
Video by jsq at RIPE 61 in Rome, Italy, 15 Nov 2010. His slides, the RIPE Atlas home page, and the conference will put up video of all the talks within about a day.
-jsq
PS: My talk is 11AM Rome time tomorrow, Tuesday 16 Nov.
The root of the ecrime problem is not technology: it is money.
“Only 33% of my patients with diabetes have glycated hemoglobin levels that are at goal. Only 44% have cholesterol levels at goal. A measly 26% have blood pressure at goal. All my grades are well below my institution’s targets.” And she says, “I don’t even bother checking the results anymore. I just quietly push the reports under my pile of unread journals, phone messages, insurance forms, and prior authorizations.”
Meanwhile, according to the CDC, 99,000 people die in the U.S. per year because of health-care-associated infections. That is the equivalent of an airliner crash every day. It is three times the rate of deaths from automobile accidents.
The basic medical-error problems observed by Dennis Quaid when his twin babies almost died due to repeated massive medically-administered overdoses, and due to software problems such as those ably analysed by Nancy Leveson for the infamous 1980s Therac-25 cancer-radiation device, are not in any way unique to computing in medicine. The solutions to those problems are analogous to some of the solutions IT security needs: measurements plus six or seven layers of aggregation, analysis, and distribution.
As Gardiner Harris reported in the New York Times, August 20, 2010, another problem is that intravenous and feeding tubes are not distinguished by shape or color:
“Inadequate Investigation or Followup on Accident Reports. Every company building safety-critical systems should have audit trails and analysis procedures that are applied whenever any hint of a problem is found that might lead to an accident.” p. 47

The lesson being that you have to have built-in audit, reporting, transparency, and user visibility for reputation.

“Government Oversight and Standards. Once the FDA got involved in the Therac-25, their response was impressive, especially considering how little experience they had with similar problems in computer-controlled medical devices. Since the Therac-25 events, the FDA has moved to improve the reporting system and to augment their procedures and guidelines to include software. The input and pressure from the user group was also important in getting the machine fixed and provides an important lesson to users in other industries.” pp. 48-49
Which is exactly what Dennis Quaid is asking for.
Remember, most of those 99,000 deaths a year from medical errors aren’t due to control of complicated therapy equipment:
“In the future, all barriers to entry will go away and companies will be forced to form what I call ‘confusopolies’.”

OK, good snark. But look at the list of industries he identified as already being confusopolies:

“Confusopoly: A group of companies with similar products who intentionally confuse customers instead of competing on price.”
And the other four are the source of the current economic meltdown, precisely because they sold products that customers couldn’t understand. Worse, they didn’t even understand them themselves!
It gets better. What industry does he predict will become a confusopoly next? Electricity! And this was in 1998, before Enron engineered confusing California into an electricity-price budget crisis.
For risk management, perhaps it’s worth considering that simply selling something the customer can understand can rank way up there. Certainly for the customer’s risk. And given how much the FIRE companies drank their own Kool-Aid, apparently it’s good risk management for the company itself. Especially given that the Internet now gives the customer more capability to find out what’s going on behind a confusopoly and more ability to vote with their feet.
To actually make a product the customer wants, and then provide good customer service: how old-fashioned! And how much less risky and more profitable in the long term.
“Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil…” (Computer Capers, page 72)

That’s why corporations fear a breach reporting reputation system. That’s also why we need one.

— Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

-jsq
“Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?”

Yes, if the customers demanded it, that might make some difference, and the vendors do pay the most attention to the biggest customers. Of course the biggest customer is the U.S. government, and they seem more interested in CYA than in actual security. And I’m a bit jaded on “best practices” due to reading Black Swans. But regardless of the specific form of “better” such a group demanded, demanding better security might make some difference.

— Secure Coding Advocacy Group, Gunnar Peterson, 1 Raindrop, 23 October 2007

Maybe they could also demand risk management, which would include having watchers watching ipsos custodes. Not just in the circular never-ending hamster wheel of death style, but for actual improvement.
-jsq
Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:
When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.
— Q&A: Federal info security isn’t just about FISMA compliance, auditor says. Most agencies still have security gaps, according to Gregory Wilshusen, by Jaikumar Vijayan, Computerworld, June 14, 2007
Sounds like they haven’t implemented numerous simple security measures that were known before FISMA, they don’t have processes for doing so, and they don’t adequately report what they are doing, even with FISMA. What to do?
“Why is it that we all — myself included — believe these stories? Why are we so quick to assume that the TSA is a bunch of jack-booted thugs, officious and arbitrary and drunk with power?”

Yes, why is that?

— TSA and the Sippy Cup Incident, Bruce Schneier, Schneier on Security, 18 June 2007