Happy Independence Day!

Since 2005, this blog has had a holiday tradition of posting “The unanimous Declaration of the thirteen united States of America.” Never in our wildest, most chaotic dreams, did we imagine that the British would one day quote these opening words:

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation. [Ed: That article is jargon-laden, and interesting if you can wade past it.]

So, while it may be chaotic in the most negative of senses, there’d be some succor should we see a succinct success as England secedes from the United Kingdom. Of course, London, West-Virginia-style, secedes from said secession. Obviously, after this, the United Kingdom of Scotland, Northern Ireland and London should remain a part of the EU, dramatically simplifying the negotiation.

Or, perhaps, in light of the many British who were apparently confused about the idea that Leave meant Leave, or the 2% margin of the vote, it would be reasonable and democratic to hold another election to consider what should happen. A problem with democracy is often that a majority, however slim, votes in a way that impacts the rights of a minority, and, whilst we’re waxing philosophic, we would worry were the rights of that minority so dramatically impacted as the result of a non-binding vote. Perhaps a better structure to reduce chaos in the future is two votes, each tied to some super-majority. A first to negotiate, and a second to approve the result.

It doesn’t seem like so revolutionary an idea.

An Infosec lesson from the “Worst Play Call Ever”

It didn’t take long for the Seahawk’s game-losing pass to get a label.

But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game in which the Patriots had no interceptions, it was worth the extra play before the clock ran out.

We can all see the outcome, and we judge, post-facto, the decision on that.

Worst play call ever

In security, we almost never see an outcome so closely tied to a decision. As Jay Jacobs has pointed out, we live in a wicked environment. Unfortunately, we’re quick to snap to judgement when we see a bad outcome. That makes learning harder. Also, we don’t usually get a chance to see the logic behind a play and assess it.

If only we had a way to shorten those feedback loops, then maybe we could assess what the worst play call in infosec might be.

And in fact, despite my use of snarky linkage, I don’t think we know enough to judge Sony or ChoicePoint. The decisions made by Spaltro at Sony are not unusual. We hear them all the time in security. The outcome at Sony is highly visible, but is it the norm, or is it an outlier? I don’t think we know enough to know the answer.

Hindsight is 20/20 in football. It’s easy to focus in on a single decision. But the lesson from Moneyball, and the lesson from Pete Carroll is Really, with no second thoughts or hesitation in that at all.” He has a system, and it got the Seahawks to the very final seconds of the game. And then.

One day, we’ll be able to tell management “our systems worked, and we hit really bad luck.”

[Please keep comments civil, like you always do here.]

Thoughts on the Tragedies of December 14th

I started this post on December 14th, and couldn’t finish it. I’m going to leave the opening as I wrote it then: By now, everyone has heard of the tragic school shooting in Connecticut. My heart goes out to everyone touched by the events. But this isn’t the first school shooting on a December 14th. I went to a tiny school, Simon’s Rock, and on December 14, 1992, Wayne Lo murdered my friend Galen Gibson and Professor Ñacuñán Sáez. He also shot my friend Tom McElderry. I can still remember the phone call from my friend Chi, telling me that Tommy had been shot and was in the hospital. I remember being up all night, spreading what little information we had by phone, and wondering what the hell was going on. I remember that weeks later, I’d get emails from co-workers whose local papers in places like Japan finally carried the story. For years after, I took December 14th as a day off, because it was hard to handle life with that weighing on you.

It’s a sad reality that we now have enough school shootings that one of them was going to fall on an anniversary of another. (Statisticians call this the birthday problem.) It’s also a sad reality that we have enough of them that schools, police and emergency responders have plans for them.

What a fucking world.

Some people like to say things like “time heals all wounds,” but you know? Greg Gibson isn’t going to get his son back. Ñacuñán’s family isn’t going to get him back. And twenty or more families in Sandy Hook will never again be the same. I’m having trouble editing this more than a month later because of how the memories flood back.

All that to say that I have some understanding of these events, and I think I can talk about them differently than a random observer.

A lot of people are using this tragedy to say we need gun control. I understand where they’re coming from, and I disagree. We’ve had a lifetime of marijuana control, and it didn’t work. We suffered under crypto controls, and they didn’t work. Assholes who want a gun will likely to be able to get a gun whatever regime we put in place. There’s some truth to the claim that if guns are outlawed, only outlaws will have guns. Maybe we’d gain some ability to catch these nuts early, but maybe not. Those who say that easy availability of guns drives murder rates must do better than simply cherry picking data. What makes the US worse than Switzerland or Israel?

Yesterday, the President outlined a set of proposals including expanded background checks, and signed executive actions including one to “encourage federal agencies and state governments to share more information.” And now I find it hard to speak, and hard to remain silent.

Infringing privacy would not have stopped the events at Sandy Hook, and I worry that reducing privacy around mental health care is going to deter people who need health care from getting it. That may mean that more people will end up hurt or dead. I’m confident that no one wants that, and we need to rationally consider the tradeoff.

I also see a lot of people who are worried about gun control being so strident that they’re undercutting their own case. I agree that gun control is a poor response, and I think the NRA are coming off like a bunch of idiots. I’m trying not to be strident, just add a voice to say that even from a position of grief, it’s possible to see that what’s proposed probably will not meet the goals.

I don’t know what we should do. I do think that taking the entire TSA budget and moving it to mental health care would be a fine start.

Another fine way to proceed would be to threat model and try to judge the efficacy of the mitigation techniques. (For those who don’t know me, I spent a few years designing threat modeling tools and techniques which you can read about here.) Perhaps that starts from data on how people who use guns to hurt themselves or others get them. There’s an easy trope of “buys a gun and shoots someone.” Is that because it’s common, or because the stories are highly “available” and spring to mind? I don’t know, and in that vein, more studies of gun ownership and gun violence are probably going to help. Whatever approach to threat modeling we take should also include the hundreds of millions of guns owned by hundreds of millions of people and not misused.

We can and should do better than bringing back ideas that didn’t pass muster in calmer times. We should be cautious about trading a little liberty for a little safety. And whatever we do, we should do so respectful of the victims.

Comments are closed.

Paul Ryan open thread

Oh, what the heck, it hasn’t been chaotic enough around here. So, I’ll give you a topic: Paul Ryan. Commentary from The Economist starts:

IN THE polarised world of American politics, achieving bipartisan agreement on any topic is a rare feat nowadays. So perhaps it’s worth celebrating the fact that, had it been put to a vote, the pick of Paul Ryan as Mitt Romney’s running-mate likely would’ve gained support from both parties.

Please, continue. Was it a hail mary move? Will Ryan energize the Republican base enough to get out more votes? Will he drive votes to the Democrats?

What do you think?

Oh, and bonus points if you can tie in internet security.

Seattle in the Snow

Seattle snow (From The Oatmeal.)

It’s widely understood that Seattle needs a better way to measure snowfall. However, what’s lacking is a solid proposal for how to measure snowfall around here. And so I have a proposal.

We should create a new unit of measurement: The Nickels. Named after Greg Nickels, who lost the mayorship of Seattle because he couldn’t manage the snow.

Now, there’s a couple of ways we could define the Nickels. It could be:

  • The amount of snow needed to cost a Mayor 10 points of approval rating
  • The amount of snow needed to cause a bus to slide down Olive way and teeter over the highway
  • 2 millimeters
  • Enough snow to reduce the coefficient of city road friction by 1%.

I’m not sure any of these are really right, so please suggest other ways we could define a Nickels in the comments.

Niels Bohr was right about predictions

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I figured I’d share.

With minor formatting changes, the following is from my email of April, 2010.

Prediction 1

Regulation E style accountholder liability limitation will be extended
to commercial accountholders with assets below some reasonably large
value by 12/31/2010.

Why:  ACH and wire fraud are an increasingly large, and increasingly
public, problem.  Financial institutions will accept regulation in order
to preserve confidence in on-line channel.


Prediction 2

An episode of "state-sponsored SSL certificate fraud/forgery" will make
the public press.

Why: There is insufficient audit of the root certs that browser vendors
innately trust, making it sufficiently easy for a motivated attacker to
"build insecurity in" by getting his untrustworthy root cert trusted by
default.  The recent Mozilla kerfuffle over CNNIC is an harbinger of
this[1].  Similarly, Chris Soghoian's recent work[2] will increase
awareness of this issue enough to result in a governmental actor who has
done it being exposed.


But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010”, which makes this one WRONG! too.

I was motivated to make this post because I once again came across Soghoian’s paper just the other day (I think he cited it in a blog post I was reading). He really nailed it. I predict he’ll do so again in 2012.

Outrage of the Day: Police Violence

When the LAPD finally began arresting those of us interlocked around the symbolic tent, we were all ordered by the LAPD to unlink from each other (in order to facilitate the arrests). Each seated, nonviolent protester beside me who refused to cooperate by unlinking his arms had the following done to him: an LAPD officer would forcibly extend the protestor’s legs, grab his left foot, twist it all the way around and then stomp his boot on the insole, pinning the protestor’s left foot to the pavement, twisted backwards. Then the LAPD officer would grab the protestor’s right foot and twist it all the way the other direction until the non-violent protestor, in incredible agony, would shriek in pain and unlink from his neighbor.

It was horrible to watch, and apparently designed to terrorize the rest of us. At least I was sufficiently terrorized. I unlinked my arms voluntarily and informed the LAPD officers that I would go peacefully and cooperatively. I stood as instructed, and then I had my arms wrenched behind my back, and an officer hyperextended my wrists into my inner arms. It was super violent, it hurt really really bad, and he was doing it on purpose. When I involuntarily recoiled from the pain, the LAPD officer threw me face-first to the pavement. He had my hands behind my back, so I landed right on my face. The officer dropped with his knee on my back and ground my face into the pavement. It really, really hurt and my face started bleeding and I was very scared. I begged for mercy and I promised that I was honestly not resisting and would not resist.

Go read My Occupy LA Arrest, by Patrick Meighan

What’s Wrong and What To Do About It?

Pike floyd
Let me start with an extended quote from “Why I Feel Bad for the Pepper-Spraying Policeman, Lt. John Pike“:

They are described in one July 2011 paper by sociologist Patrick Gillham called, “Securitizing America.” During the 1960s, police used what was called “escalated force” to stop protesters.

“Police sought to maintain law and order often trampling on protesters’ First Amendment rights, and frequently resorted to mass and unprovoked arrests and the overwhelming and indiscriminate use of force,” Gillham writes and TV footage from the time attests. This was the water cannon stage of police response to protest.

But by the 1970s, that version of crowd control had given rise to all sorts of problems and various departments went in “search for an alternative approach.” What they landed on was a paradigm called “negotiated management.” Police forces, by and large, cooperated with protesters who were willing to give major concessions on when and where they’d march or demonstrate. “Police used as little force as necessary to protect people and property and used arrests only symbolically at the request of activists or as a last resort and only against those breaking the law,” Gillham writes.

That relatively cozy relationship between police and protesters was an uneasy compromise that was often tested by small groups of “transgressive” protesters who refused to cooperate with authorities. They often used decentralized leadership structures that were difficult to infiltrate, co-opt, or even talk with. Still, they seemed like small potatoes.

Then came the massive and much-disputed 1999 WTO protests. Negotiated management was seen to have totally failed and it cost the police chief his job and helped knock the mayor from office. “It can be reasonably argued that these protests, and the experiences of the Seattle Police Department in trying to manage them, have had a more profound effect on modern policing than any other single event prior to 9/11,” former Chicago police officer and Western Illinois professor Todd Lough argued.

Former Seattle police chief Norm Stamper gives his perspective in “Paramilitary Policing From Seattle to Occupy Wall Street“:

“We have to clear the intersection,” said the field commander. “We have to clear the intersection,” the operations commander agreed, from his bunker in the Public Safety Building. Standing alone on the edge of the crowd, I, the chief of police, said to myself, “We have to clear the intersection.”


Because of all the what-ifs. What if a fire breaks out in the Sheraton across the street? What if a woman goes into labor on the seventeenth floor of the hotel? What if a heart patient goes into cardiac arrest in the high-rise on the corner? What if there’s a stabbing, a shooting, a serious-injury traffic accident? How would an aid car, fire engine or police cruiser get through that sea of people? The cop in me supported the decision to clear the intersection. But the chief in me should have vetoed it. And he certainly should have forbidden the indiscriminate use of tear gas to accomplish it, no matter how many warnings we barked through the bullhorn.

My support for a militaristic solution caused all hell to break loose. Rocks, bottles and newspaper racks went flying. Windows were smashed, stores were looted, fires lighted; and more gas filled the streets, with some cops clearly overreacting, escalating and prolonging the conflict. The “Battle in Seattle,” as the WTO protests and their aftermath came to be known, was a huge setback—for the protesters, my cops, the community.

Product reviews on Amazon for the Defense Technology 56895 MK-9 Stream pepper spray are funny, as is the Pepper Spraying Cop Tumblr feed.

But we have a real problem here. It’s not the pepper spray that makes me want to cry, it’s how mutually-reinforcing up a set of interlocking systems have become. It’s the police thinking they can arrest peaceful people for protesting, or for taking video of them It’s a court system that’s turned “deference” into a spineless art, even when it’s Supreme Court justices getting shoved aside in their role as legal observers. It’s a political system where we can’t even agree to ban the TSA, or work out a non-arbitrary deal on cutting spending. It’s a set of corporatist best practices that allow the system to keep on churning along despite widespread revulsion.

So what do we do about it? Civil comments welcome. Venting welcome. Just keep it civil with respect to other commenters.

Image: Pike Floyd, by Kosso K

Slow Thoughts on Occupy Seattle

Corporate ThievesI headed down to Occupy Seattle before a recent vacation, and have been mulling a bit on what I saw, because the lack of a coherent message or leadership or press make it easy to project our own opinions or simply mis-understand what the “Occupy” protests mean, and I wanted to avoid making that mistake. I think I saw two big themes there: an anti-war theme, and a combination of anti-capitalism and anti-corporatism. I think the second is more interesting, because it’s a combination of views, some of which I support, and others I think are somewhat foolish.

I think capitalism is a good thing. I’ve taken a salary from (venture) capitalists who were able to pay me because they captured “surplus value” from startups, and ploughed some of that profit back into more startups. I use the Marixst term of “surplus value” because I understand the Marxist critique, have lived it, and still think it’s a better system than all those others that have been tried from time to time. (I also think that Marx’s critique of capitalism is excellent, and even more so in light of the poorness of his suggested fixes.) The accumulation of capital in private hands greatly expands the range of entrepreneurship, allowing new products and services to emerge. And for those new products to succeed, they need to serve needs better than what preceded them. So we all benefit to a degree from the capital that accumulates in the hands of investors (even with the costs of creative destruction and externalities.)

At the same time, I think that there’s an emergent system of what we might call corporatism that I think is incompatible with a free society, and is in fact incompatible with free markets. By a free market, I mean one in which people contract with each other and with companies, and the court system enforces fair and predictable limits on those contracts. Fair limits might include that the parties came to a genuine meeting of the minds before exchanging value, that contracts are severable (so no indentured servitude or slavery), that interpretation favors the party that received the contract (rather than the drafter), and that neither party engaged in deceit in advertising their services.

Corporatism, at its heart, involves twisting the free market via government intervention in a number of ways:

  • Lobbying for rules that allow the company to exclude competition. See, for example, AT&T’s gradual re-monopolization of the phone system.
  • Manipulations of the contract system in ways which prevent fair redress. These include mandatory binding arbitration, prohibition of class action suits, clauses that allow the contract to remain in force even if the drafter puts in many clauses which shock the conscience of a court.
  • Un-knowable systems (in particular, the American credit system) in which companies work together to ensure that you do what they demand, even if it’s wrong, because if you don’t, they will destroy your ability to contract with anyone else on fair terms.
  • Convincing the government to take all the downside risk and none of the upside of the banking crisis, and then failing to prosecute those who enriched themselves via a game they knew full well was rigged.

Corporatism comes from the discovery that rules and meta-rules (the rules that are used to set the rules) are manipulatable. Of course, this is nothing new:

“People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public, or in some contrivance to raise prices. It is impossible indeed to prevent such meetings, by any law which either could be executed, or would be consistent with liberty and justice.” (Smith, “The Wealth of Nations.”

There were a good number of frankly anti-capitalist signs and groups at Occupy Seattle. It’s a free country, they’re entitled to their opinion, and I can disagree.

But they were not the only signs. I saw lots of signs which seemed to take aim at the unaccountable: the bankers, the corporations (“I won’t believe that corporations are people until Texas executes one”). And I think that responses to currently unaccountable corporatism is going to be one of the key outcomes of the Occupy Movement.

Email chaos: How to reach Adam Shostack

The servers that host my personal email have been taken offline by a surprise attack by the evil forces of snow and ice, and my email is likely to start bouncing soon.

If you need to reach me, you can use nameofthisblog @ google, or first.last @ microsoft. You can also ask me to follow you on Twitter (@adamshostack) and we can talk in very short fragments.

I apologize for the inconvenience.

Sleepless in Seattle?

Reportedly, Seattle police have begun issuing tickets to drivers who honk their horns after 10 PM in support of the Occupy protest there.

To the extent that the police are only doing this to those expressing a specific point of view, there seems to be a legitimate issue. I am certain that the police would say they’d enforce the law equally, but it’s just that all the honking is for Occupy support.

If I were a Seattle prankster, I’d have a “Honk if you support law enforcement” sign made, and test that claim in whatever passes for a conservative ‘hood out there.

Egypt and Information Security

Yesterday, I said on Twitter that “If you work in information security, what’s happening in Egypt is a trove of metaphors and lessons for your work. Please pay attention.” My goal is not to say that what’s happening in Egypt is about information security, but rather to say that we can be both professional and engaged with the historic events going on there. Further, I think it’s important to be engaged.

A number of folks challenged me, for example, “Care to enumerate some of those lessons? The big ones I see are risks of centralized bandwidth control, lack of redundant connections.”

There’s a number of ways that information security professionals can engage with what’s happening.

A first is to use what’s happening to engage on security issues with their co-workers and management on issues like employee safety, disaster recovery and communications redundancy and security. This level of engagement is easy, it’s not political, but it uses a story in the news to open important discussions.

A second way is to use Egypt as a source of what-if scenarios to test those sorts of plans and issues. This gives strong work justification to tracking and understanding what’s happening in Egypt in detail.

A third way is to use Egypt as a way to open discussions of how our technologies can be used in ways which we don’t intend. Often times, security technologies overlap with the ability to impose control on communications. Sometimes, for example with Tor, they can be used to protect people. Other times, they can be used to cut off communications. These are difficult conversations, fraught with emotion and exposing our deep values. But they are difficult because they are important and meaningful. Oftentimes, we as technologists want to focus in on the technology, and leave the societal impact to others. I think Egypt offers us an opportunity to which we can rise, and a lens for us to engage with these questions in the technologies we build or operate.

There’s probably other ways as well, and I’d love to hear how others are engaging.

A few thoughts on chaos in Tunisia

The people of Tunisia have long been living under an oppressive dictator who’s an ally of the US in our ‘war on terror.’ Yesterday, after substantial loss of life, street protests drove the dictator to abdicate. There’s lots of silly technologists claiming it was twitter. A slightly more nuanced comment is in “Sans URL” Others, particularly Jillian York, said “Not Twitter, Not WikiLeaks: A Human Revolution.” Ethan Zuckerman had insightful commentary including “What if Tunisia had a revolution, but nobody watched?” and “A reflection on Tunisia.”

That conversation is interesting and in full swing. What I want to ask about is the aftermath and the challenges that Tunisia faces. After 24 years of oppression, it’s going to be hard to build the political structures needed to create a legitimate and accepted government.

The American revolution came after years of discussion of British abuses of power. American perceptions of abuses of power like the Stamp Act combined with slow communication to the King and fast local communication to create a local political class that could assemble in a continental congress. Even so, after the American revolution, we had one entirely failed government under the Articles of Confederation, which was replaced with our current Constitution. But that was followed by the whiskey rebellion.

I bring this up because it’s easy to focus on the mechanics of government while forgetting about the soil in which it grows. Perhaps the digital world, with its ability to connect Tunisians to people living in places where we’ve worked these things out, will help. (For those foreigners who speak Arabic, or those Tunisians who speak other languages.) I’m not terribly optimistic in light of the shootings in Arizona and how quickly the online discourse devolved into “why this tragedy proves I’m right.” I’m also not optimistic given our poor understanding of our history.

I am, however, hopeful that the people of Tunisia will manage to take a collective break from the violence for long enough to work out a Tunisian approach to democracy. What would that look like? Would technology play a role?