Wildfire Precedents

I’m having a little difficulty finding historical statistics on wildfires. Here’s someone’s understanding:

My understanding is that the size of this fire is almost unprecedented with the exception being a fire in 1955 that consumed 58,000 acres.

The wind changed today. I can smell the smoke of my neighbor’s land again. The ash is falling again, too. Bitter snows.

The Waycross Wildfire 2, jimmorrow, April 23, 2007

When he wrote that towards the end of April, 55,000 acres had been burnt near Waycross, Georgia.


Passport Friction

Ben Hyde has an interesting bunch of thoughts about verification friction:

We recently got new passports, a project that was at least a dozen times more expensive and tedious than doing my taxes. I once had a web product that failed big-time. A major contributor to that failure was the tedium of getting new users through the sign-up process. Each screen they had to step through triggered the loss of 10 to 20% of the users. Reducing the friction of that process was key to survival. It is a thousand times easier to get a cell phone or a credit card than it is to get a passport or a learner’s permit. That wasn’t the case two decades ago.

Friction, by Ben Hyde, Ascription is an Anathema to any Enthusiasm, 10 May 2007

He mentions some cases where friction may actually be socially useful, as in making it harder to get liquor and easier to get condoms, or some automobile traffic engineering. Then he gets to the especially interesting part.

IT Seat Belts

Over on the ongoing comment thread about IT Security: Unnatural Industry (which started on Schneier on Security and is also on Spire Security Viewpoint and 1 Raindrop), Pete Lindstrom asked a question I hadn’t yet answered:

Why didn’t people sue their banks for fraud? Why did congress need to write a law about behaviour that is already covered by contract law and fraud?

Well, I think that’s mostly a question about personalities, customs, and precedents.


REAL ID Blues

Fergie notes that apparently all those complaints to DHS had some effect:

Senate Judiciary Committee Chairman Patrick J. Leahy (D-Vt.), citing concerns about Americans’ privacy, signaled yesterday that he will push to repeal a provision of a 2005 law aimed at creating new government standards for driver’s licenses.

Leahy, who has co-sponsored bipartisan legislation to repeal the provision, spoke out as the debate intensified over the Real ID Act, which requires states to create new tamper-proof driver’s licenses in line with rules recently issued by the Department of Homeland Security. States must begin to comply by May 2008 but can request more time. After 2013, people whose IDs do not meet those standards will not be allowed to board planes or enter federal buildings.

A similar Democrat-backed bill to repeal the provision is pending in the House. At least seven states have passed laws or resolutions opposing implementation of Real ID. Fourteen states have legislation pending. By yesterday, the DHS had received more than 12,000 public comments in response to the rules.

Leahy, Others Speak Out Against New ID Standards, By Ellen Nakashima, Washington Post Staff Writer, Wednesday, May 9, 2007; Page D03

You may be wondering why you didn’t hear about this law in 2005, when it was passed.


Real ID? No, Say DHS’s Advisors

The U.S. Government is proposing to implement a national identification scheme, yet the department that is supposed to implement it can’t get its own advisors to agree:

The Department of Homeland Security’s outside privacy advisors explicitly refused to bless proposed federal rules to standardize states’ driver’s licenses Monday, saying the Department’s proposed rules for standardized driver’s licenses — known as Real IDs — do not adequately address concerns about privacy, price, information security, redress, “mission creep”, and national security protections.

Homeland Security’s Own Privacy Panel Declines to Endorse License Rules, Ryan Singel, Threat Level, Wired Blog Network, 7 May 2007

The committee says REAL ID is not “workable” or “appropriate”.

This doesn’t mean DHS won’t implement REAL ID, however, with its approximately $21 billion cost to taxpayers, the greatly increased paperwork required of all citizens, and the increased likelihood of identity theft, not to mention the obvious surveillance state implications.

Today, 8 May 2007, until 5PM EST, is the last chance to comment to DHS about REAL ID.

-jsq

IT Security: Unnatural Industry

Bruce Schneier says the obvious:

Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren’t IT products and services naturally secure, and what would it mean for the industry if they were?

Do We Really Need a Security Industry? Bruce Schneier, Schneier on Security, 3 May 2007

Obvious in an emperor’s new clothes sort of way.

Metricon 2.0

It’s that time again:

Do you cringe at the subjectivity applied to security in every manner? If so, MetriCon 2.0 may be your antidote to change security from an artistic “matter of opinion” into an objective, quantifiable science. The time for adjectives and adverbs has gone; the time for hard facts and data has come.

Second Workshop on Security Metrics (MetriCon 2.0) — Call for Papers, MetriCon 2.0 CFP, August 7, 2007 Boston, MA

Want to quantify a pesky subjective security topic? You’ve got until 11 May 2007 to submit a request to participate.

-jsq

Do or Don’t

Well, you go away for the weekend, and Vista fans have a party on your blog….

While one of the commenters seems to mostly know people who like Vista, so far I haven’t found anybody I know who does; could be it’s who you know. Apparently Dell knows quite a few people who don’t want Vista, and the Houston Chronicle talked to some of them.

The people I talk to think Ubuntu Linux is just as good as Vista, and requires fewer resources. Sort of like this opinion: except for perhaps some Windows-specific applications, why not switch to Ubuntu? Dell is also moving to supply Ubuntu as a native operating system within weeks.


Ignore What’s Hard to Measure?

Interesting point in Spire Security Viewpoint about measuring important security metrics:

In my mind, this is an endorsement of the Donn Parker approach to risk management which is to not manage risk. It is like suggesting that a fundamental truth about the universe can simply be ignored.

There is one glaring problem with this line of reasoning – it is impossible to ignore loss expectancy and asset valuation in risk management.

This is as fundamental a problem as we have in information security today.

On Value and Loss, by Pete Lindstrom, Spire Security Viewpoint, 18 April 2007

Even advertising can’t get away without some sort of measurement of its effectiveness. If marketing came to the CEO and said “I want to spend X more for this program” and had no metrics to back up what sales, profit, goodwill, or anything else that program had generated last year, nor any prediction for what it might generate this coming year, probably no more money would be forthcoming. Yet IT security operates like that.

Tea Time in America (Business Time in India)

Gartner is shocked! shocked, I tell you! to discover that there is offshoring from the U.S. to India and China.

This is a wake-up call. Unfortunately, it’s a wake-up call coming at tea-time. Apparently, Gartner doesn’t get the phone calls and emails from offshoring companies I do — about four cold-calls and a half-dozen emails per week. They also stagger easier than I do. Sixteen percent is very good. It is not staggering.

Gartner Discovers Offshoring, mordaxus, Emergent Chaos, 25 April 2007

Sounds like Gartner is about as perceptive as the U.S. press in general was about weapons of mass destruction in Iraq.

A college student who turned in their papers after the test was over would probably flunk. It doesn’t seem like good risk management for analysts or countries, either.

-jsq