[SecurityRatty] tag: yorker

Dead Possum Patrol Aided by NYC Wireless Network

Fri, 27 Jun 2008 15:54:02 +0000

I'm going for the sensational in the headline, but it's part of the story's intro, too: The New York Times reports on some early uses of the city's $500m wireless network designed for non-public uses. The network uses UMTS over licensed spectrum specifically devoted the city's municipal and public safety purposes.

One of the projects leaders uses terms that should warm every New Yorker's heart, if he or she knew what they meant. IT head Paul Cosgrave says the system will overcome silos, an often disparaging term for the separation of resources across groups that can only expensively be overcome. It's the government and business equivalent of the academic problem of a lack of cross-discipline focus.

One of the first applications allows sanitation workforce managers a frighteningly precise amount of knowledge about routes, activities, and behavior of trucks in their territory. Let's hope that's not misused! Efficiency is one thing; micro-management is another.

Another project is testing wireless water-meter reading. The city hopes to spend $90 per meter for the upgrade and shed part of a $12.2m contract with Con Edison that covers 850,000 units. What should be useful about this is that problems can be detected by monitoring waterflow patterns, which in turn allows the often huge problems that take months to notice (occurring underground or in basements where rivers formerly flowed) to be stopped before they turn into multi-million-dollar problems for property owners or the city. Anytime anything happens in Manhattan, it's a multi-million dollar problem.

Checklists -The Preserve of the Intelligent

Sun, 17 Feb 2008 04:51:11 +0000

As the New Yorker says “If something so simple can transform intensive care, what else can it do?”. Dennis Groves sent me this article a week ago and I read it twice. Each time I couldn’t stop myself thinking about how many people in the information security industry shun checklists and considering why this is. [...]

The Checklist

Thu, 07 Feb 2008 17:14:00 +0000

Brian Chess wrote about a great article in the New Yorker - "The Checklist." The article is a fantastic read and I highly recommend it, even if you're not interested in medicine. It is well written and quite engaging about how doctors handle a ridiculously complex topic - intensive care.

Like Brian, I was struck by how closely the article can parallel some of the problems we face in trying to develop secure software. I agree with the basic premise of Brian's statement, that a checklist can help in the software development world just like it can in the ICU. I've had great success providing checklists to developers of common areas of concern, areas they need to make sure the document, etc.

Document how you handle authentication. if different from standard X, get a security reviews.
Document how you're handing input filtering. If not the standard library with declarative syntax, document and get a security review.....

You get the picture. You can do similar things with static analyzers for example, and even by tweaking compilers or compile environment to prevent the usage of certain easy to mess-up functions such as strcpy, messed up buffer sizes, etc.

I want to focus on two other items from the article that are worth noting.

Metrics
Processes

Metrics

In the paper the author talks about following the checklist and how it reduced deaths. One thing he never mentions is the cost of following the checklist. I thought it interesting, but I can only assume based on the number of lives saved, and the cost of even a single infection, that the costs of following the checklist are far outweighed by the cost savings. Still, it would have been nice to see a cost comparison between the two.

What is also interesting though is that in the hospital setting its generally quite clear what an adverse event is. We generally know when someone has an infection, we certainly know when someone dies. We do root cause analysis in many cases (though not all) to understand the general cause of death, though when there is an infection for example we don't always get to root cause.

One result of this sort of tracking, is that it occurs within a regulatory framework where hospitals must report their incident rates publicly, and there are agencies within government charged with collecting, monitoring, and even in some cases improving on these measurements and results.

As a result of this public tracking, the key doctor from the paper, Pronovost, was able pretty clearly to tell whether his process changes were having a positive or negative effect. He had lots of public data to draw from, and the incidence rate at any given hospital is large enough that we can start to make valid statistical judgments about the impact of our changes.

Contrast this with software and the differences in both area, and maturity, are quite telling. We don't have any standard measures of success/failure, we don't perform lots of root cause on adverse events, and we don't have public reporting of success and failure. So, we don't have a general body of knowledge that allows us to get better or at least measure how we're doing.

Maybe we ought to have something like that? I wrote about this last year when saying that we ought to have some sort of NTSB for security, or at least for security breaches. Maybe its time we start taking that more seriously?

Processes

I was also struck by one of Pronovost's comments about medicine that I think especially relevant to software security. When asked whether we'd get to the point that checklists are as common as a stethoscope for a Dr, he replied:

"At the current rate, it will never happen,” he said, as monitors beeped in the background. “The fundamental problem with the quality of American medicine is that we’ve failed to view delivery of health care as a science. The tasks of medical science fall into three buckets. One is understanding disease biology. One is finding effective therapies. And one is insuring those therapies are delivered effectively. That third bucket has been almost totally ignored by research funders, government, and academia. It’s viewed as the art of medicine. That’s a mistake, a huge mistake. And from a taxpayer’s perspective it’s outrageous.” We have a thirty-billion-dollar-a-year National Institutes of Health, he pointed out, which has been a remarkable powerhouse of discovery. But we have no billion-dollar National Institute of Health Care Delivery studying how best to incorporate those discoveries into daily practice.

I was reminded of Gunnar's response to the Spaf piece - "Solving the Wrong Problems." I think Gunnar hit it on the head with his criticism of Spaf's piece, and I think the situation is quite similar to the one Pronovost finds in medicine.

For the most part we fail to treat the delivery/creation of software as a science. We do lots of research on languages, we do lots of work on theories of security, and then it all breaks down because we have people implementing the processes, and we don't spend any time on that. Well, at least not in measure to how much we spend on all sorts of other efforts that we don't measure, we aren't sure achieve results, etc.

We know lots about how to theoretically secure things, but we don't know a whole lot about how to get large software development organizations to produce consistently high quality/"secure" software. Heck, we don't even know how to do it if we aren't budget constrained, much less if we are.

To be sure, medicine hasn't solved this problem either, and they aren't dealing with a huge installed base :) They are better at measuring effectiveness, but again they are in a life/death world plus they have the added joy of strict liability. Operating under those conditions they do manage to settle on newer/better techniques pretty quickly, because they are tracking how they are doing, lives are on the line, and they are pretty strongly incented to get it right.

Security vs. Privacy

Tue, 29 Jan 2008 02:21:41 +0000

If there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It's the battle of the century, or at least its first decade.

In a Jan. 21 New Yorker article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all -- that's right, all -- internet communications for security purposes, an idea so extreme that the word "Orwellian" feels too mild.

The article (now online here) contains this passage:

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"

I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining and so on -- do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.

The debate isn't security versus privacy. It's liberty versus control.

You can see it in comments by government officials: "Privacy no longer can mean anonymity," says Donald Kerr, principal deputy director of national intelligence. "Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." Did you catch that? You're expected to give up control of your privacy to others, who -- presumably -- get to decide how much of it you deserve. That's what loss of liberty looks like.

It should be no surprise that people choose security over privacy: 51 to 29 percent in a recent poll. Even if you don't subscribe to Maslow's hierarchy of needs, it's obvious that security is more important. Security is vital to survival, not just of people but of every living thing. Privacy is unique to humans, but it's a social need. It's vital to personal dignity, to family life, to society -- to what makes us uniquely human -- but not to survival.

If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

This essay originally appeared on Wired.com.