As I was reading the (very enjoyable) “To Engineer is Human,” I was struck by this quote, in which Petroski first quotes Victorian-era engineer Robert Stephenson, and then comments:
…he hoped that all the casualties and accidents, which had occurred during their progress, would be noticed in revising the Paper; for nothing was so instructive to the younger Members of the Profession, as records of accidents in large works, and of the means employed in repairing the damage. A faithful account of those accidents, and of the means by which the consequences were met, was really more valuable than a description of the most successful works. The older Engineers derived their most useful store of experience from the observations of those casualties which had occurred to their own and to other works, and it was most important that they should be faithfully recorded in the archives of the Institution.
Today Robert Stephenson would likely express the same hope, mutatis mutandis, about the failure of computer programs and the measures that have been taken to protect them.
Now, Petroski is talking about failures of computers in engineering, rather than the engineering of computers. But I think there’s little doubt that he’d say that the same applies to the engineering of computers. Both the chapter “The limits of design” and the new afterword are worth reading with an eye to what they can teach us about information security and disclosure. Actually, the entire book is worth reading, but the analogies are strongest there.
So if you don’t follow the folks over at OKCupid, you are missing out on some hot data. In case you’re not aware of it, OKCupid is:
the best dating site on earth. Compiling our observations and statistics from the hundreds of millions of user interactions we’ve logged, we use this outlet to explore the data side of the online dating world.
And in their latest post, they explore what brand of camera makes you look good. You should go read “Don’t be ugly by accident.” I’ll wait.
You’re back? Ok. So here, let me lay this out for you. These folks are applying science, not to dating, but to online dating profiles. They’re not slinging some best practice shtick, or re-writing profiles at $50 a pop, they’re telling you exactly what photos work and which ones don’t. How are they doing this? Data. Experiment. Analysis.
I don’t want to understate the importance of finding a good partner, but I will say how sad it is that they have all this data on this highly intimate activity, and we have 2,000 entries in DatalossDB.
If you don’t have time to develop a data-driven, business-focused security strategy, we sympathize. It’s a lot of hard work. So here to help you is “What the fuck is my information security ‘strategy?’”:
Thanks, N!
It’s not just a 3d pie chart with lighting effects and reflection. Those are common. This one has been squished. It’s wider than it is tall.
While I’m looking closely, isn’t “input validation” a superset of “buffer errors,” “code injection,” and “command injection?”
You can get the “Application Security Trends report for Q1-Q2 2010” from Cenzic. I’ve been generally impressed by the founders and other work I’ve seen for a long time, and I look forward to beautiful and effective data presentation in their future reports.
Alex Hutton has an excellent post on his work blog:
Jim Tiller of British Telecom has published a blog post called “Risk Appetite, Counting Security Calories Won’t Help”. I’d like to discuss Jim’s blog post because I think it shows a difference in perspectives between our organizations. I’d also like to counter a few of the assertions he makes because I find these to be misunderstandings that are common in our industry.
“Anyone who knows me or has subjected themselves to my writings knows I have some uneasiness with today’s role of risk. It’s not the process, but more of how there is so much focus on risk as if it were a science – but it’s not. Not even close.”
Let me begin my rebuttal by first arguing that risk management, at its basis, is at least “scientific work”. What I mean by that is elegantly summed up by Eliezer Yudkowsky on the Less Wrong blog. To use Eliezer’s words, I’ll offer that scientific work is “the reporting of the likelihood ratios for any popular hypotheses.”
You should go read “Risk Appetite: Counting Risk Calories is All You Can Do.”
Ireland has proposed a new Data Breach Code of Practice, and Brian Honan provides useful analysis:
The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small amounts of sensitive personal data. Yet, companies who have not taken the appropriate measures will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.
The other benefit I see from this proposed code is how as an industry we all can learn from the mistakes or misfortunes of those who suffer a breach. I believe we would not have as many encrypted laptops and other mobile devices as we do today were it not for the widespread publicity of lost unencrypted devices in the past.
Meanwhile, in the UK, the “Information Commissioner’s Office will not compel companies to report data losses”:
“Under the Data Protection Act organisations have an obligation to ensure that personal information is held securely. We encourage organisations to advise us as soon as they are aware of a data breach which puts their customers at risk,” the ICO said.
“Changes to the law are ultimately a matter for the government. Should legislation be proposed to compel UK organisations to notify people when a data breach occurs, it must be properly considered before it is introduced in the UK.”
Published by adam on June 3, 2010 in Book.
Andrew and I want to say thank you to Dave Marsh. His review of our book includes this:
I’d have to say that the first few pages of this book had more of an impact on me than the sum of all the pages of any other security-related book I had ever read.
It’s really wonderful to hear that our book is still being discovered and having this sort of impact more than two years after we wrote it.
For your consideration, two articles in today’s New York Times. First, “How to Remind a Parent of the Baby in the Car?”:
Infants or young children left inside a vehicle can die of hyperthermia in a few hours, even when the temperature outside is not especially hot. It is a tragedy that kills about 30 children a year, according to the National Safety Council.
…
Janette Fennell is the founder and president of KidsAndCars.org, a safety advocacy group based in Leawood, Kan., that focuses on issues involving children and automobiles. In a telephone interview, Ms. Fennell made her view clear, saying she believed that carmakers must develop reminder devices to warn drivers if a child is left behind.
Second, “The Hard Sell on Salt”:
High blood pressure is rising among adults and children. Government health experts estimate that deep cuts in salt consumption could save 150,000 lives a year.
Bets on which problem is “addressed” first are encouraged in the comments.
There have been a spate of articles lately with titles like “The First Steps to a Career in Information Security” and “How young upstarts can get their big security break in 6 steps.”
Now, neither Bill Brenner nor Marisa Fagan are dumb, but both of their articles miss the very first step. And it’s important to talk about that first step when talking about first steps in a career:
Do something useful.
Some ideas:
- Write a new tool
- Add an awesome UI to an existing tool
- Break something interesting and responsibly disclose it*
- Get more data out there
- Analyze existing data in a new and thought-provoking way
We have enough people in infosec who are famous for being famous, or famous for being controversial. If you want to stand out from the pack, do something to move the field forward. Share useful work.
You’ll stand out a lot better than people adding to the chorus.
* You want to disclose it responsibly because it avoids a whole silly debate which detracts from attention to your work.
Thomas Ricks wrote a blog post on Foreign Policy titled “Another reason to support Obamacare.” In it, he cited a Stars & Stripes report that one out of five veterans under the age of 24 is out of work.
However, Stars and Stripes compares total unemployment to 18-24 male vet unemployment. It took me less than 5 minutes to find the Bureau of Labor Statistics “Employment Situation of Veterans Summary” which states that “Young male veterans (those ages 18 to 24) who served during Gulf War era II had an unemployment rate of 21.6 percent in 2009, not statistically different from the jobless rate of young male nonveterans (19.1 percent)” and “Male veterans age 18 to 24 were more likely to participate in the labor force in 2009 than were their nonveteran counterparts–79.1 percent versus 69.1 percent.” (Emphasis added.)
The only element where veteran unemployment seems statistically worse is recently separated veterans, at 14.7%. However, they’re entering the worst labor market in decades, and there’s fierce competition for every job.
I expect better of the mainstream media, which is evidence that I’m not a Bayesian.