Tag Archives: Prevention

Detection is much more important than prevention –Bruce Schneier

Reviewing Bruce Schneier’s 2004 book Secrets and Lies, much of which was written in 2000, reminds us of something really basic. You can’t just fix security. Security is a process, most of which is about knowing what’s going on. Detection is more important than prevention. To which I add that for detection we need comparable Internet-wide metrics on security performance so every organization can see what’s going on and will have incentive to do something about it because its customers and competitors can see, too. Sound familiar? That’s what SpamRankings.net is about.

Joe Zack posted in Joezack.com on Bastille Day, 14 July 2013, Secrets and Lies: Nine Years Later,

2. “Detection is much more important than prevention”

Schneier keeps coming back to this point. He had this epiphany in 1999 that “it is fundamentally impossible to prevent attacks” and “preventative countermeasures fail all the time.” Security is “about risk management, that the process of security was paramount, that detection and response was the real way to improve security.” (emphasis mine)

I had formerly thought of security as largely being about prevention. A year ago, if you have asked me about “InfoSec” I might have prattled on about firewalls, injection attacks, encryption and good passwords. That’s still important, but now I know that there’s a lot more to it.

Zack says he thinks Schneier was like Nostradamus for having such insight before NSA PRISM and even before Facebook. Sure, Bruce has always been ahead of his time. But that basic insight was not unique to him, and Continue reading

John Quarterman on Mapping Spam and Politics (audio)

At a meeting on a completely different subject, I was interviewed about SpamRankings.net. Here's the audio, and here's the blurb they supplied:

John S. Quarterman, long time Internet denizen, wrote one of the seminal books about networking prior to the commercialization of the Internet. He co-founded the first Internet consulting firm in Texas (TIC) in 1986, and co-founded one of the first ISPs in Austin (Zilker Internet Park, since sold to Jump Point). He was a founder of TISPA, the Texas ISP Association. Quarterman was born and raised in Lowndes County, where he married his wife Gretchen. They live on the same land where he grew up, and participate in local community and government.

Quarterman took some time during Georgia River Network's Weekend for Rivers to speak with the Nonprofit Snapshot about spam-mapping and small town politics.

More about Elinor Ostrom's Nobel-prize-winning work on organizing the commons, and how that applies to SpamRankings.net.

The water organization has since been incorporated as the Georgia non-profit WWALS Watershed Coalition:

WWALS is an advocacy organization working for watershed conservation of the Willacoochee, Withlacoochee, Alapaha, and Little River Systems watershed in south Georgia and north Florida through awareness, environmental monitoring, and citizen advocacy.


eCrime Summit in Prague 25-27 April 2012

These ecrime meetings are always interesting and useful. -jsq

Press release of 29 March:

Containing the Global Cybercrime Threat is Focus of Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27

CeCOS VI, in Prague, Czech Republic, to focus on harmonizing operational issues, cybercrime data exchange, and industrial policies to strengthen and unify the global counter-ecrime effort.

CAMBRIDGE, Mass.—(BUSINESS WIRE)—The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.

CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.

Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.

Key presentations will include:

Continue reading

Medical Metrics Considered Overrated

One of the presenters at Metricon 5.0 was comparing IT security to other fields in various aspects of metrics and monitoring. I mentioned I thought she was giving far too much green for good to the field of medicine. This provoked repeated back and forth later.

My point was that 150 years after the invention of epidemiology and 100 years after the discovery of bacterial transmission of disease, in medicine application of known preventive measures is so low that Atul Gawande of Harvard has gotten large (on the order of 30%) reductions in deaths from complications of surgery in many hospitals simply by getting them to use checklists for things like washing hands before surgery.

I have an elderly relative in a nursing home who can’t take pills whole due to some damage to nerves in her neck. Again and again visitors sent by the family discover nursing home staff trying to give her pills whole without grinding them up. Why? They don’t read instructions about her, and previous shifts don’t remind later shifts. This kind of communication problem is epidemic not only in nursing homes but in hospitals. I found my father in a diabetic coma because nurses hadn’t paid any attention to him being a diabetic and needing to eat frequently. Fortunately, a bit of honey brought him out of it. Even nurses readily acknowledge this problem, but it persists. I can rattle off many other examples.

To which someone responded, yes, but medicine has epidemiology, and Edward Tufte demonstrated in one of his books that that goes well beyond checklists in to actual analysis, as in a physician’s discovery of a well in London being he source of cholera. I responded, yes, John Snow, in 1854: that was the first thing I said when I stood up to address this. But who now applies what he learned? One-shot longitudinal studies are not the same as ongoing monitoring with comparable metrics to show how well one group is doing compared to both the known science and to other groups.

Many people still didn’t get it, and kept referring to checklists as rudimentary.

So I tried again. If John Snow were alive today, he wouldn’t be prescribing statins for life to people with high blood pressure. He would be compiling data on who has high blood pressure and what they have been doing and eating before they got it. He would follow this evidence back to discover that one of the main contributors to high blood pressure, heart disease, and diabetes in the U.S. is high fructose corn syrup (HFCS). Then he would mount a political campaign to ban high fructose corn syrup, which would be the modern equivalent of his removal of the handle from the pump of the well that stopped the cholera.

To which someone replied, but there are political forces who would oppose that. And I said, yes, of course. Permit me to elaborate.

There were political forces in John Snow’s time, too, and he dealt with them:

Dr Snow took a sample of water from the pump, and, on examining it under a microscope, found that it contained “white, flocculent particles.” By 7 September, he was convinced that these were the source of infection, and he took his findings to the Board of Guardians of St James’s Parish, in whose parish the pump fell.

Though they were reluctant to believe him, they agreed to remove the pump handle as an experiment. When they did so, the spread of cholera dramatically stopped. [actually the outbreak had already lessened for several days]

Snow also investigated several outliers, all of which turned out to involve people actually travelling to the Soho well to get water.
Still no one believed Snow. A report by the Board of Health a few months later dismissed his “suggestions” that “the real cause of whatever was peculiar in the case lay in the general use of one particular well, situate [sic] at Broad Street in the middle of the district, and having (it was imagined) its waters contaminated by the rice-water evacuations of cholera patients. After careful inquiry,” the report concluded, “we see no reason to adopt this belief.”

So what had caused the cholera outbreak? The Reverend Henry Whitehead, vicar of St Luke’s church, Berwick Street, believed that it had been caused by divine intervention, and he undertook his own report on the epidemic in order to prove his point. However, his findings merely confirmed what Snow had claimed, a fact that he was honest enough to own up to. Furthermore, Whitehead helped Snow to isolate a single probable cause of the whole infection: just before the Soho epidemic had occurred, a child living at number 40 Broad Street had been taken ill with cholera symptoms, and its nappies had been steeped in water which was subsequently tipped into a leaking cesspool situated only three feet from the Broad Street well.

Whitehead’s findings were published in The Builder a year later, along with a report on living conditions in Soho, undertaken by the magazine itself. They found that no improvements at all had been made during the intervening year. “Even in Broad-street it would appear that little has since been done… In St Anne’s-Place, and St Anne’s-Court, the open cesspools are still to be seen; in the court, so far as we could learn, no change has been made; so that here, in spite of the late numerous deaths, we have all the materials for a fresh epidemic… In some [houses] the water-butts were in deep cellars, close to the undrained cesspool… The overcrowding appears to increase…” The Builder went on to recommend “the immediate abandonment and clearing away of all cesspools — not the disguise of them, but their complete removal.”

Nothing much was done about it. Soho was to remain a dangerous place for some time to come.

John Snow didn’t shy away from politics. He was successful in getting the local politicians to agree to his first experiment, which was successful in helping end that outbreak of cholera. He even drew his biggest opponent into doing research, which ended up confirming Snow’s epidemiological diagnosis and extending it further to find the original probable source of infection of the well. But even that didn’t suffice for motivating enough political will to fix the problem.

From which I draw two conclusions:

  1. Even John Snow is over-rated. Sure, he found the problem, but he didn’t get it fixed longterm.

  2. Why not? Because that would require ongoing monitoring of likely sources of infection (which sort of happened) compared to actual incidents of disease (which does not appear to have happened), together with eliminating the known likely sources.
Eliminating likely known sources is what Dr. Gawande’s checklist is about, 150 years later, which was my original point. And the ongoing monitoring and comparisons appear not to be happening, even yet.

As someone at Metricon said, who will watch the watchers? I responded, yes, that’s it!

One-shot longitudinal studies can create great information. That’s what John Snow did. That’s what much of scientific experiment is about. But even when you repeat the experiment to confirm it, that’s not the same as ongoing monitoring. And it’s not the same as checklists to ensure application of what was learned in the experiment.

What is really needed is longitudinal experiments combined checklists, plus ongoing monitoring, plus new analysis derived from the monitoring data. That’s at least four levels. All of them are needed. Modern medicine often only manages the first. And in the case of high fructose corn syrup (HFCS), until recently even the first was lacking, and most of the experiments that have happened until very recently have not come from the country with the biggest HFCS health problem, namely the U.S. A third of the entire U.S. population is obese, and another third is overweight, with concomittant epidemics of heart disease, diabetes, and high blood pressure. And the medical profession prescribes statins for life instead of getting to the root of the problem and fixing it.

Yes, I think the field of medicine gets rated too much green for good.

And if IT security wants to improve its own act, it also needs all four levels, not just the first or the second.


Crossing the Street in Cyberspace: Michael Kaiser and the National Cyber Security Alliance

If you grew up in a small town, you’d likely cross the street without stopping to look each way. Try that in New York City, and you’ll end up in the hospital. Similarly, most of us grew up in meatspace and clicking on any old link in cyberspace often ends up with our bank account in the hospital.

OK, that was my mangled simile, but it illustrates what Michael Kaiser and the National Security Alliance are trying to do: educate the public about what to do and not do in cyberspace without losing their audience with technical details or lengthy pedantic instructions. In his talk at APWG he had all sorts of interesting points, such as address different audiences (K-12, small business, elderly, etc.) differently, and that it’s not just unlearning bad habits (including ones that would be good habits in other contexts), it’s teaching good habits. ANd changing habits of any kind requires repetition and persistence. As Kaiser said, look at the CDC and its ongoing campaigns of prevention of HIV, domestic violence, etc.

Personally, I think staysafeonline.org could use more graphics and less text, or, more importantly, more storyline. It seems a tad pedantic to me. More poets in prevention! Or more marketing in staying safe. Or something.

But it’s a useful site already.

MySpace Anti-Phishing

Shing Yin Khor of Fox Interactive Media, which owns MySpace, gave an entertaining talk at APWG in which she gave a good case that MySpace has mostly eliminated phishing ads on MySpace and is busily suppressing other phishing.
Throwing money at the issue of phishing actually works.
MySpace’s anti-phishing forces include former law enforcement people, including a former federal and state prosecutor, a former L.A. D.A., and a former FBI agent. They have successfully sued spam king Scott “ringtones” Richter and his CPA empire.

MySpace does have an advantage in actually hosting all displays and messages. It’s good to be a many-hundred-million shopping mall. She didn’t say that; I did. She did say they use MySpace specific measures such as education via Tom’s profile. Tom was one of the founders of MySpace. Every new user gets Tom as a friend, so his online persona (pictured) has 240 million friends, so that’s a channel that reaches most of their users. She did say:

Education is just as important as technical measures.
What works on MySpace will work on other social network sites.

But Shing’s theme of pro-active measures against phishing and spam is one other organizations could take to heart. Don’t think you can do nothing: you can.

Of course, if you have fewer than 200 million users, you may want to band together with other organizations, for example by joining APWG. Even MySpace does.

Logging to Fund Firefighting?

CommunityForestry.jpg Got too many wildfires and need somebody to pay?
The forest service’s reasoning is simple: sell trees to loggers, use the money to clear areas of potential fire fuel. What the loggers cut can be potential fuel. With one sale, a fire hazard can be removed and the agency paid so it can remove more fuel.

US judges order stop to California logging projects, McClatchy newspapers, guardian.co.uk, Thursday May 15 2008

The federal Ninth District Court didn’t think that was so clever, or at least not so legal, and also not the only way:
Two for one always has an attractive ring. But are there no alternative ways of getting money to do the clearing that is imperative? Obviously, there may be. First of all, there is the USFS’s own budget. Does that budget contain any funds that could be devoted to fuel removal? Is every one of its activities so necessary and so tightly allocated that no money could be shifted? We do not know the answer because this alternative has not been explored.

Suppose that the USFS and its parent, the Department of Agriculture, cannot spare a dime. What then? Appropriate appropriations come from Congress. The work of fire prevention is work of the first importance. If the USFS does not have enough, why should not Congress be asked to give it more? Surely the avoidance of catastrophic fire in the national forests must rate a high priority among the needs of the nation.

No. 07-16892 D.C. No. CV-05-00205-MCE, United States Court of Appeals for the Ninth Circuit, 14 May 2008

Coming soon: eating seed corn to prevent hunger, credit card debt to get rich, and other clever risk management strategies.