marketing outfit and stodgy old media types who take their bribes in less obvious ways.

The row started on Friday when the ValleyWag revealed how some “star boggers” had taken some cash from Federated Media to repeat some Microsoft sloganeering in copy on their websites.

Michael Arrington tells all how his Techcrunch site became “people-ready”. Gigaom’s Om Malik talks about when a business becomes “people ready”. Others named and shamed include Paul Kedrosky and Matt Marshall of Venture Beat, as well as Fred Wilson, the blogger-investor. Ads with the Volish motto appear on the blogger’s site.

Boggers embroiled in Volish bribery kerfuffle, Old media lecture the new, By Nick Farrell, The Inquirer, Monday 25 June 2007, 14:02

Well, wonder no more.


RIAA Blowback

Sometimes suing your customers produces blowback:
Former RIAA target Tanya Andersen has sued several major record labels, the parent company of RIAA investigative arm MediaSentry, and the RIAA’s Settlement Support Center for malicious prosecution, a development first reported by P2P litigation attorney Ray Beckerman of Vandenberg & Feliu. Earlier this month, Andersen and the RIAA agreed to dismiss the case against her with prejudice, making her the prevailing party and eligible for attorneys fees.

The lawsuit was filed in the US District Court for the District of Oregon late last week and accuses the RIAA of a number of misdeeds, including invasion of privacy, libel and slander, and deceptive business practices.

Exonerated defendant sues RIAA for malicious prosecution By Eric Bangeman, Ars Technica, June 25, 2007 – 04:40PM CT

Does it help a company or an industry’s reputation when its customers sue back? Is this good risk management?


Wildfire Myopia

It looks like technological security isn’t the only kind disorganized in government. The latest GAO report about wildfires seems like more smoke than fire:

This testimony summarizes several key actions that federal agencies need to complete or take to strengthen their management of the wildland fire program, including the need to (1) develop a long-term, cohesive strategy to reduce fuels and address wildland fire problems and (2) improve the management of their efforts to contain the costs of preparing for and responding to wildland fires.

For cost-containment efforts to be effective, the agencies need to integrate cost-containment goals with the other goals of the wildland fire program–such as protecting life, resources, and property–and to recognize that trade-offs will be needed to meet desired goals within the context of fiscal constraints.

Wildland Fire Management: A Cohesive Strategy and Clear Cost-Containment Goals Are Needed for Federal Agencies to Manage Wildland Fire Activities Effectively, GAO-07-1017T, U.S. General Accounting Office, June 19, 2007

How about a strategy for integrating wildfire planning into subdivision planning, or cost allocations from homeowner wildfire insurance?


Usable Metrics

It’s not enough just to measure:
…most metrics that we security folks come up with are, well, boring and effectively useless to upper management. At best they are focused on technical management such as the CIO and CSO. Like much of the rest of our industry, we metrics folks have again failed to relate our services to the business at large.

Attacking Metrics by arthur, Emergent Chaos, 20 June 2007

You need metrics that are comparable across companies, that subsume enough information to be interesting, and that are easy to explain to executives. Something like the Apdex performance measurements. Performance and security are more intertwined than most security people yet realize. And network performance people have been dealing with selling their measurements to management for some time now. Security folks might want to see how it’s already been done.


FISMA Failing

Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:

When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.

Q&A: Federal info security isn’t just about FISMA compliance, auditor says, Most agencies still have security gaps, according to Gregory Wilshusen, by Jaikumar Vijayan Computerworld, June 14, 2007

Sounds like they haven’t implemented numerous simple security measures that were known before FISMA, they don’t have processes to do so, and they don’t adequately report what they’re doing, even with FISMA. What to do?


TSA Transparency?

Bruce Schneier examines the notorious sippy cup incident in which a mother was told she couldn’t take a cup of water for her infant through airport security, and gets right to the point:
Why is it that we all — myself included — believe these stories? Why are we so quick to assume that the TSA is a bunch of jack-booted thugs, officious and arbitrary and drunk with power?

TSA and the Sippy Cup Incident, Bruce Schneier, Schneier on Security, 18 June 2007

Yes, why is that?

Homeland Insecurity

Congress is investigating Homeland Security’s internal insecurity:

…hearing, the GAO witnesses will also describe an investigation they conducted on a specific DHS network that is "riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure."

The subcommittee also plans to air some of its concerns with the DHS OneNet project, which is aimed at consolidating all of the agency’s information networks under one roof, and to question a perceived lack of IT security funding by Charbo.

Homeland Security to detail IT attacks Hearing will reveal findings of agency’s internal investigation into risk of system attacks and other online threats, By Matt Hines InfoWorld, June 15, 2007

Who could have predicted that putting all information networks under one roof would make them vulnerable to attack? That would have been like predicting that making all DHS and DoD computers run one operating system would make them vulnerable to attack.


PS: Seen via Fergie’s Tech Blog


Gunnar usually says it better than I did:
Coordinated detection and response is the logical conclusion to defense in depth security architecture. I think the reason that we have standards for authentication, authorization, and encryption is because these are the things that people typically focus on at design time. Monitoring and auditing are seen as runtime operational activities, but if there were standards based ways to communicate security information and events, then there would be an opportunity for the tooling and processes to improve, which is ultimately what we need.

Building Coordinated Response In – Learning from the Anasazis, Gunnar Peterson, 1 Raindrop, 14 June 2007

Security shouldn’t be a bag of uncoordinated aftermarket tricks. It should be a process that starts with design and continues through operations.


Breach Discovery

If people know about security breaches, maybe there’s an incentive for the companies whose customers they are, or the governments whose constituents they are, to do something about them, so this is good news:

New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net.

New Hampshire gets it, Chris Walsh, Emergent Chaos, 13 June 2007

Or at least if we know what’s really going on, maybe unfounded scare
