
Sunday, June 24, 2007
Damn straight
Creativity expert Sir Ken Robinson challenges the way we're educating our children.
Thursday, June 21, 2007
Dear Sirs..
Another bold question if I may. The topic is trust. The subjects are sheeple and computer systems. The framework is IT Security. The context is always changing. The goals are the same. Intent is irrelevant. Miscreants abound.
Excuse me arguing by analogy, but this online age verification system for accessing movie trailers sums up many of the major issues and ignorances in IT Security.
http://blogs.csoonline.com/dirty_trailers_cheap_tricks
As the depth, pace and breadth of technology increases, no one can be expected to be an expert in all the systems and subsystems they use, interface with or build upon. Knowing what's going on 'under the hood' is becoming increasingly abstract and esoteric, especially to the standard consumer of computing resources. The issue is compounded by depth of code, system complexity, legacy systems, and third-party drivers and modules, which are either knowingly or unknowingly part of a solution. Users require protection from both themselves and others while interfacing with systems or when having their information stored or utilised.
Unfortunately global systems span geo-political boundaries: global systems which can be hijacked and used to attack more innocents. (Unfortunately systems will continue to be, or will become, vulnerable over time!) And I am talking about any node here: routers, switches, firewalls and traditional endpoints.
I am leaning towards the belief that more services should be available to end-users in their local cloud. Not necessarily mandated, but available, depending upon the environment. This is a highly complex and potentially volatile area, and arguments abound; however, the question should be 'what's effective?'. DAMN -> fast, reliable and cheap. Though I like reliable!
How can you trust unmanaged systems and users (also known as information processing nodes!)? See previous post.
How can you trust managed systems and users?
How can you trust infrastructure nodes?
Expect them all to fail. Expect them to be compromised. Expect to lose trust in them.
Now where does that leave us?
Let's look at the enforcement points on a simple systems trust model again... See previous post. (I like to think of the diagram as the equivalent of a Feynman diagram for IT Security, tee hee!)
So some stuff to think about. Here's a new acronym/phrase for you akin to SOA (Service Orientated Architecture).
SOV (Service Orientated Vulnerability) can be a compound or blended vulnerability.
SS (Service Surface): interface, network, user, back-end etc.
IS (Interface Surface): a subset of the above which takes into account multiple new input vectors, as the future interface will have more than one API/endpoint/processor per endpoint, utilising new input devices and virtualisation.
Fun, fun, fun.
Every node will be a client.
Every node will be a server.
Every node will be a cache.
So now, do you trust the node, or introduce another trusted node to watch the node?
This could go on ad infinitum. At some point you hope there are enough checks and balances to watch the watchers.
Can we checksum people, anyone?
Schneier gets credit for leading me to the age verification system... http://www.schneier.com/blog/archives/2007/06/age_verificatio.html
This morning, the New York Times has a nice story on gateways to online movie trailers that contain adult content. Trailers online will be preceded by colored tags, just like the green one you see in theaters that indicates the preview is acceptable for anyone watching. A yellow tag indicates the trailer may include PG-13ish content and a red one indicates an R-rated trailer, as it does in theaters, though red tags are rarely used in theaters.
The trailers that appear on the studios' movie sites, the story said, also have time of day restrictions, ostensibly viewable only between 9 p.m. and 4 a.m.
More here
Sunday, June 17, 2007
Friday, June 15, 2007
What does IT Security and a HIV/STD test have in common?
Answers on a S.A.E. ( Self Addressed Email )
Thursday, June 14, 2007
Symbiosis
If one doesn't separate the human from the endpoint system (which is what client side security is really all about), then, and only then, will we make progress in the IT security battle. The human, peripherals and machine comprise the client side endpoint which needs to be protected in its entirety! Now let's think about Integrity, Availability and Confidentiality again.

Aside: Lines are being blurred between the conceptual client and server roles each day. Service orientated enterprise architectures are only a minor part of the puzzle... Let us never forget the users, administrators, operators and developers as part of the overall puzzle. (Or is it a mystery?)

Dorky is right!
IT Security needs more than this Open University style waffle.
I prefer the 'Look Around You' approach to learning ;)
Wednesday, June 13, 2007
A text from the ether
I got this message via text from a friend today:
"How many wasted thought cycles do we have each day, each month, each year, in a lifetime? How does fear rule our actions, control our thoughts, overrule our instincts, and dictate our emotions? Are we conditioned how to act and react? Are we bred to slave over data in the workplace? Have our minds been turned into computers? Have our bodies been bred to consume? Are we drugged from childhood? Are we awake and if we were, how would we know?"
And here is a nice TED talk from Tenzin Bob Thurman (Uma Thurman's Dad!), who became a Tibetan monk at age 24, about a topic I would refer to as 'enlightened self-interest':
On my tech mind.
- Complexity Crunch
- Feedback Loops
- Change Management
- Reliability(Integrity)
- Loosely Coupled
- Mobile
- Everything is a client, everything is a server, everything is a cache
- Distributed content inventories
- Intelligent packets
- Metrics
- Quality of information
Sunday, June 03, 2007
The Blue Packet

This is a great post from a site I like about the mobile Telco industry. It made me laugh out loud. Things that evoke an audible response from you are special, whether good or bad!
Link ( also in image ) : http://the.taoofmac.com/space/blog/2004/11/08
Tuesday, May 29, 2007
Friday, May 25, 2007
Ack, Ack, Ack
Just wanted to reiterate something from Wade's blog:
Watch your thoughts: They become your words.
Watch your words: They become your actions.
Watch your actions: They become your habits.
Watch your habits: They become your character.
Watch your character: It becomes your destiny.
OSX'ers... please don't create a monoculture!
Well, there is an argument out there that the security framework of OSX/BSDs is far superior to that of Windows; however, aside from the MOAB (Month of Apple Bugs, which incidentally didn't produce an unassisted arbitrary remote code exploit that was wormable), it's nice to see some of my trusted analysts chime in.
"Apple running OS-X is the clear operating environment of choice today for most normal users and most businesses, especially for notebook computers."
Report here from Fred Cohen and Associates: http://all.net/Analyst/2007-06.pdf
Monday, May 21, 2007
On the up and up.
Glad to see Bruce Schneier sums up nicely my emergent view and business plan.
Link here: Do we really need a security industry?
[ http://www.schneier.com/blog/archives/2007/05/do_we_really_ne.html ]
Saturday, May 19, 2007
How to assign value to digital objects and flows
This may be my next programming project. As a wise man once said, "You either code, or you don't!". Hmmm.. I think it was me actually. As a student of life once said, "...
Anyway here's the new pitch. A statically linked, cross-platform binary to implement my 'Doobies' scheme for information evaluation in an enterprise. It takes advantage of multicast DNS and unicast DNS, thus the paths are already there! The client shoots off reports every so often to the 'reporter', which is the first entry in the 'value' subdomain, under 'reporter.value.companyx.com'.
Building blocks for the client: Zeroconf, Netconf, BeePy, mDNS, nProbe and, for some unknown reason (maybe resiliency?), DHTs come to mind, as does Anycast!
My head hurts ...
The web is about to explode all over again, and I mean in a 2002/3 CodeRed/Slammer/Nimda/Blaster/Nachi type of way. With services like Dapper and the new flavours of mashup AJAX'y type apps - it's hard to get your head around how information will be mangled by consumers, hobbyists and MISCREANTS.
I believe soon everyone will be running their own OpenID servers or will require SSO services to reduce the identity overheads of all these network-centric services. No one has addressed the old issues of domain ownership and transferral though. These are generally rooted in silly things like confirmation by fax, whereby no one bothers to check the calling parties number. Don't get me started on headed notepaper.
I used to "dis" the Jericho Forum, but the web is morphing from the inside out. Combine this with mesh, mobility and multicast/p2p and the funny thing is... we need to secure even more rather than less in enterprises. We've known this for a while. Anyone who throws out their firewalls yet might as well take the doors off their houses too. Decommissioning is expensive at all levels and hard to do well. Legacy kit and issues abound.
However, the paradigm has already changed. It's still the Internet and World Wide Web, just there's more of it and the information is being atomized and made even more malleable and 'remixable'.
This scared me today, though I had heard of the previous incidents of self-replicating XSS ...
Funny thing is, all these open APIs are creating another type of wider monoculture built on more layers than just TCP/IP.
Doobies.
I have joked before about units called 'doobies' but the idea is simple and flexible. Assume secure DNS. Use DNS as the dynamic database that it is to create a sub-domain that relates to value. Each organisation may have different values/exchange rates to their own country's currency unit.
Once you break down your traffic into objects and flows and start quantifying different types, you can then assign arbitrary amounts to atomic entities to begin with and tweak from there.
value.companyx.com
dns-flows.value.companyx.com
dns-packets.value.companyx.com
dns-records.value.companyx.com
customer-ssn.value.companyx.com
customer-address.value.companyx.com
This could get very complicated very quickly, but could also be as basic and simple as one wanted. The current values are resolved as addresses taken either from any part of the IPv4 address space or just from the bogon/Martian ranges (RFC 1918 / RFC 3330), and could have huge scope depending on the organisation.
This value is your 'dooby' value. Devices report back, or are queried, on how many of each type of object they have processed or stored in the interim. Devices then supply flexible stats and can consult a central value database. (Kinda like SNMP/RMON only better, unless I am missing something!)
DNS is ubiquitous. Kernel hooks into a special accounting/reporting client are required.
A device has processed x objects of type y, so x times the type-y 'dooby' value. What is the current 'dooby' exchange rate for my organisation?
Maybe you could re-use SNMP but I think the centralised DNS store of current values is more flexible.
Thoughts, this is just a beer mat type scribble idea on my behalf.
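As an added worked example (not the blog author's code, and not an existing project), here is one way the 'dooby' lookup described in this post, and the reporter/client accounting sketched in the 'How to assign value to digital objects and flows' post above, could fit together. The DNS zone is a constructed in-memory table standing in for A records under value.companyx.com; a real client would resolve the same names through a DNSSEC-validating resolver. The 'exchange-rate' and 'bogus' names, the encoding of a value as the address's offset inside 10.0.0.0/8, and the device reports are all assumptions made for this illustration. Because the post flags DNS as a target in itself, the lookup refuses any answer outside the agreed range instead of turning it into a valuation.

```python
"""'Dooby' valuation over DNS: an added worked example, not the blog author's code.

The zone below is a constructed in-memory table that stands in for A records
under value.companyx.com; a real client would resolve these names through a
DNSSEC-validating resolver instead. The 'exchange-rate' and 'bogus' names,
the encoding of a value as the address's offset inside 10.0.0.0/8, and the
device reports are all assumptions made for this example.
"""
import ipaddress
from collections import Counter

VALUE_ZONE = "value.companyx.com"

# Assumption: every value record must resolve inside this RFC 1918 block, and
# the value is the offset of the address from the block's network address
# (so 10.0.3.232 encodes 3*256 + 232 = 1000).
VALUE_RANGE = ipaddress.ip_network("10.0.0.0/8")

# Constructed stand-in for the DNS zone: name -> A record.
ZONE = {
    "dns-flows.value.companyx.com": "10.0.0.1",
    "dns-packets.value.companyx.com": "10.0.0.1",
    "dns-records.value.companyx.com": "10.0.0.2",
    "customer-ssn.value.companyx.com": "10.0.3.232",
    "customer-address.value.companyx.com": "10.0.0.50",
    # Assumed: currency minor units (e.g. cents) per dooby for this organisation.
    "exchange-rate.value.companyx.com": "10.0.0.3",
    # Constructed example of a record outside the agreed range, the shape a
    # forged or mis-edited record would take.
    "bogus.value.companyx.com": "198.51.100.7",
}


def resolve_a(name, zone=ZONE):
    """Stand-in for an A lookup. Returns an IPv4Address, or None for NXDOMAIN."""
    record = zone.get(name.lower())
    return ipaddress.IPv4Address(record) if record else None


def dooby_value(object_type, zone=ZONE):
    """Per-object value for one object type, decoded from its A record."""
    name = f"{object_type}.{VALUE_ZONE}"
    addr = resolve_a(name, zone)
    if addr is None:
        raise LookupError(f"no value record for {name}")
    # DNS is itself a target: refuse anything outside the agreed range rather
    # than silently turning a poisoned answer into a valuation.
    if addr not in VALUE_RANGE:
        raise ValueError(f"{name} resolved to {addr}, outside {VALUE_RANGE}")
    return int(addr) - int(VALUE_RANGE.network_address)


def validate_zone(zone=ZONE):
    """Audit helper: names under the value zone whose A record is out of range."""
    bad = []
    for name, record in zone.items():
        in_zone = name.endswith("." + VALUE_ZONE)
        if in_zone and ipaddress.IPv4Address(record) not in VALUE_RANGE:
            bad.append(name)
    return bad


def value_reports(reports, zone=ZONE):
    """Aggregate (device, object_type, count) reports into doobies per device."""
    per_device = Counter()
    for device, object_type, count in reports:
        per_device[device] += count * dooby_value(object_type, zone)
    return dict(per_device)


def to_currency_minor_units(doobies, zone=ZONE):
    """Convert a dooby total to the organisation's currency via the rate record."""
    return doobies * dooby_value("exchange-rate", zone)


# Constructed reports, the kind a kernel accounting hook might send to the reporter.
SAMPLE_REPORTS = [
    ("fw-1", "dns-packets", 5000),
    ("fw-1", "dns-flows", 120),
    ("db-1", "customer-ssn", 40),
    ("web-1", "customer-address", 300),
]

if __name__ == "__main__":
    totals = value_reports(SAMPLE_REPORTS)
    grand = sum(totals.values())
    print("doobies per device:", totals)
    print("organisation total:", grand, "doobies =",
          to_currency_minor_units(grand), "minor currency units")
    print("out-of-range records:", validate_zone())
```

The exchange rate lives in the same zone as the per-type values, so changing one record re-prices every device's report on the next resolve; the range check and the zone audit are the minimum a reporter should do before trusting what the resolver hands back.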
Thursday, May 17, 2007
Horse and cart? Cart and horse?
Donal to Securitymetrics mailing list.
(snippet)
Is not our problem that of assigning value to digital objects and/or their contents? First we need a good handle on our objects.
So intrinsic in 'Security Metrics' I posit are 'Non-Security Metrics' of sorts ;)
Are we putting the cart before the horse?
(snippet)
Basically the thrust here is that we are trying to measure security and risk without actually fully measuring the playing field, players and game to begin with. This is self-defeating as we only then sell FUD. One must first assign a value to digital objects no matter how hard that may be. I have suggested interim value units in the past that can be subsequently assigned dynamic financial values on a per-organisation basis. This could be achieved with DNS (though DNS is a target in itself!)
"Security metrics deal with risk and risk is not about security - it's about the utility of content." ( From a highly respected individual in the field. )
So how do we measure our content and track it in the first place?
We cannot assign a value to something if we don't know it's actually there, what it is exactly... how many of them there are and where etc. Flexible real time distributed content inventory is required. This harks back to my emerging belief in a form of 'Total Information Awareness' and digital surveillance of networks. Distributed endpoint file/object indexing, keylogging etc. This then also raises issues regarding the security of said goldmine of information.
Yes, I am steering back towards the 'network computer'... thin everything!
Wednesday, May 16, 2007
Watch the bits go bye!
More Infosec stuffing:
Haven't brushed up on 'information geometry' yet ;) but this reminds me of what I was trying to map out with raw real data here:
http://static.flickr.com/47/174233556_2c39eb159b_o.jpg
Long rambling post lives here if anyone is interested, but very network centric and is garrulous and overblown: http://bsdosx.blogspot.com/2006/06/byo-rfc.html
Basically, should we be mapping everything in real time at the data object and/or flow level from an operational perspective? Could every managed node actively stream back data? Should there be secure management covert channels (think Sebek: http://www.honeynet.org/tools/sebek/sebek_intro.png) to constantly feed back a node's state, message passing and flows?
When you think about it, are nodes too independent and not surveilled enough? Rather than configure something to monitor/watch them (OpenView, IDS, Argus), assuming initial trust, could they *constantly* advertise/disseminate statistical/session data that could be baselined (other than syslog/SNMP traps etc.)? Am thinking initial zeroconf and MANETs style operation here, or MMORPG gaming clients? libkstat on steroids?
I know Verdasys have Digital Guardian, CA have Audit... but will Enterprise Digital Rights Management scale, or does it have the same problems as PKI?
Surveillance and Adhocracy scale. With utility computing, servers will move and be re-purposed and the clients are already on the move.
Tuesday, May 15, 2007
Future, past and present.
I'm brewing a post about the future, as I think we are somewhat entrenched in the past and present.
For the moment the powers that be are waking up to support the object level security model, until reductionist thought strikes again :) I guess we'll always have data at rest, data being utilised and the resulting message passing or flows.
Anyway onwards and upwards.
a) Van Jacobson (Research Fellow at PARC) talks about new paradigms and security problems from the network up. Jump to 38 minutes in, as the start is a history lesson, albeit one that frames the old paradigms and ensuing discussion extremely well.
http://video.google.com/videoplay?docid=-6972678839686672840
Thanks Wade. Props to http://www.blog.wi.id.au/
b) Also, when looking at things like new paradigms for computing. [Stargate replicators anyone]?
Neil Gershenfeld (MIT Director for Bits and Atoms): The beckoning promise of personal fabrication.
http://www.ted.com/index.php/talks/view/id/90
"We don't need to keep having a digital revolution"
Personal note: I especially love the fact that the Google video is subtitled and that at the time there was a person signing for the deaf. We need to cater for all walks of life, as per the colour blind discussions on visualising data. It shouldn't just be about 'survival of the most adaptable'. Is Future Shock and technology going to implement an unconscious eugenics program?
Monday, May 14, 2007
The Holy Grail?
"Loosely coupled, rich internet applications and media delivered via infinitely scalable and secure utility computing to mobile thin clients in mesh environments."
I invite suggestions for my description. I invite comments and criticisms.
Note: Must keep to one sentence though ;)
Sunday, May 13, 2007
Time for a smile.
This kid breakdancing is the first thing in a while to make me laugh out loud, enjoy!
Another brief smile is here.
Maybe there is something weird in the ether today, but here is another one.
Saturday, May 12, 2007
Infosec the video.
Video Link

Rob Thomas has been a hero of mine ever since reading him on the First.org private lists. He founded Team Cymru (http://www.cymru.com/). He features in this video, along with Richard A. Clarke.
Good to see the Department of Homeland Security training up the United States Secret Service. Geo-political boundaries anyone?
Rob first opened my eyes to the fact that something like a GSR (Cisco 12000 Series Internet Router) could be 0wned and used to bounce or generate malicious traffic. Can you actually imagine a box with multiple OC-48 (and above) POS interfaces ready to do some miscreant's bidding? “im4 g0nn4 p4x0r j00!”
More ForwardEdgeII training videos!
Friday, May 11, 2007
I love it...
Just re-read one of my links to recent testimony given by Dan Geer to the US Department of Homeland Security's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
Quote from page 2:
"Information security is perhaps the hardest technical field on the planet."
F**kin' A.
(I, or even he, may seem biased, but those in the know will wholeheartedly agree.)
Q.E.D.
Thursday, May 10, 2007
Wednesday, May 09, 2007
Collections of quotes.
I had emailed these around recently, you gettin' any warm and fuzzies?
The religion of the future will be a cosmic religion. It should transcend personal God and avoid dogma and theology. Covering both the natural and the spiritual, it should be based on a religious sense arising from the experience of all things natural and spiritual as a meaningful unity. Buddhism answers this description. If there is any religion that could cope with modern scientific needs it would be Buddhism. (Albert Einstein)
A human being is part of the whole called by us universe ... We experience ourselves, our thoughts and feelings as something separate from the rest. A kind of optical delusion of consciousness. This delusion is a kind of prison for us, restricting us to our personal desires and to affection for a few persons nearest to us. Our task must be to free ourselves from the prison by widening our circle of compassion to embrace all living creatures and the whole of nature in its beauty. The true value of a human being is determined by the measure and the sense in which they have obtained liberation from the self. We shall require a substantially new manner of thinking if humanity is to survive. (Albert Einstein)
The most beautiful and most profound experience is the sensation of the mystical. It is the sower of all true science. He to whom this emotion is a stranger, who can no longer wonder and stand rapt in awe, is as good as dead. To know that what is impenetrable to us really exists, manifesting itself as the highest wisdom and the most radiant beauty which our dull faculties can comprehend only in their primitive forms - this knowledge, this feeling is at the center of true religiousness. (Albert Einstein - The Merging of Spirit and Science)
Reality cannot be found except in One single source, because of the interconnection of all things with one another. (Leibniz, 1670)
All things are parts of one single system, which is called Nature; the individual life is good when it is in harmony with Nature. (Zeno)
But also really like Wade's quote page [ http://tumblr.wi.id.au/ ] as it has a similar theme.
Saturday, May 05, 2007
Game theories for the World
Should we all be playing non-zero-sum games?
In the words of author Robert Wright (TED talk), "players with linked fortunes tend to cooperate for mutual benefit", and "All the salvation of the world requires is the intelligent pursuit of self interest in a disciplined and careful way".
Moral evolution is required via appreciation for the interconnectedness of all things.
I have been thinking for quite some time now that games like Sim City are required as part of a more subtle education system to help to teach kids about interdependence and how societies and civilisation actually work. Also, if kids aren't creating entertainment any longer and just consuming entertainment while mimicking the wrong role models, surely as a society we are responsible for re-architecting how they perceive society and should introduce different paradigms to their learning and living. We have indeed outsourced almost all thought, decision making and learning to the mass media while demonstrating mostly the negative traits of human nature such as greed, intolerance and lack of discipline. We breed autonomic consumers.
Personally I believe we should be getting kids to game with things like Sim City, A Force More Powerful and FoodForce. Imagine a multiplayer non-zero-sum game akin to Command and Conquer where the only answer was to negotiate and collaborate rather than mutual assured destruction. Let them play it out over the course of a term in teams and hopefully, like WOPR, they would come to realise the best strategy!
We are either unconsciously breeding a new generation unequipped for the present/future day or we can consciously adapt to the increasing rate of change in the world and move out of the outdated and inept mass-industrialised focussed educational structure to a more modular digitally orientated autodidactic framework.
"Welcome to the internet my friend."
Friday, May 04, 2007
Unequal, unstable, unsustainable... yet interdependent...
Working on this... but for now Bill Clinton sums it up http://www.ted.com/index.php/talks/view/id/85
Should TED talks not be required viewing for our youngsters?
Wednesday, May 02, 2007
Good things, when short, are twice as good.
If you know anything about information security, claim to, or even have a passing interest; then this 3 page PDF document will reinforce, refresh, and explain concisely the issues we face.
"The Committee on Homeland Security's Subcommittee on Emerging
Threats, Cybersecurity, and Science and Technology will hold a
hearing entitled "Addressing the Nation's Cybersecurity Challenges:
Reducing Vulnerabilities Requires Strategic Investment and Immediate
Action." Witnesses include Dr. Daniel E. Geer, Jr., Principal, Geer
Risk Services, LLC; ........."
....
Dan's testimony is here:
http://geer.tinho.net/geer.housetestimony.070423.PDF
Security metrics, expertise supply, increasing risk due to intelligent attacks, information sharing (my personal favourite) and accountability as opposed to access control.
Note: You may be interested also in some of Dan's other publications:
1. "Data Loss Prevention" [http://www.verdasys.com/pdf/dlp_whitepaper.pdf]
2. "Securing the Point of Use" [http://www.verdasys.com/pdf/SecurePOS.pdf]
3. "Convergence" [http://geer.tinho.net/ieee.geer.0606.pdf ] of physical and digital security.
4. "The Evolution of Security" [http://geer.tinho.net/acm.geer.0704.pdf]
Monday, April 30, 2007
Pull up those bre[e|a]ches...
In response to a post of Drazen's, quoting Peter Benson on Disclosure Laws; http://beastorbuddha.blogspot.com/2007/04/disclosure-laws-impacts-and-things-to.html
I offer the rant below.
I love this kind of topic, merely to highlight the macro and micro issues. One must look outside one's own discipline to find answers, as becoming too specialised, more often than not, does not allow one to 'see the forest for the trees'.
I would like to try and answer the issue if I may with some history, a dash of the present and a dab of the future.
History:
This is what's starting to happen in our society and industry in terms of complexity and economics: http://dieoff.org/page134.htm . Even though this paper is focussed on natural ecosystems and civilizations, the internet and its composing networks are a wonderfully rich representative ecosystem existing in our civilization.
As complexity increases there is increased energy needed in any system. This either produces new paradigms which address diminishing marginal returns, or the system collapses under the weight of trying to address the complexity. Thus what is required is either non-reductionist thought to address the complexity, e.g. "Defense in Depth" (which happens to be extremely costly), or a reduction in complexity and type of energy required in trying to solve the problems, resulting in a new paradigm or paradigms. To introduce the next paragraph I thought I'd quote Marcus Ranum (http://www.ranum.com/) "Your job, as a security practitioner, is to question - if not outright challenge - the conventional wisdom and the status quo. After all, if the conventional wisdom was working, the rate of systems being compromised would be going down, wouldn't it?"
Present: Quality and Cost Benefit Analysis
Sometimes when you have been travelling along a certain path, there are a few signposts as to why you are potentially lost.
http://www.ranum.com/security/computer_security/editorials/master-tzu/
http://www.ranum.com/security/computer_security/editorials/dumb/
Future:
Personally I believe the tools and processes are out there, but the enumeration of the problem is somewhat incorrect and being hampered by the 'old guard' of IT who actually don't really get it! They are suffering extreme forms of 'Future Shock' (http://en.wikipedia.org/wiki/Future_Shock), "too much change in too short a period of time"... This is in fact a wider social issue that is very hard to address, as people are afraid to challenge the status quo or can't effect change within their existing roles. This must happen more quickly rather than allowing a generational 'breed out' of the less savvy CIOs, CTOs, CSOs and below, as things are speeding up and not slowing down. This will only occur with economic motivations. Economics is based on theories of scarcity and the perceived value of goods and services. We are having huge issues in evaluating data over its lifecycle and putting a price on the ensuing issues and costs of a breach, disclosure or unintended manipulation of data.
As Grace Murray Hopper, USN (Ret) points out:
'Some day, on the corporate balance sheet,
there will be an entry which reads, "Information";
for in most cases, the information is more valuable
than the hardware which processes it.'
Dan Geer re-introduces this in his wonderful paper "The Shrinking Perimeter: Making the Case for Data-Level Risk Management" (http://www.verdasys.com/pdf/ShrinkPerim.pdf), which opens with the previous quote and argues for object-level protection and data valuation.
Another interesting topic is that of time and physics at play in our new world. Time based security and convergence argue for new paradigms and highlight new effects of this highly connected, information based economy (Convergence, Dan Geer, http://geer.tinho.net/ieee.geer.0606.pdf).
To understand the infrastructure and ecosystems out there, one must constantly sample and baseline traffic in the face of constant change. Some change is valid, some invalid. One cannot manage what one cannot measure, and change management is at the heart of it all. Metrics need to be standardised upon and individual nodes or systems need to become simpler e.g. more easily defined and controlled.
MTTR (Mean Time To Repair, http://en.wikipedia.org/wiki/Mean_time_to_repair) for example, requires that one actually knows something is at first broken and/or performing incorrectly (be it malicious or benign!).
Even though technology changes, the challenge of information management stays the same.
Sampling and surveillance, tied to regulation and compliance? Whose pocket gets hurt and what can they then do about it? Does a public shaming exact the financial penalties warranted or is public memory short lived when entities change and reform as different companies?
I do believe it's the start of building a baseline awareness. But honestly, without a form of Total Information Awareness, massive indexing and far reaching information asset management, how do you know:
a) what you've lost
b) when you've lost it
c) how you've lost it
d) how not to lose it again
Where does the burden of liability fall and how big is the carrot or stick?
Hopefully we don't start to litigate. http://www.ranum.com/security/computer_security/editorials/lawyers/index.html
I am beginning to be more optimistic with good folks like SA (http://www.security-assessment.com/) on the case!
Thursday, March 29, 2007
Spring has sprung, the grass has riz, I wonder where the RFID ...
I recently got a new ePassport with an RFID chip installed. I would have gotten a legacy passport sooner had I been actively following Ireland's rollout schedule for ePassports. As I only provided the minimum amount of information e.g. old passport, photos and basic identity information, I am not currently deeply worried, however the potential to:
a) read my information
b) write new information
c) clone my identity
d) at some future time add more biometric information
e) remotely fingerprint the passport nationality
led me to re-read some work being carried out on RFID security and the encryption algorithms and key material being used, or not used as the case may be. The term PKI (Public Key Infrastructure) has been bandied about, however who owns and controls the root key(s) and how is the local key derived? What is the key strength, and who owns or controls the keys? Can I read my own info? How secure is their BAC (Basic Access Control)? Not very, it seems. Issues abound in passports, credit cards and building or system access cards where proximity readers are employed.
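To put the key-strength question above in concrete terms, here is an added example (written for this page, not code from the post or from any passport issuer) that implements the Basic Access Control key derivation as published in ICAO Doc 9303. The two 3DES keys are a deterministic function of three fields printed in the passport's Machine Readable Zone (document number, date of birth, expiry date), so the effective key entropy is bounded by how many values those fields can take, not by the nominal 112 bits of the cipher. The MRZ field values are the ICAO specimen ones; the value-space sizes passed to `bac_entropy_bits` are assumptions chosen for illustration.

```python
"""ICAO 9303 Basic Access Control (BAC) key derivation and an entropy bound.

Added example, not from the blog post. The MRZ values used at the bottom are
the ICAO specimen document values; the value-space sizes are assumptions.
"""
import hashlib
import math


def _char_value(c: str) -> int:
    """MRZ character values: digits as-is, '<' = 0, A..Z = 10..35."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    return ord(c.upper()) - ord("A") + 10


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weighted sum with weights 7, 3, 1 repeating, mod 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return total % 10


def bac_seed(document_number: str, birth_date: str, expiry_date: str) -> bytes:
    """K_seed = SHA-1(MRZ_information)[:16], where MRZ_information is the
    document number (padded to 9 chars with '<'), date of birth (YYMMDD) and
    expiry date (YYMMDD), each followed by its check digit."""
    doc = document_number.ljust(9, "<")
    mrz_info = (f"{doc}{mrz_check_digit(doc)}"
                f"{birth_date}{mrz_check_digit(birth_date)}"
                f"{expiry_date}{mrz_check_digit(expiry_date)}")
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def _adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def bac_keys(seed: bytes):
    """ICAO key derivation: K = SHA-1(K_seed || counter)[:16] with a 32-bit
    big-endian counter; counter 1 gives the encryption key, 2 the MAC key."""
    k_enc = _adjust_parity(hashlib.sha1(seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = _adjust_parity(hashlib.sha1(seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_enc, k_mac


def bac_entropy_bits(doc_number_space: int, birth_day_space: int,
                     expiry_day_space: int) -> float:
    """Upper bound on BAC key entropy. The keys are a deterministic function of
    three MRZ fields, so the entropy is at most log2 of the product of the
    number of values each field can take. Smaller, more predictable value
    spaces (sequential document numbers, a known age bracket, a recent issue
    date) push this bound down further."""
    return math.log2(doc_number_space * birth_day_space * expiry_day_space)


if __name__ == "__main__":
    # ICAO specimen MRZ: document L898902C3, born 74-08-12, expires 12-04-15.
    seed = bac_seed("L898902C", "740812", "120415")
    k_enc, k_mac = bac_keys(seed)
    print("K_ENC:", k_enc.hex())
    print("K_MAC:", k_mac.hex())
    # Assumed value spaces: 10^7 document numbers, ~100 years of birth dates,
    # ~10 years of expiry dates. Compare the result with the 112-bit 3DES key.
    print("entropy bound (bits):", round(bac_entropy_bits(10**7, 36525, 3653), 1))
```

The point for a passport holder is that BAC only keeps the chip contents from a reader that has not seen the printed data page; it does not add secrecy beyond what the MRZ fields already have, which is why the shielding sleeves listed further down this post are a sensible complement rather than a redundancy.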
Right now I would like to disable the chip completely, but I believe this to be a crime. Maybe I can coax it to gently fail? What is the MTBF ( Mean Time Between Failures ) for the RFID chips in Irish passports? The UK ones seem to be fairly short. http://www.theregister.co.uk/2007/02/07/nao_epassport_report/
Passports cloned at BlackHat : http://www.wired.com/science/discoveries/news/2006/08/71521
Bruce Schneier commentary http://www.schneier.com/crypto-gram-0610.html#3
Tools and Information from RFIdiot http://www.rfidiot.org/
NO2ID.net http://www.no2id.net/
Electronic Frontier Foundation http://www.eff.org/Privacy/
RFID Security and Privacy http://www.rfid-cusp.org/ Also, 1G Vulnerabilities in Credit Cards
Potential misuse via a targeted IED (Improvised Explosive Device) http://www.youtube.com/watch?v=-XXaqraF7pI
Paper on RFID card security : http://www.riscure.com/2_news/200604%20CardsAsiaSing%20ePassport%20Privacy.pdf
Basic countermeasures!
(Thinking about reducing skimming attempts through shielding!)
RFID SHIELD http://www.rfid-shield.com/
DIFRwear http://difrwear.com/
Tuesday, March 13, 2007
The Elves and the Shoemaker ( Part 1 )
Q. When is your reality not your reality?
A. When it's somebody else's?
So excuse the existentialism for a moment and permit me if you will, to step back from the issue to elaborate more clearly my opinion of the forces at work at a deeper level. At no time in history has the rate of change, the terms of reference and the paradigms been so extraordinarily different as they are currently, especially for knowledge based/information economies, or other businesses and organisations that rely upon or use Information Technology.
As William Gibson said, "the future is already here , it's just unevenly distributed".
For some this creates an exciting, ever-changing, ever-learning environment in which one can in some ways actively contribute and watch the future unfold in 'realtime' like never before. In no other discipline (I use the term 'discipline' lightly ...) is this rate of change as pronounced as it is in Information Security/Protection/Assurance ... where one must be constantly abreast of new technologies and engaged in a never-ending cyber arms race in an effort to help defend an organisation's assets from malicious attack or unintended breaches in data and service integrity, confidentiality or availability. A mammoth task even in smaller organisations.
EDS may have tried to herd cats, but we in Infosec try to repel alien invasions, uncover national conspiracies, protect and serve, and offer matrix style A-team vigilantism served up with a side order of business acumen and a portion of savoir faire. Fun until you realise your noble pursuit of protecting the weak and innocent, fighting the forces of evil and saving the world from itself isn't necessarily shared by all elves. Funny that ... the naivety in thinking that there were no lazy, apathetic IT elves ... the realisation that all the IT elves must do their work to a certain level of quality and assurance for your work to even begin to be worthwhile, measurable, or at least have the other elves believe you when you tell them of the 'dark magic' that counteracts the good elven magic they are so used to (this of course without demonstrating 'dark magic' on production or development systems as we meanwhile wait for the 'dark elves' to try all manner of 'dark magic' until they install 'dark doors' that are practically untraceable ...)
For many in business, even in IT itself, it is easier to allow the elves to get on with their daily magic and then work with the ensuing results, embracing without question the supposed increases in productivity and efficiency.
Most beings work on a macro layer and let the elves create and dabble in even more elven magic to ensure the lower level elves and base magics behave themselves. What we don't know can't and shouldn't hurt us right?
Let's take an administrator, management entity or executive in the Grimm Brothers Ltd. shoe business as a potential test subject. They are constantly worried about profit, share value, productivity and efficiency (as they might be in any business). They don't actually need to fully grasp how the increases in output and efficiency are achieved by the latest and greatest elves and magic, just that they work and work well. Unfortunately conveying and measuring the potential pitfalls and complexity of using this magic is extremely hard to explain to anyone who doesn't have a grasp of the most basic and rudimentary tenets of elven magic. Problems are compounded by the outsourcing of elven work to other cheaper elven lands, or insisting upon the use of increasingly complex and esoteric elven magic, without keeping some local elves in reserve to do quality assurance, vendor management or governance. Somehow all elves should be trusted with all magic, and unfortunately unmanageable and unmeasurable SLAs (Service Level Agreements) cannot and do not incur penalties. Increasingly and understandably management want to connect their business directly to 'other' realms in the hope of increased sales and access to more B2E (Business-to-Elf) services ...
Unfortunately these realms also contain both good and bad elves, dark magic ... and all number of mythical and mysterious self replicating evil beasties and other magical creatures.
One mis-spoken elven incantation (depending upon the situation and circumstance) can cause terrible horrors and cripple a shoe business, reducing them back to cobblers. Rumour has it that a certain shoe business continued to make a full month's worth of shoes in the wrong realm without anyone noticing, while the offending bad elf pocketed the money and sold the incantation to other bad elves to use on other similarly connected shoe businesses for fun and profit.
In what I will call 'standard industries', people, resources, inputs/outputs, and the processes in between have, for centuries, been producing products and services with ever more efficient physical world means. Problems were addressed with mainly conventional wisdom and experience was garnered slowly but surely. Information's potential for utility was dictated by its storage, processing, quantity and speed of access. There was time to learn and slowly adapt to changing markets and conditions. Knowledge was passed on and people generally knew what was going on (or at least you could look under the hood and somewhat infer the mechanism and physics of the system). There was no need for knowledge of the other 'realms' or of extra sneaky elven escapades. In fact way back then there were no elves and no magic!
I think society is now approaching the Shoe Event Horizon?
Hopefully this goes some way to highlighting the levels of abstraction, complexity and lack of care in use of even the most basic elven magic ... the fact that elven magic is almost ubiquitous in every aspect of modern society and becoming even more so, should be a warning flag of sorts. I am still a little iffy on how my fridge works ... thermodynamics and all that, but I'm damned sure no other realm's dark elven magic will leak in through my freezer box, monitor me and empty my online bank account.
a) Forest from the trees: Micro vs Macro
Where do IT Security managers/analysts/admins really sit in the hierarchy of the business? Are they perceived as generating value or just scaremongering? Do they actually understand the business themselves? How many cowboys are there currently in this business and do these professionals still have an active foot in the 'real' business generation of value? Are the security vendors only interested in selling more kit? Is it worth building robust products and services with longevity that won't necessarily generate repeat business, entail a support contract or restrict usage and try to enforce over zealous licensing requirements?
Are we generating more complexity every second, introducing more nodes and depth of code rather than reducing it and improving the quality? Is this really an increase in efficiency and manageability? How many layers of abstraction and protocols before one gets to the data object?
b) Understanding the business: Bottom lines and risk management?
I agree that the technically orientated need to understand the business more, but the business guys need to understand the technical aspects of the platforms and systems they employ also. Maybe the security guys need to have security relationship managers facing off to other parts of IT and the business, or would this just complicate matters? Must each security dude/manager be a CSO and CTO in their own right? Are we asking too much or too little?
How can one employ risk management techniques without first understanding the flows and business processes, rather than just the distinct packets and security posture of systems in isolation? How does one map a business that is changing at such a fast pace 'under the hood' as it relates to operating systems, custom code, new rollouts, decommissioning etc.? How up-to-date and integral is your DNS, logging, NTP, routing, host database and asset management? How integrated and aware are your change management and operational monitoring systems? How much confidence do you have in all this information and the dudes, dudettes or elves performing the changes? And is this all required across the board from SMEs and up?
c) Culture and generational: Youth vs. Age and wisdom of both?
Who wants the equivalent of a spotty youth or young buck trying to convey a different paradigm of the world to a well established businessperson who has made their mark and 'understands' the business fully? Many questions abound here ... how long has one been in their role, are they keeping up-to-date, do they actually care, is it all too much and how often is 'the changing of the guard' occurring in the higher echelons of a business?
d) Communication and quantification: Describing and conveying risk?
You can't manage what you can't measure. What metrics are available or employed to convey meaning and progress? How do you value your data, systems, IP flows and business systems other than the physical asset values? How do you translate these abstract concepts and systems to other business decision makers? Are analogies a poor substitute for direct real evidence? So at the end of the day, what you are going to communicate precedes the how.
“Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it.”
Grace Murray Hopper
Metrics, metrics, metrics ... what, how, where and when to measure? How do you enumerate the risks? Some progress is being made, but we are at a very early stage. Definitions are still somewhat wishy washy, frameworks are like standards... 'the beauty is that there are so many to choose from'.
When IT products and commercial code are more regulated and built with greater tolerances we'll all be in a better place.... see here!
e) Rate of Change and Future Shock: Telescoping, new paradigms and new physics?
A while back on the Security Metrics mailing list I started a debate on the new world physics employed when dealing with Information Security/Protection. Dan Geer had a great paper on the issue of time and the geographic, physical and technical issues faced in cyberspace versus the physical world. I highly recommend it.
Executives, managers and all aspects of business (including elves) are experiencing 'Future Shock'; which is basically a 'culture shock' in our own society and time, where the rate of change constantly removes our terms of reference and leaves us alienated. Are you still trying to ride the wave of information overload and how do you hope to address it? Or are you starved of the quality of data you require to make effective and critical judgements for your life, liberty and the pursuit of business/happiness?
Do we really need more elves and magic right now?
A. When it's somebody else's?
So excuse the existentialism for a moment and permit me if you will, to step back from the issue to elaborate more clearly my opinion of the forces at work at a deeper level. At no time in history has the rate of change, the terms of reference and the paradigms been so extraordinarily different as they are currently, especially for knowledge based/information economies, or other businesses and organisations that rely upon or use Information Technology.
As William Gibson said, "the future is already here, it's just unevenly distributed".
For some this creates an exciting, ever-changing, ever-learning environment in which one can in some ways actively contribute and watch the future unfold in 'realtime' like never before. In no other discipline (I use the term 'discipline' lightly ...) is this rate of change as pronounced as it is in Information Security/Protection/Assurance ... where one must be constantly abreast of new technologies and engaged in a never-ending cyber arms race in an effort to help defend an organisation's assets from malicious attack or unintended breaches in data and service integrity, confidentiality or availability. A mammoth task even in smaller organisations.
EDS may have tried to herd cats, but we in Infosec try to repel alien invasions, uncover national conspiracies, protect and serve, and offer matrix style A-team vigilantism served up with a side order of business acumen and a portion of savoir faire. Fun until you realise your noble pursuit of protecting the weak and innocent, fighting the forces of evil and saving the world from itself isn't necessarily shared by all elves. Funny that ... the naivety in thinking that there were no lazy, apathetic IT elves ... the realisation that all the IT elves must do their work to a certain level of quality and assurance for your work to even begin to be worthwhile, measurable, or at least have the other elves believe you when you tell them of the 'dark magic' that counteracts the good elven magic they are so used to (this of course without demonstrating 'dark magic' on production or development systems as we meanwhile wait for the 'dark elves' to try all manner of 'dark magic' until they install 'dark doors' that are practically untraceable ...)
For many in business, even in IT itself, it is easier to allow the elves to get on with their daily magic and then work with the ensuing results, embracing without question the supposed increases in productivity and efficiency.
Most beings work on a macro layer and let the elves create and dabble in even more elven magic to ensure the lower level elves and base magics behave themselves. What we don't know can't and shouldn't hurt us right?
Let's take an administrator, management entity or executive in the Grimm Brothers Ltd. shoe business as a potential test subject. They are constantly worried about profit, share value, productivity and efficiency (as they might be in any business). They don't actually need to fully grasp how the increases in output and efficiency are achieved by the latest and greatest elves and magic, just that they work and work well. Unfortunately conveying and measuring the potential pitfalls and complexity of using this magic is extremely hard to explain to anyone who doesn't have a grasp of the most basic and rudimentary tenets of elven magic. Problems are compounded by the outsourcing of elven work to other cheaper elven lands, or insisting upon the use of increasingly complex and esoteric elven magic, without keeping some local elves in reserve to do quality assurance, vendor management or governance. Somehow all elves should be trusted with all magic and, unfortunately, unmanageable and unmeasurable SLAs (Service Level Agreements) cannot and do not incur penalties. Increasingly and understandably management want to connect their business directly to 'other' realms in the hope of increased sales and access to more B2E (Business-to-Elf) services ...
Unfortunately these realms also contain both good and bad elves, dark magic ... and all number of mythical and mysterious self replicating evil beasties and other magical creatures.
One mis-spoken elven incantation (depending upon the situation and circumstance) can cause terrible horrors and cripple a shoe business, reducing them back to cobblers. Rumour has it that a certain shoe business continued to make a full month's worth of shoes in the wrong realm without anyone noticing, while the offending bad elf pocketed the money and sold the incantation to other bad elves to use on other similarly connected shoe businesses for fun and profit.
In what I will call 'standard industries', people, resources, inputs/outputs, and the processes in between have, for centuries, been producing products and services with ever more efficient physical world means. Problems were addressed with mainly conventional wisdom and experience was garnered slowly but surely. Information's potential for utility was dictated by its storage, processing, quantity and speed of access. There was time to learn and slowly adapt to changing markets and conditions. Knowledge was passed on and people generally knew what was going on (or at least you could look under the hood and somewhat infer the mechanism and physics of the system). There was no need for knowledge of the other 'realms' or of extra sneaky elven escapades. In fact way back then there were no elves and no magic!
I think society is now approaching the Shoe Event Horizon?
Hopefully this goes some way to highlighting the levels of abstraction, complexity and lack of care in use of even the most basic elven magic ... the fact that elven magic is almost ubiquitous in every aspect of modern society and becoming even more so, should be a warning flag of sorts. I am still a little iffy on how my fridge works ... thermodynamics and all that, but I'm damned sure no other realm's dark elven magic will leak in through my freezer box, monitor me and empty my online bank account.
a) Forest from the trees: Micro vs Macro
Where do IT Security managers/analysts/admins really sit in the hierarchy of the business? Are they perceived as generating value or just scaremongering? Do they actually understand the business themselves? How many cowboys are there currently in this business and do these professionals still have an active foot in the 'real' business generation of value? Are the security vendors only interested in selling more kit? Is it worth building robust products and services with longevity that won't necessarily generate repeat business, entail a support contract or restrict usage and try to enforce over zealous licensing requirements?
Are we generating more complexity every second, introducing more nodes and depth of code rather than reducing it and improving the quality? Is this really an increase in efficiency and manageability? How many layers of abstraction and protocols before one gets to the data object?
b) Understanding the business: Bottom lines and risk management?
I agree that the technically orientated need to understand the business more, but the business guys need to understand the technical aspects of the platforms and systems they employ also. Maybe the security guys need to have security relationship managers facing off to other parts of IT and the business, or would this just complicate matters? Must each security dude/manager be a CSO and CTO in their own right? Are we asking too much or too little?
How can one employ risk management techniques without first understanding the flows and business processes, rather than just the distinct packets and security posture of systems in isolation? How does one map a business that is changing at such a fast pace 'under the hood' as it relates to operating systems, custom code, new rollouts, decommissioning etc.? How up-to-date and integral is your DNS, logging, NTP, routing, host database and asset management? How integrated and aware are your change management and operational monitoring systems? How much confidence do you have in all this information and the dudes, dudettes or elves performing the changes? And is this all required across the board from SMEs and up?
c) Culture and generational: Youth vs. Age and wisdom of both?
Who wants the equivalent of a spotty youth or young buck trying to convey a different paradigm of the world to a well established businessperson who has made their mark and 'understands' the business fully? Many questions abound here ... how long has one been in their role, are they keeping up-to-date, do they actually care, is it all too much and how often is 'the changing of the guard' occurring in the higher echelons of a business?
d) Communication and quantification: Describing and conveying risk?
You can't manage what you can't measure. What metrics are available or employed to convey meaning and progress? How do you value your data, systems, IP flows and business systems other than the physical asset values? How do you translate these abstract concepts and systems to other business decision makers? Are analogies a poor substitute for direct real evidence? So at the end of the day, what you are going to communicate precedes the how.
“Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it.”
Grace Murray Hopper
Metrics, metrics, metrics ... what, how, where and when to measure? How do you enumerate the risks? Some progress is being made, but we are at a very early stage. Definitions are still somewhat wishy washy, frameworks are like standards... 'the beauty is that there are so many to choose from'.
When IT products and commercial code are more regulated and built with greater tolerances we'll all be in a better place.... see here!
e) Rate of Change and Future Shock: Telescoping, new paradigms and new physics?
A while back on the Security Metrics mailing list I started a debate on the new world physics employed when dealing with Information Security/Protection. Dan Geer had a great paper on the issue of time and the geographic, physical and technical issues faced in cyberspace versus the physical world. I highly recommend it.
Executives, managers and all aspects of business (including elves) are experiencing 'Future Shock', which is basically a 'culture shock' in our own society and time, where the rate of change constantly removes our terms of reference and leaves us alienated. Are you still trying to ride the wave of information overload, and how do you hope to address it? Or are you starved of the quality of data you require to make effective and critical judgements for your life, liberty and the pursuit of business/happiness?
Do we really need more elves and magic right now?
Thursday, March 01, 2007
It's much clearer now.
This explains many of my previous posts and some I am actually working on right now regarding 'Future Shock', e.g. moving towards a:
http://en.wikipedia.org/wiki/Technological_singularity
Funny how lots of research, conversations and other material lead you to the same conclusion after having come from many paths. Back to TED and Ray Kurzweil http://www.ted.com/tedtalks/tedtalksplayer.cfm?key=r_kurzweil
Are Biology and Technology the keys? Kevin Kelly on TED
http://www.ted.com/tedtalks/tedtalksplayer.cfm?key=k_kelly
This has only strengthened my resolve to find balance, master the mind, and address certain internal needs. Where are we racing to and what happens when we get there?
Does Eamonn Healy know? Telescopic Evolution
( Another excerpt from Richard Linklater's Waking Life )
Interconnectedness and transience abound.
With Peak Oil ( ABC Video ) a seemingly plausible near term future on earth, should we not all be planning ahead and focussing on what really matters in life?
I think perhaps searching for a middle ground between permaculture and IT will be my path / purpose.
Tuesday, February 13, 2007
$$$ I have love in my tummy....
Just passing on the concept of passive income... though some seem more active to me in the long run :)
- Create Passive Income ( GeniusTypes.com )
- Blogging Manual ( GeniusTypes.com )
- Money from your blog ( StevePavlina.com )
- Six Figure Blogger ( Problogger.net )
- LinkBaiting ( www.SEOegghead.com )
- SuccessFromTheNest
Friday, February 09, 2007
A World of Sheep?
Found this http://www.thesheepmarket.com/ while passing 'The Brain of Wade's post on information and Web2.0
It says many things to me about: possibilities, art, waste, control, tools and the most ironic thing of all.... many people in this world are SHEEP! It's time to wake up.
Saturday, February 03, 2007
Required reading? Code v2.0
http://codev2.cc/ Free PDF download: http://codev2.cc/download+remix/
Amazon Description:
"There's a common belief that cyberspace cannot be regulated - that it is, in its very essence, immune from the government's (or anyone else's) control. Code, first published in 2000, argues that this belief is wrong. It is not in the nature of cyberspace to be unregulable; cyberspace has no "nature." It only has code - the software and hardware that make cyberspace what it is. That code can create a place of freedom - as the original architecture of the Net did - or a place of oppressive control. Under the influence of commerce, cyberspace is becoming a highly regulable space, where behavior is much more tightly controlled than in real space. But that's not inevitable either. We can - we must - choose what kind of cyberspace we want and what freedoms we will guarantee. These choices are all about architecture: about what kind of code will govern cyberspace, and who will control it. In this realm, code is the most significant form of law, and it is up to lawyers, policymakers, and especially citizens to decide what values that code embodies."
Aside:
From http://www.paulgraham.com/opensource.html
"To me the most demoralizing aspect of the traditional office is that you're supposed to be there at certain times. There are usually a few people in a company who really have to, but the reason most employees work fixed hours is that the company can't measure their productivity. The basic idea behind office hours is that if you can't make people work, you can at least prevent them from having fun. If employees have to be in the building a certain number of hours a day, and are forbidden to do non-work things while there, then they must be working. In theory. In practice they spend a lot of their time in a no-man's land, where they're neither working nor having fun."
Thursday, January 04, 2007
Muhuhuhuhuh..hahahahahah!
"Alex Jones" in "Waking Life" by Richard Linklater
Here's also a great automated presentation about Copyright and free culture from none other than Lawrence Lessig http://lessig.org/freeculture/free.html
Ask yourself, what's life going to be like in the future for your kids?
Monday, January 01, 2007
Synchronicity... again?
I came upon this ( http://www.worldchanging.com/book/ ) from the excellent TED talks ( http://www.ted.com/tedtalks/ ) and TED blog.... randomly clicking on Architecture.
Saturday, December 30, 2006
Reading list - [placeholder]
This post tries to echo the previous post somewhat...
Mortality:
Scarcity:
Religion:
- A New Earth: Awakening to Your Life's Purpose, Eckhart Tolle
- The Power of Now: A Guide to Spiritual Enlightenment, Eckhart Tolle
- The Three Pillars of Zen, Roshi Philip Kapleau
- The Quantum and the Lotus: A Journey to the Frontiers where Science and Buddhism Meet, Matthieu Ricard and Trinh Xuan Thuan
- The Monk and the Philosopher: A Father and Son Discuss the Meaning of Life, Jean-Francois Revel and Matthieu Ricard ( To order... )
- The Art of Stalking Parallel Perception: The Living Tapestry of Lujan Matus, Lujan Matus ( To order... )
- The Active Side of Infinity, Carlos Castaneda ( To order... )
- Integral Yoga: Sri Aurobindo's Teaching & Method of Practice, Sri Aurobindo ( To order... )
Education:
- The Pleasure of Finding Things Out, Richard P. Feynman
- The Rise and Fall of the Third Chimpanzee, Jared Diamond
- The God Gene: How Faith Is Hardwired into Our Genes, Dean H. Hamer
- Emotional Intelligence: Why it can matter more than IQ, Daniel Goleman ( To order... )
- Gödel, Escher, Bach: An Eternal Golden Braid, Douglas R. Hofstadter
- The Quest for Consciousness: A Neurobiological Approach, Christof Koch ( To order... )
- Principles of Statistics, M. G. Bulmer ( To order... )
Diet:
- Healthy at 100: The Scientifically Proven Secrets of the World's Healthiest and Longest-Lived Peoples, John Robbins ( To order... )
- Becoming Vegan: The Complete Guide to Adopting a Healthy Plant-Based Diet, Brenda Davis, Vesanto Melina ( To order... )
- The Omnivore's Dilemma: A Natural History of Four Meals, Michael Pollan
Some cud....
"Western Civilization, it seems to me, stands by two great heritages. One is the scientific spirit of adventure - the adventure into the unknown, an unknown which must be recognized as being unknown in order to be explored; the demand that the unanswerable mysteries of the universe remain unanswered; the attitude that all is uncertain; to summarize it - the humility of the intellect. The other great heritage is Christian ethics - the basis of action on love, the brotherhood of all men, the value of the individual - the humility of the spirit. These two heritages are logically, thoroughly consistent. But logic is not all; one needs one's heart to follow an idea. If people are going back to religion, what are they going back to? Is the modern church a place to give comfort to a man who doubts God - more, one who disbelieves in God? Is the modern church a place to give comfort and encouragement to the value of such doubts? So far, have we not drawn strength and comfort to maintain the one or the other of these consistent heritages in a way which attacks the values of the other? Is this unavoidable? How can we draw inspiration to support these two pillars of Western civilization so that they may stand together in full vigor, mutually unafraid? Is this not the central problem of our time?"
'The Relation of Science and Religion', Richard P. Feynman
Originally published by the California Institute of Technology in Engineering and Science magazine. Personally I would replace Christianity and the 'church' with 'religion', as this applies to many different forms and types of modern belief systems.
If one could really change the world in a long lasting, meaningful way, it seems to me that a few barriers will always stand unless they are either a) stripped away ( which is unfortunately incredibly difficult with existing inertia and legacy frameworks and systems ) or b) slowly replaced or superseded by something better than what is already there or appears to be working. Sometimes there is a slow and barely noticeable evolution, one that you don't notice until you actually stand back and see where you have come from; other times there is a massive paradigm shift that results in huge change by virtue of an idea, an invention or some catastrophic event ( which generally only lasts a short time in corporate or societal memory ).
I posit that five basic concepts or issues are of utmost importance to how we think, live, learn and treat both our ecosystem and fellow sentient beings.
( However, sometimes you find people have beaten you to it ;) http://www.copenhagenconsensus.com/ )
a) mortality ( http://en.wikipedia.org/wiki/Mortality )
b) scarcity ( http://en.wikipedia.org/wiki/Scarcity )
c) religion
d) education including information transparency and unfettered access to said information / knowledge
e) diet
So perhaps improvements could be made, or these concerns addressed by:
a) immortality - by constantly replacing or reprogramming our cells and fully understanding atomic / quantum interactions on molecular biology etc
- http://www.methuselahfoundation.org/
- http://en.wikipedia.org/wiki/Gerontology
- http://en.wikipedia.org/wiki/Methuselah_Mouse_Prize
b) nano-technological fabrication of goods and facilitation of services ( energy issues? ) and population control http://en.wikipedia.org/wiki/Population_control either voluntarily or involuntarily via governmental eugenics http://en.wikipedia.org/wiki/Eugenics or Nature re-exerting balance via some form of mass infertility and hopefully preventing some form of Malthusian Catastrophe
c) a sweeping new unified religion / belief system similar to, if not expanding upon buddhism in its synergy with modern science, universal compassion and tolerance... or even a spontaneous new mass movement or group awakening / Enlightenment which seems to be brewing due to accelerating global disillusionment
d) free ( as in beer ) universal education and wider topics of learning for younger generations, including digitization thereof and free access to the sum of all human knowledge including all global libraries, universities and educational publications
- http://laptop.media.mit.edu/ One Laptop Per Child... http://laptop.org/
- http://www.unesco.org/education/efa/
- http://www.gutenberg.org/ Project Gutenberg, Free Online Books
- http://www.oreilly.com/openbook/ O'Reilly Open Books
- http://cnx.org/ Connexions, Free Scholarly materials
- http://www.teacherswithoutborders.org/
- http://ocw.mit.edu/ MIT Open Courseware
- http://www.ocwconsortium.org/ Open Courseware Consortium
- http://www.pugwash.org/ Pugwash
e) go vegan or vegetarian for everyone and everything's sake, including your own sanity and health! Why?
- http://www.viva.org.uk/
- http://www.goveg.com/
- http://www.slowfood.com/
- http://www.animalfreeshopper.com/
Saturday, December 16, 2006
Quality and existence?
Impermanence and suffering, hand in hand?
Today's thought of the day comes from trying to cram too much into one day, and then deciding to do only one thing! One tries to get the most, the best or the biggest from activities in a distinct period of time. So, who and what defines the quality of our experiences? Is it external, is it society, or can it really be ourselves, unfettered by external influences?
If we are perceiving and defining as we go ( a bit like new metaphysical theories that potentially become self-fulfilling prophecies..? ), then this world has already been defined into existence, and continues to be so in the micro and the macro the further we wish to plunge. It will take some radical thinking to help undefine parts of it and a common moral/ethical system to guide 'science' as it does so. How deep can we go? Is Planck's constant really the limiting factor, until of course we go deeper?
Recently, after reading 'The Elementary Particles' (quoted in my last post), the problem of mortality does NOT allow us to absolve ourselves of the responsibilities to both our earth and our fellow man upon death ( we speak sometimes of our children inheriting the earth), but not everyone has children, and I believe people are still inherently selfish; even though they spend a lot of time thinking about the future, they are all selfish thought cycles. Being immortal, we would not be impermanent and as such would both remember others' actions and be compelled to act in the common good, knowing we were all intrinsically part of the 'Wheel of Life'? Funnily enough though, an image of the vampires in the movie Blade(I|II|III)? springs to mind, whereupon they went down the other path in a megalomaniacal sense (only because there were the inferior humans still to be ruled!), yet there was somewhat of a respect for other 'immortal' vampires. ( Unfortunately though, vampires could still be killed in certain ways, as could potential future biologically immortal humans... albeit they would be free from disease and sickness, they could still be beheaded / incinerated etc. etc.) This is also apparent with the fictional Titans in Dune's 'Machine Crusade' ( http://en.wikipedia.org/wiki/Titan_(Dune) ), a continued set of Dune books written by Frank Herbert's son Brian.
Would be nice to address group consciousness without immortality though.... ;)
Today's thought of the day comes from trying to cram too much in to one day, and then deciding to do only one thing! One tries to get the most, the best or the biggest from activities in a distinct period of time. So, who and what defines the quality of our experiences? Is it external, is it society or can it really be ourselves.. unfettered by external influences?
If we are perceiving and defining as we go (a bit like new metaphysical theories that potentially become self-fulfilling prophecies..?), then this world has already been defined into existence, and continues to be so in the micro and the macro the further we wish to plunge. It will take some radical thinking to help undefine parts of it and a common moral/ethical system to guide 'science' as it does so. How deep can we go? Is Planck's constant really the limiting factor, until of course we go deeper?
Recently, after reading 'The Elementary Particles' (quoted in my last post): the problem of mortality does NOT allow us to absolve ourselves of the responsibilities to both our earth and our fellow man upon death (we speak sometimes of our children inheriting the earth), but not everyone has children, and I believe people are still inherently selfish; even though they spend a lot of time thinking about the future, they are all selfish thought cycles. Being immortal, we would not be impermanent and as such would both remember others' actions and be compelled to act in the common good, knowing we were all intrinsically part of the 'Wheel of Life'? Funnily enough, an image of the vampires in the movie Blade (I|II|III)? springs to mind, whereupon they went down the other path in a megalomaniacal sense (only because there were the inferior humans still to be ruled!), though there was somewhat of a respect for other 'immortal' vampires. (Unfortunately though, vampires could still be killed in certain ways, as could potential future biologically immortal humans... albeit free from disease and sickness, they could still be beheaded / incinerated etc. etc.) This is also apparent with the fictional Titans in Dune's 'The Machine Crusade' (http://en.wikipedia.org/wiki/Titan_(Dune)), part of the continuation of the Dune books written by Frank Herbert's son Brian.
Would be nice to address group consciousness without immortality though.... ;)
Thursday, December 14, 2006
Elementarily T.I.R.E.D.?
The latest sociological acronym is "Tired" - the Thirty-something Independent Radical Educated Dropout.
"Tell me, what is it you plan to do - with your one wild and precious life?"
The Summer Day, Mary Oliver
"Children suffer the world that adults create for them and try their best to adapt to it; in time, usually, they will replicate it."
The Elementary Particles, Michel Houellebecq, 1998
Have I exhausted all modern society has to offer - a year early at 29? Is it now time to change the world as previously envisaged? Enlightenment may be a pre-requisite. And these North American zen groups are either too scared, cliquey.... or there are too many stoners and loonies around this continent to warrant any form of trust in a stranger. I'll need to 'explore/meditate' back home in the EU, where the vibe is akin to the openness and friendliness of my second home, Australia. ( I hope ;)
Listening to inside, still confused...
Thought: All these coffee shops and coffee addicted people feed the 'chattering' monkey mind of the ego and keep the 'pain-body' emotionally hurting both itself and others. Keep those dumb 'battery' humans in their boxes consuming, keep their music/ipods playing when outside so they don't hear the real world.
Q. What's left to suppress? A visual overlay on the world to create a 'pseudo' reality?
Dream: Brother arrived at same conclusions as I. He felt even more hopeless. I ended up beating and bullying him not to give up. He went limp in my arms. He had passively accepted whatever fate was going to throw at him. He went to bed suicidal and woke up happy. Then another one of him appeared, and another and another - all taking multiple choices, directions etc. His essence and energy was becoming severely diluted the more 'hims' appeared, we (family) wanted him to stop multiplying but once he had started he couldn't and didn't want to. It was freeing and very powerful to him.
There was a building with lots of windows, some were filled with versions of him, some had large sloth/ant-eater bipeds that were also his essence too. They were smiling and looking up chuckling.
I tried to get him to come to Australia, he wouldn't. I realised I didn't live there anymore. By accident he ended up in a green hippie van traveling to New Zealand. I was happy about that.
Thursday, November 23, 2006
Hint - Who or what am 'I' ?
"..idleness is lonely and demoralizing."
While many would agree with this statement taken from an essay by Paul Graham http://www.paulgraham.com/gap.html , I would challenge all facets of it.... why? or why shouldn't it be? This may be a form of mental gymnastics if you wish to contemplate this... but if you go deeper, it is in fact meaningless, tied to a concept of self, worth, value, dependence and desire.
In this modern day and age we need more idleness, reflection and less business / escapism. Idleness is not 'the Devil's playground'.
Monday, November 20, 2006
Game Over - Insert more credits....
Back in 2004 I texted some friends, family and colleagues after a day of banality, while waiting to board the Jetcat to Manly:
" Today I got no closer to understanding myself, the world or
existence - why am I wasting my time such?"
Since then I have been skirting the edges of that _thought_, looking deeper at other topics and perhaps shrouding it in the career I had chosen for myself - and since then have been trying to understand and fix some of the macro challenges within the construct of IT enabled organisations. I have delved into the inner workings of the industry, looked at and compared other industries.. examined the similarities - the differences, and tried to fully grasp the complexities from 'end-to-end'. Some of the issues are unfortunately ubiquitous in many other industries.... but not necessarily near the level of complexity, naivety, lack of appraisement (data), ignorance, barrier of entry, nefariousness (and related cost of resources for nefarious purposes...) - the list goes on. Don't get me wrong, definitely a fun, playful, yet dangerous and ever evolving 'sandbox?'; a shame most don't get the underlying fact of the quite real and tangible intersection with the physical/natural world, for this 'virtual' world we have created is not virtual at all, but an intrinsic part of our economy, infrastructure and daily life in more ways than the masses can comprehend. Some of the string, glue and sticky tape that holds together certain critical parts of said infrastructure and services constantly amazes me, but that is a rant for another day!
Part of me thought the answer would lie in 'front of house' or in a 'one to many' vendor based relationship... both allowing and facilitating me to grasp much more -> further and faster, if you will.... when in essence this only actually distanced me from the things I believed to be in my control, or which I could influence, extricating me from my first-hand experiences on the battlefield/battlefront. When we introduce the concept of internet time and physics, a fun question may be asked.. what use is a veteran of the 'Battle of Waterloo' in a modern war fought with drones, digital information and weaponry, and the tactics or strategies thus employed?
Note: Here one may counter with quotes from Sun Tzu, but I think you get my point :)
Note II: I am a n00b compared to RFP but he sums up the industry well here.
I have ruminated on going back to academia to study military tactics, history, economics, statistics, computer science ( again ).... as we battle to understand and control the entity that is the internet - and the *new* challenges that go with it, such as new appreciations and understandings of the traditional concepts of physics, time and space trade-offs....things like 'crowdsourcing' and massively distributed computing.. however is this again distancing myself from the coal face? Or just walking the same path over again?
For me, working towards the assurance and overall security of these internet or IP enabled organisations has seemed a noble goal, and I believe still is - the eternal struggle of "good vs evil" (justifiable to oneself through the continued integral enablement and benefits of IT in industry and the global economy etc), but I have, however, been slipping away from myself, my real self, and over-indulging in everything there is in modern society that gently allows us to 'escape' from the reality in which we live. The reality we (or they?) continue to create and mould for ourselves on a daily basis.
I may come full circle. I may not. But right now "life is short" and the answers and questions I seek are not to be generated or answered from within the construct that surrounds me. I am about to embark on a new journey to relinquish the 'I' and to perhaps find the 'We'.. who knows?
All I know is the time is now, the path is unclear.... but I do not fear it anymore!
First things, first though... I need to be with my family.
Friday, November 17, 2006
Machine and service integrity..
What if, instead of worrying about compromised services and data in the short term with fingerprints/hashes of binaries and files, we applied the concept of re-use and cycling to the actual services and machines? Think TKIP rekeying or PFS for IPsec, but at the scale of whole services and machines: a compromise only buys the attacker the current 'key period', never the lifetime of the box.
Think load balanced web servers constantly rebooting from verified images - either sequentially or in some pre-computed pseudo-random pattern - thus bounding the time an attacker has on a box, service or version. I will think more about this, but VMs, load balancing and operational management would require a lot of planning, thought and overhead. Draining a node before it is recycled is the easier part; re-use of TCP connections (TCP multiplexing) is common now in many optimisation/load balancing products.
If, as some in the industry have, you've thrown in the towel on prevention and worry more about compromise, detection and time to restore a machine to a known-good state, then why not take that to its logical conclusion? Almost a macro-level version of what StackGuard/ProPolice canaries and OpenBSD's randomised stack and mmap placement do for a single process: take away the stable layout an attacker relies on for an exploit to work predictably and repeatably.
Let's limit the static state of a live machine (harder for databases and anything that needs synchronisation, though). An interesting thought nonetheless.
Maybe you'd need a farm of diskless head-end servers that the monkeys constantly re-image from a bootable set of flash drives, with the image hash checked before every boot?
No one has addressed the issue of micro-time adequately in Information Security; rather we rely on intractability and macro-time as a defence! Please correct me if I am wrong here...
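To make the rotation idea concrete, here is an added example (my code, not the post's) of a toy scheduler for a load-balanced pool whose nodes are continually re-imaged from a verified image. It assumes a fixed set of node names, a pinned SHA-256 of the known-good image (a stand-in byte string here), and a keyed pseudo-random permutation per epoch so that an outsider cannot predict which node recycles next; all of these are my assumptions. It also computes the worst-case attacker dwell time, which the post does not spell out: round-robin recycling bounds it at N × interval, while the unpredictable order costs up to (2N - 1) × interval because a node can be first in one epoch and last in the next.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed stand-in for the boot image and its pinned known-good digest.
KNOWN_GOOD_IMAGE = b"example-web-image-v1"
KNOWN_GOOD_DIGEST = hashlib.sha256(KNOWN_GOOD_IMAGE).hexdigest()


def image_verified(image: bytes, expected_hex: str = KNOWN_GOOD_DIGEST) -> bool:
    """Gate every re-image on a digest match (constant-time comparison)."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), expected_hex)


def rotation_order(nodes: List[str], key: bytes, epoch: int) -> List[str]:
    """Keyed pseudo-random permutation of the pool for one epoch.

    Sorting nodes by HMAC(key, epoch:node) gives a different order each
    epoch that is unpredictable to anyone without the key (assumed design)."""
    def tag(n: str) -> bytes:
        return hmac.new(key, f"{epoch}:{n}".encode(), hashlib.sha256).digest()
    return sorted(nodes, key=tag)


def schedule(nodes: List[str], key: bytes, epochs: int, interval: int,
             randomised: bool = True) -> List[Tuple[int, str]]:
    """Return (time, node) re-image events.

    One node is recycled every `interval` seconds and every node is
    recycled exactly once per epoch, so only one node is ever out of the
    pool at a time. randomised=False gives plain round-robin."""
    events: List[Tuple[int, str]] = []
    t = 0
    for e in range(epochs):
        order = rotation_order(nodes, key, e) if randomised else list(nodes)
        for n in order:
            events.append((t, n))
            t += interval
    return events


def max_dwell(events: List[Tuple[int, str]]) -> int:
    """Worst-case seconds a foothold on any node survives before that node
    is re-imaged: the largest gap between consecutive recycles of one node."""
    last: Dict[str, int] = {}
    worst = 0
    for t, n in events:
        if n in last:
            worst = max(worst, t - last[n])
        last[n] = t
    return worst


def dwell_bound(n_nodes: int, interval: int, randomised: bool = True) -> int:
    """Analytic bound: N*interval for round-robin; (2N-1)*interval when the
    order is randomised (first position in one epoch, last in the next)."""
    return (2 * n_nodes - 1) * interval if randomised else n_nodes * interval


if __name__ == "__main__":
    pool = ["web1", "web2", "web3", "web4"]
    assert image_verified(KNOWN_GOOD_IMAGE), "refuse to boot an unverified image"
    for mode in (False, True):
        ev = schedule(pool, b"rotation-key", epochs=3, interval=60, randomised=mode)
        print(f"randomised={mode}: max dwell {max_dwell(ev)}s, "
              f"bound {dwell_bound(len(pool), 60, mode)}s")
```

The trade-off the numbers expose is the useful part: unpredictability roughly doubles the worst-case window, so if the goal is purely to cap dwell time, a short round-robin interval beats a clever pattern. Anything with durable state (the databases the post mentions) still needs to live outside the recycled tier.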
Thursday, November 16, 2006
Safety nets?
"There's always going to be a job out there if you're coherent and can put a sentence together."
Thursday, November 09, 2006
Hug the world
Today I was walking down Pitt St. in the centre of Sydney and a hippy'ish looking girl had a big piece of cardboard up above her head with 'Free Hugs' written on it in big letters.
I thought twice about it and then gave her one ;)
Most people were just staring and moving on confused, bemused and shocked. The world needs more hugs. City people don't connect enough. This was the highlight of my day.
The lowlight was that I had to think twice about it.
Saturday, September 02, 2006
Welcome to the interweb my friend!
Organisations with 'open networks' want IPS to police their highways.
Organisations with 'closed/segmented networks' use internal firewalling to restrict passage to flows deemed 'good', but most of the time the rule sets are Swiss cheese!
Organisations are starting to see the benefit of 'extrusion detection', with non-production routed darknets: internal address space that is routed but has no hosts, so anything that talks to it is scanning or already infected.
We need to permit only the good stuff and then enumerate the bad stuff inside the good stuff. How do you define the good stuff when organisations sometimes don't know themselves, don't want to know, or don't care what's on their network? Asset and flow classification is a big, never-ending job! Spotting bad stuff inside good stuff is very hard and very resource intensive.
NetFlow helps. Baselining helps. Anomaly detection helps. Management that understands, cares and accepts the intangible and unquantifiable (metrics?) helps, and experience goes a long way.
Logs help. Note: http://www.loganalysis.org/
http://www.sans.org/resources/top5_logreports.pdf
Assumption: all traffic is good = early internet, facilitating ease of communication.
Currently: lots of internet traffic is bad :(
Current issues: Net Neutrality?
Can we allow a form of QoS and simple economics to dictate the traffic on the internet and the service level it gets?
Can we afford not to?
We cannot trust all the endpoints. Can we trust subsets thereof? A multi-tiered, multi-class internet?
We cannot trust all companies, countries and organisations. That's the way BGP and backbone security of the internet works today. DNS is slightly different but equally susceptible. Funnily enough it ain't _too_ bad!
Notes: Read Barry Greene (BGP) and Dan Kaminsky's (DNS) work for more info. We love Team Cymru too!
No useful global security metrics exist, due to lack of standards, lack of information/incident sharing, lack of cooperation, distributed responsibility, no accountability, and the speed and transition of technologies. Yet the internet is global; the laws of its constituent countries are not. Mind you, http://www.first.org/ is leading the way.
Constantly enumerating bad stuff is self-defeating. Marcus Ranum puts this eloquently in his 'The Six Dumbest Ideas in Computer Security' essay.
Enumerating good stuff and blocking *everything* else, or relegating it to a lower class of service, works. It may only be feasible on enterprise networks, though, and with managed endpoints. More so in the future, QoS will be done per binary/app/data-object.
The internet is full of unmanaged endpoints and 'unmanaged' users. The internet is full of managed and 'unmanaged' coders.
The internet still works and is resilient due to its 'loose coupling' and the civic duty of its technorati.
Note: However, BGP reachability was severely affected by SQL Slammer; some backbone routers lost 3-4+% of their internet table via route withdrawals.
Answers: I'm working on it. For the moment enjoy your privileged packet freedom!
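Here is an added example (my code, not the post's) that puts "permit only the good stuff, then enumerate the bad stuff inside the good stuff" together with the darknet and baselining points above, run over constructed NetFlow-style records. The allowlist of (src net, dst net, proto, port) tuples, the 10.99.0.0/16 darknet prefix and all flow records are made up for the example; the baseline is a per (dst, proto, port) mean and standard deviation of bytes per flow. Verdicts are ordered so that a darknet hit wins over everything, an allowlist miss is denied outright, and only allowed traffic is measured against its baseline.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Internal address space that is routed but has no hosts; any flow aimed at
# it is a scan or a worm looking for neighbours (assumed prefix).
DARKNET = ipaddress.ip_network("10.99.0.0/16")

# The enumerated "good stuff": (src_net, dst_net, proto, dport). Made up for
# the example; a real list comes out of asset and flow classification.
ALLOW = [
    ("10.1.0.0/16", "10.2.0.10/32", "tcp", 443),   # clients -> internal web
    ("10.2.0.10/32", "10.3.0.5/32", "tcp", 5432),  # web -> database
    ("10.1.0.0/16", "10.0.0.53/32", "udp", 53),    # clients -> resolver
]
ALLOW_NETS = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p, port)
              for s, d, p, port in ALLOW]


def flow(src, dst, proto, dport, nbytes):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "bytes": nbytes}


# Constructed baseline period: normal traffic only.
HISTORY = (
    [flow(f"10.1.5.{i}", "10.2.0.10", "tcp", 443, 5000 + 100 * (i % 5)) for i in range(20)]
    + [flow("10.2.0.10", "10.3.0.5", "tcp", 5432, 20000 + 500 * i) for i in range(10)]
    + [flow(f"10.1.5.{i}", "10.0.0.53", "udp", 53, 200) for i in range(10)]
)

# Constructed "today": two normal flows, a scan into the darknet, a client
# going straight to the database, the web server phoning out to IRC, and a
# bulk pull from the database that is allowed but far above baseline.
CURRENT = [
    flow("10.1.5.7", "10.2.0.10", "tcp", 443, 5000),
    flow("10.1.5.7", "10.0.0.53", "udp", 53, 180),
    flow("10.1.5.9", "10.99.3.4", "tcp", 445, 120),
    flow("10.1.5.7", "10.3.0.5", "tcp", 5432, 3000),
    flow("10.2.0.10", "203.0.113.9", "tcp", 6667, 500),
    flow("10.2.0.10", "10.3.0.5", "tcp", 5432, 900000),
]


def classify(f):
    """Default deny: darknet hits first, then anything not explicitly allowed."""
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    if dst in DARKNET:
        return "darknet"
    for s_net, d_net, proto, port in ALLOW_NETS:
        if src in s_net and dst in d_net and f["proto"] == proto and f["dport"] == port:
            return "allowed"
    return "denied"


def build_baseline(history):
    """Per (dst, proto, dport): mean and population stdev of bytes per flow."""
    buckets = defaultdict(list)
    for f in history:
        buckets[(f["dst"], f["proto"], f["dport"])].append(f["bytes"])
    return {k: (mean(v), pstdev(v)) for k, v in buckets.items()}


def is_anomalous(f, baseline, k=3.0):
    """Bad stuff inside good stuff: an allowed flow far above its baseline.
    A service never seen in the baseline is flagged too; the 10% floor keeps
    a zero stdev from flagging every tiny fluctuation."""
    key = (f["dst"], f["proto"], f["dport"])
    if key not in baseline:
        return True
    mu, sd = baseline[key]
    return f["bytes"] > mu + max(k * sd, 0.1 * mu)


def triage(history, current, k=3.0):
    """Sort current flows into darknet / denied / anomalous / ok buckets."""
    base = build_baseline(history)
    out = {"darknet": [], "denied": [], "anomalous": [], "ok": []}
    for f in current:
        verdict = classify(f)
        if verdict == "allowed":
            verdict = "anomalous" if is_anomalous(f, base, k) else "ok"
        out[verdict].append(f)
    return out


if __name__ == "__main__":
    for verdict, flows in triage(HISTORY, CURRENT).items():
        for f in flows:
            print(f"{verdict:9s} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} {f['bytes']}B")
```

The denied bucket is where the allowlist earns its keep (a client talking straight to the database, a web server opening an outbound IRC session), the darknet bucket is the cheap extrusion-detection signal, and the anomalous bucket is the expensive part the post warns about: the 900 kB pull is entirely "good" by the rules and only stands out against a baseline.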