Here’s an interesting point in a review of Nassim Nicholas Taleb’s book on that subject:
Why do we base the study of chance on the world of games? Casinos,
after all, have rules that preclude the truly shocking. And why do
we attach such importance to statistics when they tell us so little
about what is to come? A single set of data can lead you down two very
different paths. More maddeningly still, when faced with a Black Swan
we often grossly underestimate or overestimate its significance. Take
technology. The founder of IBM predicted that the world would need no
more than a handful of computers, and nobody saw that the laser would
be used to mend retinas.
If a casino sees a black swan (a really big winner), it’s likely to
escort that person off the premises permanently, and maybe have a
few words with whichever card dealer or one-armed-bandit programmer
let that happen.
If ordinary people hear somebody saying a really destructive
event is likely to happen, they’re likely to
call him a mad dog, no matter how good his data.
Yet black swans happen.
While by their nature they’re hard to predict precisely as to time or place,
it’s good risk management to admit they can happen and to have a plan for
A ROW IS BREWING between a bunch of bloggers who took cash from a Microsoft
marketing outfit and stodgy old media types who take their bribes in
less obvious ways.
The row started on Friday when the ValleyWag revealed how some “star
bloggers” had taken some cash from Federated Media to repeat some Microsoft
sloganeering in copy on their websites.
Michael Arrington tells all how his Techcrunch site became
“people-ready”. Gigaom’s Om Malik talks about when a business becomes
“people ready”. Others named and shamed include Paul Kedrosky
and Matt Marshall of Venture Beat, as well as Fred Wilson, the
blogger-investor. Ads with the Volish motto appear on the blogger’s site.
Former RIAA target Tanya Andersen has sued several major record labels, the
parent company of RIAA investigative arm MediaSentry, and the RIAA’s Settlement
Support Center for malicious prosecution, a development first reported by P2P
litigation attorney Ray Beckerman of Vandenberg & Feliu. Earlier this month,
Andersen and the RIAA agreed to dismiss the case against her with prejudice,
making her the prevailing party and eligible for attorneys’ fees.
The lawsuit was filed in the US District Court for the District of Oregon late last week and accuses the RIAA of a number of misdeeds, including invasion of privacy, libel and slander, and deceptive business practices.
This testimony summarizes several key actions that federal agencies need
to complete or take to strengthen their management of the wildland fire
program, including the need to (1) develop a long-term, cohesive strategy
to reduce fuels and address wildland fire problems and (2) improve the
management of their efforts to contain the costs of preparing for and
responding to wildland fires.
For cost-containment efforts to be effective, the agencies need to
integrate cost-containment goals with the other goals of the wildland
fire program, such as protecting life, resources, and property, and to
recognize that trade-offs will be needed to meet desired goals within
the context of fiscal constraints.
…most metrics that we security folks come up with are, well, boring, and are
effectively useless to upper management. At best they are focused on
technical management such as the CIO and CSO. Like much of the rest of
our industry, we metrics folks have again failed to relate our services
to the business at large.
You need metrics that are comparable across companies,
that subsume enough information to be interesting,
and that are easy to explain to executives.
Something like the Apdex performance measurements.
Performance and security are more intertwined than most security
people yet realize.
And network performance people have been dealing with selling their
measurements to management for some time now.
Security folks might want to see how it’s already been done.
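The post points at Apdex as the kind of measurement that is comparable across companies and easy to explain upward. As an added example (not from the original post), the block below computes the standard Apdex index: with a target threshold T, a sample is "satisfied" if it is at most T, "tolerating" if at most 4T, and "frustrated" otherwise, and the score is (satisfied + tolerating/2) / total, on a scale of 0 to 1. The rating labels are the standard Apdex bands. The sample response times, and the second data set applying the same bucketing to days-to-patch, are constructed for illustration; treating patch latency this way is the editor's analogy, not something the post or the Apdex specification prescribes.

```python
"""Apdex-style index over constructed samples (added example, not from the original post).

Standard Apdex: threshold T, satisfied <= T, tolerating <= 4T, frustrated > 4T,
score = (satisfied + tolerating / 2) / total, in [0, 1].
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ApdexResult:
    satisfied: int
    tolerating: int
    frustrated: int

    @property
    def total(self) -> int:
        return self.satisfied + self.tolerating + self.frustrated

    @property
    def score(self) -> float:
        if self.total == 0:
            raise ValueError("Apdex is undefined with no samples")
        return (self.satisfied + self.tolerating / 2) / self.total


def apdex(samples: Iterable[float], threshold: float) -> ApdexResult:
    """Bucket each duration against T and 4T and return the counts."""
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    satisfied = tolerating = frustrated = 0
    for value in samples:
        if value < 0:
            raise ValueError("durations cannot be negative")
        if value <= threshold:
            satisfied += 1
        elif value <= 4 * threshold:
            tolerating += 1
        else:
            frustrated += 1
    return ApdexResult(satisfied, tolerating, frustrated)


def rating(score: float) -> str:
    """Standard Apdex rating bands, the one-word version executives see."""
    if score >= 0.94:
        return "Excellent"
    if score >= 0.85:
        return "Good"
    if score >= 0.70:
        return "Fair"
    if score >= 0.50:
        return "Poor"
    return "Unacceptable"


# Constructed sample: page response times in seconds, target T = 0.5 s.
RESPONSE_TIMES = [0.2, 0.3, 0.4, 0.5, 0.6, 1.0, 1.9, 2.0, 2.1, 5.0]

# Constructed sample for the editor's analogy: days from patch release to
# deployment, with a 7-day target (so "tolerating" runs out at 28 days).
DAYS_TO_PATCH = [1, 3, 5, 7, 10, 20, 28, 29, 45, 60]


def web_apdex() -> ApdexResult:
    return apdex(RESPONSE_TIMES, threshold=0.5)


def patch_apdex() -> ApdexResult:
    return apdex(DAYS_TO_PATCH, threshold=7)


if __name__ == "__main__":
    for label, result in (("web response", web_apdex()), ("patch latency", patch_apdex())):
        print(f"{label}: {result} -> {result.score:.2f} ({rating(result.score)})")
```

The point of the analogy is that a single 0-to-1 number with a fixed threshold convention is comparable between organisations in a way that raw counts of vulnerabilities or events are not, and the "satisfied / tolerating / frustrated" split keeps enough information to show whether a poor score comes from a long tail or from uniformly late work.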
Shades of SOX complaints: the U.S. GAO on the Federal Information Security Management Act (FISMA):
When we go out and conduct our security control reviews at federal agencies,
we often find serious and significant vulnerabilities in systems that
have been certified and accredited.
Part of it, I think, is just that agencies may be focusing on just
trying to get the systems certified and accredited but not effectively
implementing the processes that the certification and accreditation is
supposed to reflect.
They haven’t implemented numerous simple security measures that were known
before FISMA, they don’t have processes to do so, and they don’t adequately
report what they’re doing, even with FISMA.
What to do?
Congress is investigating Homeland Security’s internal insecurity:
…hearing, the GAO witnesses will also describe an investigation they
conducted on a specific DHS network that is "riddled with significant
information security control weaknesses that place sensitive and
personally identifiable information at increased risk of unauthorized
The subcommittee also plans to air some of its concerns with the DHS
OneNet project, which is aimed at consolidating all of the agency’s
information networks under one roof, and to question a perceived lack
of IT security funding by Charbo.
Homeland Security to detail IT attacks
Hearing will reveal findings of agency’s internal investigation into risk of system attacks and other online threats,
By Matt Hines
June 15, 2007
Who could have predicted that putting all information networks under one
roof would make them vulnerable to attack?
That would have been like predicting that making all DHS and DoD computers
run one operating system would make them vulnerable to attack.
Coordinated detection and response is the logical conclusion to defense
in depth security architecture. I think the reason that we have standards
for authentication, authorization, and encryption is because these are
the things that people typically focus on at design time. Monitoring and
auditing are seen as runtime operational activities, but if there were
standards based ways to communicate security information and events, then
there would be an opportunity for the tooling and processes to improve,
which is ultimately what we need.
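The quoted argument is that a common way to express security events lets tooling correlate them across sources. As an added example (not from the original post or any product it mentions), the block below normalises two constructed log formats, a firewall line and an sshd syslog line, into one event schema, and then runs a small correlation over the merged stream: a source address with repeated authentication failures followed by a success within a short window is flagged for review. The field names of the schema, the sample lines, the year assumed for the syslog timestamps, and the thresholds are all assumptions made for this illustration.

```python
"""Normalise events from two sources into one schema and correlate them
(added example; schema, sample lines and thresholds are constructed)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines, not captured from any real system.
FIREWALL_LINES = [
    "2007-06-15T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2007-06-15T10:00:02Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2007-06-15T10:00:03Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.5 dport=443",
]
AUTH_LINES = [
    "Jun 15 10:00:05 host5 sshd[1234]: Failed password for root from 203.0.113.7 port 50000 ssh2",
    "Jun 15 10:00:07 host5 sshd[1235]: Failed password for root from 203.0.113.7 port 50001 ssh2",
    "Jun 15 10:00:09 host5 sshd[1236]: Accepted password for root from 203.0.113.7 port 50002 ssh2",
    "Jun 15 10:00:11 host5 sshd[1237]: Accepted publickey for alice from 198.51.100.9 port 50003 ssh2",
]
ASSUMED_YEAR = 2007  # classic syslog lines carry no year; assumed for the constructed data

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
# Matches the two plain sshd forms used in the sample; "invalid user" lines would need another pattern.
AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (\S+) from (\S+) port \d+"
)


def normalize_firewall(line: str):
    """Map a firewall line onto the shared schema; None if it does not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, host, action, src, dst, _dport = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "source": "firewall", "reporter": host,
            "action": "deny" if action == "DENY" else "allow",
            "src_ip": src, "target": dst, "user": None}


def normalize_auth(line: str):
    """Map an sshd syslog line onto the same schema; None if it does not parse."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, host, result, user, src = m.groups()
    when = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": when, "source": "auth", "reporter": host,
            "action": "auth_failure" if result == "Failed" else "auth_success",
            "src_ip": src, "target": host, "user": user}


def serialize(events) -> str:
    """One JSON object per line: the shape in which events could be handed between tools."""
    return "\n".join(json.dumps({**e, "ts": e["ts"].isoformat()}, sort_keys=True) for e in events)


def correlate(events, window_seconds: int = 60, min_failures: int = 2):
    """Flag a source IP whose auth success follows >= min_failures failures inside the window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for e in evs:
            if e["action"] == "auth_failure":
                failures.append(e["ts"])
            elif e["action"] == "auth_success":
                recent = [t for t in failures if (e["ts"] - t).total_seconds() <= window_seconds]
                if len(recent) >= min_failures:
                    alerts.append({"src_ip": ip, "user": e["user"], "target": e["target"],
                                   "failures": len(recent),
                                   "sources": sorted({x["source"] for x in evs})})
                failures = []  # a success closes the current run of failures
    return alerts


def run(fw_lines=FIREWALL_LINES, auth_lines=AUTH_LINES):
    """Merge both sources through the shared schema and return the correlation alerts."""
    events = [e for e in map(normalize_firewall, fw_lines) if e]
    events += [e for e in map(normalize_auth, auth_lines) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

Nothing in the correlation step knows which parser produced an event; that is the property the quoted paragraph is after, since a new source only needs a normaliser, not a change to every detection rule.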
If people know about security breaches, maybe there’s incentive for
the companies whose customers they are or the governments whose
constituents they are to do something about them,
so this is good news:
New Hampshire, one of a handful of U.S. states that require breaches
involving personal information to be reported to the state as well as
to affected individuals, has made at least some breach notices it has
received available on the net.