“The best evidence shows that teaching kids to drink responsibly is better than shutting them off entirely from it,” he told me. “You want to introduce your kids to it, and get across the point that this is to be enjoyed but not abused.”
What is the evidence? In 1983, Dr. George E. Vaillant, a professor of psychiatry at Harvard University, published “The Natural History of Alcoholism,” a landmark work that drew on a 40-year survey of hundreds of men in Boston and Cambridge.
Ironically, the Times decided to ask their readers: "Do you think teenagers drinking wine with their parents at home encourages reckless drinking or more responsible habits with alcohol later in life?" See the sidebar. Without any disrespect to people reading the Times, why would we care what they think about this? We have evidence of what really happens. Why not ask "Why do you think we can't fix a broken law?" or "Would you vote for a candidate who promised to fix these laws?"...
Relatedly, Adam Barr wrote:
I saw an article today about how the Smart ForTwo (that tiny car you see around) had earned top marks in safety tests conducted by the Insurance Institute for Highway Safety. Despite this, the Institute decided to disqualify the car from potentially earning its "Top Safety Pick" designation because it is just too dang small. "All things being equal in safety, bigger and heavier is always better," says the president of the Institute. ("Things that Everybody Knows.")
Experts are experts because they have data and the tools to analyze them. That's why we listen to them. When did we become so resistant to science?
“It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was a death sentence, professionally and socially.”
She added, “We are hoping to change all that by talking.”
...
Participants write and distribute publications, stage community talks, trade strategies for staying well and often share duties like cooking or shopping....
Many psychiatrists now recognize that patients’ candid discussions of their experiences can help their recoveries. “Problems are created when people don’t talk to each other,” said Dr. Robert W. Buchanan, the chief of the Outpatient Research Program at the Maryland Psychiatric Research Center. “It’s critical to have an open conversation.”
Call me crazy, but I think these folks might be onto something. Learning about coping strategies from one another? Testing what works and what doesn't, and reporting on it? Maybe "we were broken into" isn't the most embarrassing thing you can say in public.
"Let's play 'airport security'," says Foreign Policy. It's like playing Doctor, only with latex gloves and inappropriate touching.
In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we've developed a new play and learning toy and resource web site to promote and educate security procedures.
It's not really clear who "we" refers to here. The operationcheckpoint.com site also refers to "SampleRewards.com." That sounds like the sort of pliable marketing channel who'll sell anything for a buck, so maybe it's not them who's really behind this thing. OperationCheckpoint has four different names on a single landing page. (OperationCheckpoint, SampleRewards.com, Wizard Industries and Product Exposure Services.) If only we had ID for the forces of evil. Maybe these guys could carry sample National ID cards, and kid's tattoo guns, too.
Previously, "From the mouths of toymakers:"
Frans Osinga's book on Boyd, "Science, Strategy and War: The Strategic Theory of John Boyd" has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price.
Science, Strategy and War is an academic analysis of John Boyd's thinking and its origin. It may not be as good an introduction as Coram's book, but it goes into far more detail about the theories he put forth, challenges narrow views of them, and provides a degree of academic respectability the work hasn't previously had.
Via Global Guerrillas.

Portuguese seafarer Christopher de Mendonca led a fleet of four ships into Botany Bay in 1522. No one noticed before because the map was oriented wrong when it was copied. This is a nice article from news.com.au.
I've been meaning to blog about "The Far Enemy: Why Jihad Went Global" by Fawaz Georges for quite some time. The book is a fascinating look at the internal debates of the various Jihadist sub-groups, and takes its title from an argument over targeting the "near enemy," or local government, or the "far enemy," the United States. Georges is clearly deeply immersed in Jihadist debate, and traces much of the history and character of those debates.
It was a deeply challenging read, on several levels. First, Georges' orientation is so close to the Jihadists that he offers up distinctions which seem like the splitting of the thinnest hairs. He also seems to express sympathies for the jihadist movement in sentences like "At this stage, it is difficult to see how and if jihadis will ever be able to rescue their movement from terminal decline and decay." In other places, he refers to the murder of civilians as "military operations." In yet others, he made important assertions that I would have liked to see explored, and simply followed them with "suffice it to say."
However, understanding the orientation of the enemy is important. It allows you to select actions to constrain the enemy's responses. The Far Enemy expanded my understanding of Jihadist orientation.
Before digging into one of those arguments, I'll be clear that I'm not an expert on this, and am restating Georges' argument. There is an assertion, put forth by a set of Jihadists in the 50s and 60s, that jihad is not only a collective responsibility, but an individual one. There is also the assertion that anyone witnessing great injustice may call for Jihad, without the full support of the clergy. This is (apparently) at odds with more traditional jurisprudence, which requires the clergy to call for jihad.
Thus when reading Jonathan Rauch's article "A War on Jihadism," I was surprised to see this:
"I think defining who the enemy is is a real problem in this war," says Mary Habeck, a military historian at the Johns Hopkins University School of Advanced International Studies. "If you can't define who's a real threat and who's just exercising free speech, it's a problem." As it happens, Habeck is the author of one of three new books that, taken together, suggest the time is right to name the battle. It is a war on jihadism.
If it is actually the case that an individual, such as Osama bin Laden, or Zawahiri, cannot declare jihad on his own, then that seems part of a reasonable basis on which to decide who is a threat, and who is exercising free speech.
This test is not so bright-line as I would like. What to do with those who claim that jihad is a personal responsibility, that an individual may call for it, and that whatever provocations exist are not enough to justify such a call?
One of the basic precepts of the nation state system, which distinguishes it from predecessor systems, is that the state has a monopoly on violence, and uses that violence in furtherance of policy, not personal, aims.
Such a distinction also fails to address (say) the Iranian death sentence on Salman Rushdie, or their President's call to wipe Israel off the map. But it seems essential, as part of preserving the nation-state system, to assert that individuals may not invoke armed struggle, and this is an enemy which nation states can rally to fight.
Of course, actually bothering to fight an individual lowers the state to a smaller, less grandiose level, but that seems unavoidable.
[Update: Don't miss the closely related "Area Islamic Militant All Talk," at The Onion Radio News.]
When Larry Ellison said "We have the security problem solved," a lot of jaws dropped. A lot of people disagree strongly with that claim. (Ed Moyle has some good articles: "Oracle's Hubris: Punishment is Coming," "Oracle to World: 'Security Mission Accomplished...'") That level of dripping sarcasm is fairly widespread amongst the security experts I talk to, based on their technical evaluations of Oracle's promises and delivery.
Dave Litchfield actually explained it to me. Let me say that again, because I've been told that David Litchfield isn't liked in certain neighborhoods of Redwood Shores. I can't understand why. David explained that Oracle is using "security" in a specific way, which is to say that they have certifications and processes that their customers care about. That Oracle is speaking to their customers at the executive level, not the security or technology level. The way they use security is just as correct as the way in which I use security, and means quite different things. [Updated for clarity.]
I should have seen this sooner. I've spoken extensively about how privacy has many meanings, and the same is true of security. I regularly discuss Boyd's concept of orientation, and even have a category for it.
The picture? Suruga Bay, from Hiroshige's 36 Views of Mt. Fuji.
In a jargon-rich yet readable essay ("Cryptographic Commitments"), David Molnar discusses the assumptions that he brings to his work as a cryptographer. It's fascinating to me to see someone lay out the assumptions portion of their orientation like this, and I think readers can ignore the specifics and get a lot out of the essay. Some tidbits:
In particular, I've noticed that I make certain assumptions about the world when I set up a problem. These assumptions are what make it possible for me to map a messy real-world problem into a model where I can apply the tools I have to solve the problem. You might call these philosophical commitments. I'm at the point where these cryptographic "commitments" seem so natural to me that it's a shock when I run across technical work that makes different assumptions.
- Everything in sight is an (efficient) algorithm. Efficient, in turn, means probabilistic polynomial time. If we have a problem where Alice and Bob communicate, but they want to prevent Eve from listening in, then Alice and Bob are going to "be" probabilistic polynomial time Turing Machines or possibly families of polynomial-size circuits. Eve might be allowed arbitrarily large running time, but in any case Eve is an algorithm, and one not known to Alice and Bob (or me) in advance.
...Possibly more subtle is this example: suppose we have two theories as to why, say, real estate prices are still so high in the Bay Area after the end of dot-com boom. Theory A implicitly or explicitly requires homebuyers to solve a problem that will take them 2^(2^100) steps. Theory B does not. From my point of view, theory A will be difficult to believe, regardless of how well it performs on other criteria, such as predicting real home prices.
The issue of Alice and Bob being replaced by their representations is one that I touched on in the previous post, "Identity is Hard, Let's go Shopping."
A final comment, on Robb's final point: "It is impossible to discern the motives of this movement until it fully matures." I see no reason to believe such a movement ever 'fully matures.' As long as these principles are followed, the organization will continue to change for as long as the external factors which reward cooperation exist. When those factors no longer exist, it will both stagnate and fragment, and those who consciously apply the rules will emerge elsewhere.

The study, which followed more than 1,300 adults over 2 years, found that those who consistently used a mobile phone or pager throughout the study period were more likely to report negative "spillover" between work and home life -- and, in turn, less satisfaction with their family life.
From "Cell phones tied to family tension," via SmartphoneThoughts, who asks a good question about the implication--that this sounds like it's tied to cell phones but not computers. It turns out that the article sounds like it addresses the question. The article is "Blurring Boundaries? Linking Technology Use, Spillover, Individual Distress, and Family Satisfaction" in the December 2005 Journal of Marriage and Family. I say it sounds like it answers the question because the article is $38.36, plus taxes. No word on if your taxes paid for the research or the abstract:
Information technology is entrenched in everyday life; yet, scholars have not firmly established whether this use blesses or vexes individuals and their families. This study analyzes longitudinal data (N = 1,367) from the Cornell Couples and Careers Study to assess whether increases in spillover explain changes in distress and family satisfaction associated with technology use. Structural equation models indicate that cell phone use over time (but not computer use) is associated with increases in negative forms of spillover (positive spillover is not significant) and is linked to increased distress and lower family satisfaction. Overall, the evidence suggests that technology use may be blurring work/family boundaries with negative consequences for working people.
I find this to be fascinating, because as more and more new things flow into the market, and they're used in new and innovative ways, new possibilities open up. Precision online package tracking is made possible by radios that are very similar to mobile phones. There are downsides, too. That same technology can be used to track people. As the rate of change increases, our ability to integrate change into our lives and agree on new social norms doesn't always keep up. Witness people having inappropriate conversations on their cell phones, and the stress people feel witnessing those conversations, and feeling it rude to interrupt. Twenty years after mobile phones were introduced, we're still trying to sort out the social mores which should surround them. Those mores have changed substantially as nalle (yuppie teddy bears) have come down in price to where the formerly scornful could become addicted to them. I hope and expect that the mores of accepting a call in the middle of a conversation will continue to shift to something approximating politeness.
More broadly, cell phones are one of a great many new technologies around which mores are unsettled. New technologies have costs and benefits which aren't 'perfectly' distributed to those who bear the costs. Another example is the use and abuse of data about people by government agencies:
Last night Oliver Heald, the shadow constitutional affairs secretary, said: "There is growing concern among the public about Labour's use of invasive 'Big Brother' computer databases - without transparency or clear backing from the public - such as for the forthcoming council tax revaluation.
"I believe local residents will be alarmed at the further prospect of town hall bureaucrats being told to investigate people's homes for ID cards, backed up with the threat of thousand-pound fines." (From "No identity card? You could be fined £2,500.")
I think that the personal privacy aspects of this are the only part that Toffler didn't talk about in "Future Shock" thirty years ago. These are hard problems. They lead to people being disaffected and adrift. (On which topic, be sure to read John Perry Barlow's "Here and Now in the Floating World.")
Disaffected and adrift seems to be a fine description of this post as well. It had a point when I started it. Then chaos happened, and I'm powerless to do anything but say that the cute kid is from Kaiser T, on Flickr, and hope. [Update: Oooh, and I could spell 'modernity' correctly.]
None of these views, by themselves are adequate. The combination of horizontal and vertical views is what yields the most accurate picture. Obviously, iteration is the only way to work towards that. Adam's brilliant suggestion? OODA Loops.
I think there's some misunderstanding here. First, I don't understand what Gunnar means by 'horizontal' and 'vertical' views. Secondly, I'm not actually suggesting OODA loops as a means of advancing. Being intelligent about our choice of things to observe and how to interpret our observations is essential, and much harder than it seems.
A project I'm working on has an aspect I call "the jell-o slicing problem." That is, there are lots of valid ways to slice jell-o. None of them are obviously more valid than all the others, but many of them are obviously more valid than some others. Some of the original project descriptions were broad and aspired to really great things. Things that we've been meaning to get to for quite some time. Choosing what to observe and how to measure those observations is causing us much grief.
I think there is probably a simple set of things that we can look at to increase assurance. I think most people probably think so, and when we start digging in, in forums like "build security in" and the NIST/DHS SAMATE project, we realize just how divergent, chaotic, and different our views are.
As I finished this, I see that Gunnar has another article, "Assurance Techniques Review." I'll respond in a bit.
As used by John Boyd, orientation is the interaction of cultural traditions, genetic heritage, new information, previous experience, and analysis and synthesis, all of which filter new information as decisions are being made. Understanding the orientation of a person or organization is a powerful way to predict how they will act in response to new circumstances. Orientation is shaped by cultural tradition and experiences. Orientation is often presented as part of the Observe, Orient, Decide, Act (OODA) loop. The OODA loop is often seen as a tactical one, but Boyd discussed it on all levels, from a knife fight to grand strategy. I am using orientation in that broad sense here, and will assign labels, grossly oversimplified, to three of them.
I realize after I wrote this that all three of the people I'm quoting here are vastly smarter than perhaps I imply. My goal is not to attack any of them, but to contrast some of the background which informs their approaches. To draw out this contrast, I quote a little unfairly.
After the break, a bit of inside baseball on security orientations.
When will we be secure? Nobody knows for sure - but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customers' stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use.
This is a stunning set of claims. Snow is asserting that commercial security products aren't good enough to be used. Clearly, products are good enough to be used. Commercial organizations decide to devote their scarce resources to them, rather than other things. So there is a very important sense in which today's products are plenty appropriate for use. Snow makes a set of comments about emerging threats which he believes (and I agree) will demonstrate that today's products are insufficient. Those threats, generally organized crime, use techniques such as phishing, malware and rootkits to implement schemes such as identity theft and other forms of fraud. Our defenses are struggling to keep up.
The approach makes lots of sense from a historical perspective, and also from the agencies that do security deeply. They wish the commercial world would slow down and stop building so many features that keep distracting their captive agencies from security. This is slightly unfair to Snow, who also says:
Many vendors tell me that users are not willing to pay for assurance in commercial security products; I would remind you that Toyota and Honda penetrated U.S. markets in the 70's by differentiating themselves from other brands by improving reliability and quality!
Gunnar Peterson has some good thoughts on the Snow paper in "The Road to Assurance." One final comment: All the assurance in the world won't fix liability transfers.
Coming back to audit "random" closed source code after having worked on MS binaries is a bit like auditing a "random" open-source project after having spent time on well-audited bits of OpenSSH. You're surprised that things can be so easy.
(From Halvar Flake, "Microsoft Is Moving GUI Code.") I don't want to peg Halvar as a pure example of the hacker orientation. The sentence preceding my quote includes the phrase "operate under market conditions and thus can't pump a few billion into security." But his willingness to do deep audits, and his inability to actually come out and either praise Microsoft or admit that any product's security is actually any good are deep, deep orientation.
Incidentally, I've been meaning to mention that Halvar is blogging at "ADD / XOR / ROL," and I've added him to the blogroll, thanks to the Matasano folks. As you may know, I keep my blogroll very short, and urge you to read all of them.
Having spent some time pondering this question - why so few people ask whether products are secure - I've actually taken the liberty of assembling a list of 13 potential responses.
- People assume the vendor takes care of it. When buying a new car, I don't ask about the engineering processes used in the design; I assume Ford or Toyota knows more about how to design cars than I do. Why should the purchaser of software be responsible for asking how secure it is?
- They don't know that they should ask. Some IT organizations (even in large companies) lack a dedicated internal security staff; instead, security is one aspect of everyone's job. No one person has enough background to know what to ask, or how to make sense of the answers.
...
Over at Volokh, Orin Kerr has a beautiful analogy which illustrates orientation issues in reading Supreme Court cases. By orientation, I mean the sum of cultural, educational, and training experience that come together to influence the way people interpret the things they observe. (In other words, what Boyd meant.) Kerr writes (emphasis mine):
I think Pearlstein misses the point. The real issue isn't sovereignty, but the culture wars. The Supreme Court's citations to foreign law have appeared in highly controversial cases at the heart of a national sociopolitical divide between (for lack of better labels) social conservativism and modern liberalism.
...it is a reflection of cultural association, an indication that at least some Justices envision themselves as part of a community that happens to be strongly identified with one side of these highly contested debates.
...If you're unpersuaded, try this experiment. Imagine that instead of citing foreign law in its decisions, the conservative majority on the Court started citing to and discussing the Bible. In particular, let's imagine that Roper v. Simmons had come out the other way, and that Justice Kennedy's opinion for the Court upholding the death penalty for 16 and 17 year olds had contained the following passage:
Our determination that the death penalty is proper punishment for offenders under 18 finds confirmation in the fact that such punishment is recognized in the Judeo-Christian Bible. The Bible repeatedly requires capital punishment for many offenses, and nowhere limits this punishment to those 18 years of age. See, e.g., Leviticus 24:17 ("He that killeth any man shall surely be put to death.")...
More and more, I find myself using the idea of orientation as a way to evaluate disputes and disagreements between myself and others. I try to respond to the question of "Why is he being so stupid" with the question "What's the orientation difference that leads to this disagreement?" (Yes, that comes before "Is there one," because I find there usually is in emotional disagreements.)
It doesn't always work: Sometimes disagreements are real, over real bits. But much of the time, I find they split on views of privacy or liberty, or in the technical world, Windows folks vs. Unix folks.