Archive for the ‘blogging’ Category

Saltzer, Schroeder, and Star Wars

Saturday, February 13th, 2010 by adam

When this blog was new, I did a series of posts on “The Security Principles of Saltzer and Schroeder,” illustrated with scenes from Star Wars.

When I migrated the blog, the archive page was re-ordered, and I’ve just taken a few minutes to clean that up. The easiest to read version is “Security Principles of Saltzer and Schroeder, illustrated with scenes from Star Wars.”

So if you’re not familiar with Saltzer and Schroeder:

Let me start by explaining who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schroeder wrote a paper, “The Protection of Information in Computer Systems.” That paper has been referred to as one of the most cited, least read works in computer security history. And look! I’m citing it, never having read it.

If you want to read it, the PDF version (484k) may be a good choice for printing. The bit that everyone knows about is the eight principles of design that they put forth. And it is these that I’ll illustrate using Star Wars. Because let’s face it, illustrating statements like “This kind of arrangement is accomplished by providing, at the higher level, a list-oriented guard whose only purpose is to hand out temporary tickets which the lower level (ticket-oriented) guards will honor” using Star Wars is a tricky proposition. (I’d use the escape from the Millennium Falcon with Storm Trooper uniforms as tickets as a starting point, but it’s a bit of a stretch.)

Security Blogger Awards

Wednesday, February 3rd, 2010 by adam

We’re honored to be nominated for “Most Entertaining Security Blog” at this year’s “2010 Social Security Blogger Awards.” Now, in a fair fight, we have no hope against Hoff’s BJJ, Mike Rothman’s incitefulness, Jack Daniel’s cynicism, or Erin’s sociability.

But, really, there’s no reason for this to be a fair fight.

So we’re asking our readers to help us cheat. For the next month, whenever you see any of the judges (Mike Fratton, Bill Brenner, Kelly Jackson-Higgins and Larry Walsh) buy them a drink, mention how entertaining our story of the day was, and send us the bill.

We thank you. And remember, as you drink to our success, you’re making America stronger, strengthening your community, reducing taxes and fighting terrorism. Future generations will thank you.

Text Size (and testing)

Wednesday, January 27th, 2010 by adam

Thank you for all the feedback in email & comments.

Testing a new font size, feedback is again invited and welcome.

Migration

Sunday, January 24th, 2010 by admin

After more than 5 years, nearly 3,300 posts, and 6,300 comments on Movable Type, we’re migrating the blog to WordPress on a new host.

Please let us know if I broke something.

This is the new machine.

Photo: Face the World with a Peaceful Mind, by Ting Hay.

SearchSecurity Top Stories of 2009 Podcast

Monday, January 4th, 2010 by adam

A few weeks ago, I joined the SearchSecurity team (Mike Mimoso, Rob Westervelt and Eric Parizo) to discuss the top cybersecurity stories of 2009. It was fun, and part 1 is now available for a listen: part 1 (22:58), part 2 is still to come.

Comment Spam

Saturday, January 2nd, 2010 by adam

We’ve been flooded with comment spam. I’ve added one of those annoying captcha things that don’t work, and a mandatory comment confirmation page. Please let me know if you have trouble. Blogname @ gmail.com, or adam @ blogname.com

I think comments are working, but most won’t show up immediately. I’m digging into more effective solutions.

My Open Letter to the New Cyber-Security Czar

Wednesday, December 23rd, 2009 by adam

Is over on the New School blog. “An Open Letter to the New Cyber-Security Czar.”

The Presentation of Self and Everyday Photographs

Monday, October 12th, 2009 by adam

With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography ~~toys~~ tools. You might question this, but I can quit anytime. Really! I even offered to loan my 50mm to a friend for a few days so he could ~~get hooked~~ make an informed decision about buying one.

Now, I know there are lots of people in our communities who post up their photos, and that’s their choice. I like to maintain some privacy-control of how I’m presenting myself. I have posted photos from my trip to South Africa and from the Privacy Enhancing Technologies conference, but those are almost journalistic. There’s something tremendously revealing about what subjects people photograph and share. Go ahead. Look. Ask yourself, who takes pictures like that? Why did they share that? What does it say about them?


Me, I prefer that people focus on my photos for themselves, and not for who I am. And I prefer to present a professional image that’s a carefully cropped subset of the whole.

And what I’m re-discovering is that it’s tremendously hard. A few of the shots at the end of the PETS set are, if I do say so myself, very nice. I have some bald eagles that I shot on Lake Washington while boating with some co-workers. Which stream do those go in?

There’s also a technical hard: I dug into EXIF a fair bit with exiftool, and there are at least two serial numbers in each raw photo. (Camera body and lens. I don’t vouch for completeness, but for a Canon camera, start with exiftool -SerialNumber -InternalSerialNumber -CameraSerialNumber.) If you set IPTC data automatically, you have to remember to strip it. There are micro-variations from manufacture which (supposedly) can be used to fingerprint a lens, but my expectation is that’s complex and requires some reference images. I’m prepared to re-evaluate that exposure when Moore’s Law comes along for a conversation.

Then there’s wanting to be noticed. I remember being a new blogger, and obsessively watching the stats for new links. Compulsively linking to the big bloggers in the hopes of some love. Writing articles to bait some of the carnivals. Linking back whenever someone gave me a link. If I posted the photos (or even a link here), I’d presumably get a fair number of views. Does that do anything for me? Some folks have given me really great feedback and advice, but let’s face it, giving a new photographer advice is hard. There are so many things you could say, and which ones will help them improve? Does this person take feedback well?

Is there a technological approach which might help, with a crowd of photographers who commit to jointly telling the world their nicknames if there’s a decent anonymity set? But really, isn’t that just the old saw about the dancing bear all over again? (And doesn’t it go up against what Bob Blakley was saying? More on that shortly.) So for now, I’m interested: is there a better way to frame this?

Podcasts with Amrit

Friday, September 25th, 2009 by adam

I had fun recording Beyond the Perimeter Episodes 48 and 49 with Amrit.

I think Amrit asked some of the broadest, most complex questions I’ve been asked, and it was hard to keep the episodes short.

Go have a listen!

Renaming the Blog to Emergent Chaos (II)

Sunday, August 23rd, 2009 by adam

A little more seriously, the identity of a blog is constructed between the authors, commenters and readers, and I’m continually amazed by what emerges here.

At the same time, what’s emerging is currently not very chaotic, and I’m wondering if it’s time for some mixing it up. Suggestions welcome.