May 3, 2008

Fasilyce, upon Reading

(Posted by adam)
Dear Mr. Banks,

Much as I enjoy your work, it is entirely dis-congruous to your readers to insert words known to neither the Oxford English Dictionary nor the internet (as indexed here, here or here) whose meanings are not rapidly comprehensible.

Thank you for your future attention to this matter.

I remain, etc, etc.

Posted by adam on May 3, 2008 at 1:39 PM in books.

April 30, 2008

Bush's Law -- Less Safe, Less Free

(Posted by adam)
I'd like to review two recent books on the war on terror: "Bush's Law: The Remaking of American Justice" by Eric Lichtblau, and "Less Safe, Less Free: Why America Is Losing the War on Terror" by David Cole and Jules Lobel. Both are well-written assaults on the way in which the Bush administration is conducting itself, although each takes a tack aligned with the authors' backgrounds and histories. Lichtblau is a reporter, currently for the New York Times, and Cole and Lobel are law professors.

Bush's Law is an extended view into some of the major stories that Lichtblau has covered. Included are the NSA's warrantless wiretapping, the SWIFT following of the money, and the Comey/Ashcroft hospital story. Even as someone who follows these stories fairly closely, I still learned quite a bit: some of it new, some not previously reported, and all of it better organized and more readable than in the newspaper. The theme that emerges from Bush's Law is one of secrecy, and the conflict which a free society faces when repeatedly begged to "trust us" by an administration which seems not to understand how its actions undermine trust.

The undermining of trust is also a major theme of Less Safe, Less Free. Before getting into the meat of the book, let me say that this is law professor writing at its best. It's clear and compelling, and the notes are at the end. They lay out a strong case that the Bush administration's concept of how to engage with the world is, at its core, preventative rather than reactive. In theory, this seems like a great plan. In practice, Cole and Lobel show how it inevitably undermines the concepts of justice on which our society is founded, as well as our reputation with the rest of the world. That is, it is not merely a practical failure; it was inevitably going to be a practical failure. Predictions are hard, especially about the future. Reasonable people may disagree on the reasonableness of a preventative action. The difficulty of reaching proof "beyond a reasonable doubt" about what would have happened undermines the legitimacy of claims about the future.

The essence of their argument is that prevention, be it preventative war, such as in Iraq, or preventative law enforcement, such as in the justice system, always requires the showing of evidence. You can't simply detain someone because they might in the future commit a crime. In a court, no single body acts as judge, jury and executioner. Each party gets their day in court, with an opportunity to examine the evidence against them. These things are impossible in the preventative paradigm. Not only are sources and methods secret (sometimes with good reason), but the evidence is often lacking. In the case of war, the court is, in many places, that of public opinion. They also show a plethora of historical cases where preventative war went horribly wrong, and relate preventative war to a set of regimes with which no reasonable person wants to be associated.

The core reason that we demand that justice be reactive, or, at its fastest, act at the instant of a crime, is that we rightfully fear the powers we invest in our government. It is a mighty and fearsome machine which can crush anything in its path. When it is allowed to do so, we are all less safe, and less free.

Two asides: I paid for both books, and I love the endnote style (page number, excerpt, note) used in Bush's Law.

Posted by adam on April 30, 2008 at 1:10 AM in books.

April 27, 2008

Good problems to have

(Posted by adam)
You don't have much credibility looking for a publisher for a book on rum when you're sailing in the Caribbean drinking the best rums you can find in the name of research. Most people just didn't take me seriously that there was even a need for a book on rum. It took quite a while to get things rolling.
See the Ministry of Rum FAQ.

Posted by adam on April 27, 2008 at 2:44 PM in Amusements, books.

April 22, 2008

More New School Reviews

(Posted by adam)
Gary McGraw says buy it for the cover:
The New School of Information Security is a book worth buying for the cover alone. I know of no other computer security book with a Kandinski on the front. Even though I know Adam Shostack from way back (and never could have predicted that he would become a Microsoft guy), I saw his book at RSA, bought it for the cover, and only then discovered that he was the author! My plan was to give the book to a good friend who I know is a huge Kandinski fan. On the way to complete that errand, I had a chance to look through the book and now I need a copy of my own! If you're a follower of the economics of security school (which Ross and Bruce Schneier have helped spearhead), you'll like this book. (Gary McGraw)
while Ben Rothke says buy it for what's in between:
The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.

...
Let's hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same. (Ben Rothke's review on Slashdot)

Thanks very much for the awesome review, Ben!

Posted by adam on April 22, 2008 at 11:55 AM in 'The New School', books.

March 29, 2008

Dan Solove's books free and online

(Posted by adam)
Dan Solove has put his two current books, "The Future of Reputation" and "The Digital Person" online for free.

I've felt bad in not reviewing The Future of Reputation, because I really enjoyed it, and have been trying to figure out what to say. Solove does a great job of surveying reputation in its many forms, and offering up an interesting framework for making tradeoffs about how to manage some of the costs and benefits of being able to speak freely about people online.

Check them out!

Posted by adam on March 29, 2008 at 9:26 AM in books.

March 12, 2008

Dan Geer: Economics and Strategies of Data Security

(Posted by adam)
Speaking of books:
This book explores the dramatic shift from infrastructure protection to information protection, explaining why data security is critical to business today. It describes how implementing successful data security solutions across sophisticated global organizations requires a new data-centric, risk based and strategic approach, and defines the concepts and economics of a sound data security strategy.
Order "Economics and Strategies of Data Security" from the Verdasys website.

Posted by adam on March 12, 2008 at 12:07 PM in books.

March 10, 2008

The New School of Information Security

(Posted by adam)
A few days ago, we turned in the very last edits to The New School of Information Security to Addison-Wesley.

My co-author, Andrew Stewart, and I are both really excited. The New School is a systemic look at dysfunction within information security, and at some of the ways people are trying to make things better. We think there's an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn't just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new sources of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

Incidentally, this isn't an official project for either of us. (We wouldn't want anyone to get confused about who gets the credit or blame.)

Posted by adam on March 10, 2008 at 12:21 AM in 'The New School', books.

February 12, 2008

Scott Page's The Difference

(Posted by adam)
A lot of people think of calls for diversity as fuzzy-headed liberalism at its worst. If you're one of them, please keep reading. Or you could just buy Scott Page's book and read that, which is what I'd like to convince you to do.

This is a book about problem solving. Page starts with a set of observations about how we see the world, and how different people bring different approaches and perspectives to the same problem. His approach is mathematically grounded, although you can skip the math or delve into it. He talks about how bringing different perspectives, heuristics, interpretations and predictive models to a problem can produce super-additive results, as one person helps another overcome blockers.

From there, he looks at how groups compare to experts, and at those situations where a group will do better than an expert, even when no member of the group is as sophisticated or broad as the expert. He also looks at those places where averaging over the crowd can get you better results: if the perspectives are different (and relevant), then a crowd may well have a more intricate model than any one expert.

He also talks about the difference between instrumental and fundamental preferences ("we should walk to the park" versus "we should bike to the park," as against "we should go to the park" versus "we should go to the movies"), and how diversity in the latter doesn't always lead to better results.

He doesn't make the point that such fundamental diversity of preferences should lead us to prefer liberty. I'm somewhat surprised by this, because it ties to his main points so well. If we want very different things, then we gain a lot by allowing people to make their own choices: some good, some bad, but reducing coordination costs.

It's been a fascinating read, and I think it will have substantial long-term impact on my thinking. Thanks to Jon Pincus for the pointer. Also, I've decided to experiment a bit with Amazon affiliate links, and wanted to disclose that before Threat Level got revenge.

Posted by adam on February 12, 2008 at 10:58 AM in books.

February 4, 2008

Computer Capers and Progress

(Posted by adam)
We're coming up on the 30th anniversary of the publication of "Computer Capers: Tales of electronic thievery, embezzlement, and fraud," by Thomas Whiteside.

What, you might ask, can we learn from a 30-year-old text?

Nothing has changed.

Except for some of the names. Donn Parker is in there, as are a melange of consultants. But read this:

As the result of such revelations of security weaknesses in IRS computer systems--and, in particular, the critical [date] GAO report--the commissioner of the IRS, while conceding that the IRS had not been as aggressive in the past as it might have been in correcting situations that potentially weakened its overall security, declared that he is committing the IRS to a "vigorous course of improvement" in the management of computerized tax data in order to assure the maximum security for information on taxpayers. (p. 71 of the paperback)
That was in 1977. Compare and contrast this 2008 Associated Press article:
IRS records, including taxpayer information, are vulnerable to tampering or disclosure because it has not yet fixed dozens of information security weaknesses, according to a government report issued Tuesday.

The existing problems, the GAO said, included giving too many people access to sensitive material, failure to encrypt all sensitive data and weak physical security controls.

...

Acting IRS Commissioner Linda Stiff, in response to the report, wrote that the agency recognizes "there is significant work to be accomplished to address our information security deficiencies and we are taking aggressive steps to correct previously reported weaknesses." (Associated Press, 2008, "Report Cites IRS Security Flaws")

I could go on about the similarities with what's in Computer Capers. Oh, ok, one more:
Top management people in large corporations fear that publicity about internal fraud could well affect their companies' trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil... (Computer Capers, page 72)
I could go on quoting, but can we as a profession go on making the same mistakes?

The fetishization of secrecy has got to stop, or in thirty years, we'll be looking back at the same problems.

Posted by adam on February 4, 2008 at 11:52 AM in books, information security.