Who should be punished for torture?

Normally, I try to post funny bits over the weekend, but I can’t let this week’s news slip by.

I have deeply mixed feelings about how to handle those who tortured. On the one hand, they were only following orders. On the other hand, they were following orders which clearly required contortions to see as legal. Soldiers also have a duty to disobey manifestly illegal orders.

  • “The OLC Memos” by Gerard Magliocca analyses the analysis, and finds it wanting. (Concurring Opinions)
  • “A History of Coercive Interrogation” is Will Levi’s summary of his forthcoming Yale Law Journal article on “Interrogation’s Law.” From the abstract: “Conventional wisdom [is] U.S. authorization of coercive interrogation techniques, and the legal decisions that sanctioned them, constitute a dramatic break with the past. This is false.”
  • At Obsidian Wings, Hilzoy makes “The Obvious Comparison” for one newly revealed technique.
  • “Torture and ‘laying blame for the past’” is Sonja Starr’s analysis of the Convention Against Torture, which seems to require prosecution. By this analysis Obama’s dichotomy of “reflection, not retribution” is the wrong one. The correct one is “do we start obeying the laws we passed, or not?” (Concurring Opinions)
  • “The Unreleased Torture Memo” by David Luban has a quite cutting response to the “second-guessing argument” at Balkinization.

As I said, I have mixed feelings about the perhaps legally required prosecution of those who tortured. My feelings about those who authorized it are more varied: they range from hanging to extraordinary rendition under the standards they claimed as legal.

Please keep comments as civil as is reasonable for the topic.

Off to the Moscone Center

Every year around this time, thousands of people converge on the Moscone Center in San Francisco for RSA. I had never given much thought to who Moscone was–some local politician I figured.


I first heard about Harvey Milk in the context of the Dead Kennedys cover of I Fought The Law:

The law don’t mean shit if you’ve got the right friends
That’s how this country’s run
Twinkies are the best friend I’ve ever had
I fought the law
And I won


I blew George and Harvey’s brains out with my six-gun
I fought the law and I won

I learned about Harvey Milk, but didn’t really remember George. I learned who he was from Milk, the movie.

When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in context of human life. Most hacking incidents are annoying, some have real financial impact, and some few have the potential to do real and irreparable harm.

So as we go to the Moscone Center, remember the murders committed by an authorized entrant into city hall. When you hear someone talking about the absolute catastrophe that getting hacked might be, put it in context, and remember George Moscone and Harvey Milk.

The New School Blog

I’m really excited to announce NewSchoolSecurity.com, the blog inspired by the book. I’ll be blogging with Alex Hutton, Chandler Howell and Brooke Paul. And who knows, maybe we’ll even get a post or two from Andrew?

Emergent Chaos will continue. My posts here will be a little more on the privacy, liberty and economics end of things, with my technical and business security posts split between here and The New School.

All that said, I’ve posted the followup to “Security is about outcomes, not about process” on The New School, which you can read at “Events don’t happen in a Vacuum.”

Security is about outcomes, not about process

Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology.

Security is about outcomes, and our perceptions, beliefs and assurance about those outcomes.

Here’s a quick gut check: which would you rather tell the board or your customers? (1) “We had no security incidents last year, and aren’t sure why,” or (2) “Our customer database was pillaged 9 times, despite a cross-organizational investment in ISO 27001 which was aligned with our balanced scorecard and measured to be in the top quartile of all infosec programs?”

However people orient themselves around security, what they worry about is not “does the organization follow COBIT or ITIL?” but, “will they protect the information I’m giving them?”

Across the variety of orientations which exist within security, outcomes are what counts. Some examples:

  • Compliance officers want to keep the CEO out of jail. All the process in the world is useful to them because when they fail, they can talk about their plans for correcting that.
  • Applied researchers ask “did you pwn it?” They’re concerned with testing a hypothesis, which is “this system resists this type of attack.”
  • Law enforcement wants to catch the bad guy (or gal). Much of the friction between civil libertarians and law enforcement comes from a conflict about prioritization of goals.

We’ve focused on process because we have so little data on outcomes. People will talk about their training processes. But when you ask them “did that process work?”, no one wants to say.

For us to mature as a discipline and as part of the organizations we support, we must go from talking about what might happen to what does happen.

It’s hard to change a market


This is quite possibly the DEA’s greatest success in disrupting the supply of a major illicit substance. The focus on disrupting the supply of inputs rather than of the drug itself proved extremely successful. This success was the result of a highly concentrated input supply market and consequently may be difficult to replicate for drugs with less centralized sources of supply, such as cocaine and heroin. That this massive market disruption resulted in only a temporary reduction in adverse health events and drug arrests and did not reduce property and violent crimes, is disappointing. (italics added)

So reads the conclusion to “Methamphetamine, Public Health and Crime.”

Anyone watching our 40-year futile war on drugs has to see this. But we’re locked into it for all sorts of reasons. What security measure is the best analog for this? Expensive, intrusive, and ultimately futile?

Via Marginal Revolution.

Research Revealed Track at RSA

For the past few months, I’ve been working with the folks at the RSA Conference to put together a track entitled “Research Revealed.” Our idea is that security needs to advance by getting empirical, and bringing in a wide variety of analytic techniques. (Regular readers understand that Andrew Stewart and I brought these ideas together in a book, “The New School of Information Security.”)

The content is really exciting. From the opening with a top-rated speaker, Betsy Nichols, who’ll be talking about “Crunching Metrics from Public Security Data,” continuing to Gene Kim’s talk about applying real analysis of practice to virtualization, and a great panel talking about lessons learned from Election 2008, this track is just packed with hard facts and practical analysis.

Because I’m so excited by this, I’ve put the data into a Research Revealed .ics file you can use to bring these into your calendar.

I also extracted this table from the RSA website (it was hard to link), so you can easily see the track:

| Session ID | Title | Classification | Session Type | Scheduled Date/Time | Speaker(s) (title, affiliation) |
|---|---|---|---|---|---|
| RR-105 | Crunching Metrics from Public Security Data | Advanced | Track Session | Tuesday, April 21, 01:30 PM | CTO, PlexLogic |
| RR-106 | Controlling Virtualization Security Risks: Tips from the Experts | Intermediate | Track Session | Tuesday, April 21, 03:00 PM | CTO, Tripwire |
| RR-107 | Technology Lessons Learned from Election 2008 | Advanced | Track Session | Tuesday, April 21, 04:10 PM | Senior Computer Scientist, SRI International; Chief Technology Officer, Open Source Digital Voting Foundation; Associate Professor, Rice University; Associate Professor, University of California, Berkeley; Associate Professor, University of Iowa |
| RR-108 | Security Risk Metrics: The View from the Trenches | Intermediate | Track Session | Tuesday, April 21, 05:40 PM | CTO, RedSeal Systems |
| RR-201 | Fraud Management Strategies of North American Financial Institutions | Intermediate | Track Session | Wednesday, April 22, 08:00 AM | Senior Analyst, Aite Group |
| RR-202 | Data Sources, Methods, and Challenges | Not Rated | Track Session | Wednesday, April 22, 09:10 AM | CEO, The Security Consortium, Inc.; Program Manager, Microsoft Corporation; Professor of Computer Science, University of Pennsylvania; CTO, PlexLogic; CTO, Cigital |
| RR-203 | Why Software is Still Insecure: Conclusions from a Ten-Year Study | Advanced | Track Session | Wednesday, April 22, 10:40 AM | Research Director, Secure Content and Threat Management Products, IDC; CEO, Security Innovation |
| RR-301 | Into the Breach: An Analysis of Attack Data Trends | Intermediate | Track Session | Thursday, April 23, 08:00 AM | Software Engineer, Google; Information Security Manager, Google |
| RR-302 | Best Practices for Mitigating Insider Threat: Lessons Learned from 250 Cases | Advanced | Track Session | Thursday, April 23, 09:10 AM | Senior Member of the Technical Staff, Carnegie Mellon Software Engineering Institute; Technical Manager, Carnegie Mellon Software Engineering Institute |
| RR-303 | Using Science to Battle Data Loss: Analyzing Breaches by Type and Industry | Intermediate | Track Session | Thursday, April 23, 10:40 AM | Founder, Interhack Corporation |
| RR-304 | Cyber Warfare: Technology, Law and Ethics | Advanced | Track Session | Thursday, April 23, 02:10 PM | Professor and Program Coordinator, Sheridan Institute of Technology and Advanced Learning |
| RR-401 | The Data-Driven CSO: Steering Clear of Security Breaches | Intermediate | Track Session | Friday, April 24, 09:00 AM | Vice President of Technology & Innovation, Verizon Business |
| RR-402 | Closed-Loop Information Assurance | Advanced | Track Session | Friday, April 24, 10:10 AM | Principal, Treadstone 71 |
| RR-403 | Applying Pattern Recognition in SOD, Fraud or GRC-Related Violations | Advanced | Track Session | Friday, April 24, 11:20 AM | Software Development Director, Oracle |