April 16, 2008

Congratulations to the CVE team!

(Posted by adam)
The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.
See the CVE News page. I remember proposing that we have a CVE-1. I'm tremendously proud to have helped get such a useful thing off the ground, and really happy for the CVE team.

Posted by adam on April 16, 2008 at 11:47 PM in Taxonomies, information security.

March 21, 2007

From the Heresy Desk

(Posted by mordaxus)
Theatre Security

Before Bruce Schneier started using the term, "Security Theatre" was a term I heard from what I call Real Security People. I was designing a security-oriented NOC, and I interviewed people who built secure sites for a couple of governments, banks, and others. They said that what The Adversary thinks you can do is more important than what you can do. I was told that perception is the majority of security: "Maybe not two-thirds, but definitely more than half." As the team built the system, we took this to heart, which made it more fun, at the very least. But I also heard from someone I know who nmapped our system and received an nmap in return that he decided it wasn't a good idea to go further. In that case, at least, the security theatre worked.

We also used a bit of security-through-obscurity. We tweaked some of our network protocols so that they were merely incompatible with the off-the-shelf stuff. Our protocol banners lied. We particularly enjoyed having them declare that they were known vulnerable in odd ways. It was at least informative that the random attacks that came by were not tailored. No one ever tried Sparc vulnerabilities on that server claiming to be SunOS 4 with Bind 3. They hit it with the Windows buffer overflows anyway. That was disappointing, but we also learned an important lesson -- the only people who care what your banners say are the good guys. The bad guys find it more economical to just spray you with whatever exploits they have in their bag of tricks. Or at least most of the bad guys.

Security through obscurity has gotten a bad rep in part because there are people who think that merely being obscure is being secure. There are also people who think that a mediocre security system can be made secure by being obscure. If, however, you start with good security and then put a bit of obscurity on top, it's a bonus. Think of security as armor and obscurity as camouflage. Camouflage is not armor; obscurity is not security. People who tell you it is are trying to sell you something. However, if an attacker is faced with armored things that are also camouflaged, their job is harder. If you back up the camouflage with good log analysis, then you can take the element of surprise away from the attacker. The total effect is good security theatre, a theatre that might result in deterrence. Just be honest about it, especially to yourself. If the attacker discovers you have no armor behind the camouflage, then you have a well-prepared opponent.

There are other reasons to eschew obscurity. It isn't scalable, and it doesn't lead to market solutions. You can't shop around for the best obscurity. The notion of a global secret is somewhere between ironic and silly. This is why DRM systems don't work against determined attackers. However, not everything needs to be open, scalable, and market-driven. If you are building a system that is closed, proprietary, and local (such as the secure NOC I was working on), obscurity can be a valuable spice in the dish that makes a tasty meal tastier.

We are also seeing changes in the threat model that justify a revision in our defense model. A few years ago, the attackers were using broadcast attacks. They didn't look at the lies we told them because they were unskilled attackers throwing all the handy exploits they had. They wouldn't see embarrassments that didn't fit their model. I have a story about that I'll post soon.

The trend in attacks is that they are becoming slow, targeted, and with a clear goal -- money. They also want not only to succeed, but to succeed undetected. A measure that increases the attacker's uncertainty increases the attacker's risk of being caught.

Here's an informal example. Suppose I divide my system into an external "red" network and an internal "black" network. All connections use TLS with AES-256, but on the black network, we are not using standard AES, we're using a modified AES that real cryptographers agree is as secure, just incompatible with AES; call it AEN for Advanced Encryption Non-standard. Cryptographers have a formal notion of this that they call "family keys." AEN is my spice. On the black network, you're expected to use AEN. We just compiled it into OpenSSL where AES was supposed to be. The resulting system is just as secure as one that uses AES everywhere, but has this extra little twist. It makes the attacker's job harder, and makes our job of detecting an attack easier. It has costs, of course, which you can think of as well as I can. But in my system, which is not only closed, but I want to be closed, they're not bad costs to pay. Even better, if I publicize that I've done this, I might convince an attacker to target someone else.
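Here is the family-key idea from the paragraph above, together with the earlier point about backing camouflage with log analysis, as an added example; it is not code from the original post. It uses an HMAC-SHA256 keystream and tag as a toy stand-in for the AES-based TLS record layer (it is not AES and is not a cipher to deploy), and the names `family_key`, `seal`, `unseal` and `black_network_receive`, along with the sample keys and nonce, are constructed for the example. What it shows is the detection side of the bargain: a message that authenticates under the plain session key but fails under the family-keyed one came from something that holds the session key yet was never built for the black network, which is exactly the event that should go to the logs rather than be silently dropped.

```python
import hashlib
import hmac
from typing import Optional, Tuple

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to each message


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Stand-in for AES, not AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def family_key(session_key: bytes, family_secret: Optional[bytes]) -> bytes:
    """Standard peers use the negotiated session key as-is.

    Black-network peers fold a site-wide family secret into it, so the same
    session key yields a different working key: the "AEN" of the post.
    """
    if family_secret is None:
        return session_key
    return hmac.new(family_secret, session_key, hashlib.sha256).digest()


def seal(session_key: bytes, family_secret: Optional[bytes], nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a message under the (possibly family-keyed) session key."""
    k = family_key(session_key, family_secret)
    ks = _keystream(k, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, ks))
    tag = hmac.new(k, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(session_key: bytes, family_secret: Optional[bytes], nonce: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag and decrypt; return None on any authentication failure."""
    if len(blob) < TAG_LEN:
        return None
    k = family_key(session_key, family_secret)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(k, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, ks))


def black_network_receive(session_key: bytes, family_secret: bytes, nonce: bytes, blob: bytes) -> Tuple[Optional[bytes], str]:
    """Receive on the black network; the verdict string is what log analysis consumes.

    Three outcomes: a proper AEN message; a message that verifies only under
    the plain session key (sender has the key but not the family secret, so it
    is a standard build: a misconfigured host or someone who obtained the
    session key from outside the closed system); or noise that verifies under
    neither key.
    """
    pt = unseal(session_key, family_secret, nonce, blob)
    if pt is not None:
        return pt, "ok"
    if unseal(session_key, None, nonce, blob) is not None:
        return None, "standard-cipher peer: alert"
    return None, "unauthenticated: drop"


if __name__ == "__main__":
    # Constructed sample values; a real deployment would negotiate these.
    session = bytes(range(32))
    family = b"black-network family secret (constructed)"
    nonce = b"\x00" * 12
    good = seal(session, family, nonce, b"status: nominal")
    stock = seal(session, None, nonce, b"status: nominal")
    for label, msg in (("AEN peer", good), ("stock-AES peer", stock), ("noise", b"\x00" * 40)):
        print(label, "->", black_network_receive(session, family, nonce, msg)[1])
```

The cost the post alludes to is visible here too: every black-network host must carry the family secret, and a host that is accidentally built without it looks identical to an intruder, which is the right default when the alert is investigated rather than ignored.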

If you remember that obscurity is not security, that it is camouflage rather than armor, that it is not scalable, that it is only as good as the obscurity itself is, there might be places you can use it effectively. Also, not all security theatre is bad. What is bad is only having theatre and not backing up obscurity with real security. Photo of theatre security courtesy of Luigi Rosa.

Posted by mordaxus on March 21, 2007 at 11:27 PM in Taxonomies, information security.

February 8, 2007

Must-Read Article: The Ecstasy of Influence

(Posted by mordaxus)
This is in Harpers, "The Ecstasy of Influence." It is an interesting meditation on the nature of art itself and how art is composed of other art. However, not only must you read this, you must read it all the way through to understand it and why it is important.
Posted by mordaxus on February 8, 2007 at 2:59 AM in Economics, Security, Taxonomies, art.

October 13, 2006

Periodic Spiral

(Posted by adam)
The periodic table is under-appreciated as a design masterpiece, and as an iconic representation of science. The table works as a taxonomy, showing someone who knows how to read it a great deal of information about the elements based on their arrangement in space.

So it's pretty audacious to come out with a re-design: The Periodic Spiral envisions a remedy to the flaws in conventional periodic tables by illustrating hydrogen's ambiguous relationship to the noble gases and halogens while recognizing its relationship to the alkali metals; it also fully integrates the lanthanons and actinons into the design. Via Information Esthetics.

Posted by adam on October 13, 2006 at 12:37 PM in Taxonomies, art.

October 12, 2006

Do Kings Play Chess on Folding Glass Stools?

(Posted by adam)
Over at the OSVDB blog, blogauthor writes:
On September 29, Stefan Esser posted an advisory in which he said “While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look…“. This led me to remember an article last year titled Microsoft unveils details of software security process in which Window Snyder (former Microsoft security strategist) said “These are entire classes of vulnerabilities that I haven’t seen externally. When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them.” referring to vulnerabilities that were proactively removed. The article goes on to say “Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.”

Anyone else curious about these? Less than a year, and three new classes of vulnerabilities? Come on Window, you left Microsoft, you can speak up now! Stefan, spill the beans, give us details!

So, here are the details. No, just kidding. I can't talk about the details, but what I can talk about are taxonomies. I can talk about taxonomies for hours. I think, by analogy, that stack smashing may be an order. Perhaps a family. Closely related are the integer overflow and the format string. Each places code in the expected path of execution, overwriting it. More distant are command stuffing (my term for the classic "; echo $stuff > /etc/passwd") or SQL injection. Cross site scripting belongs to the phylum of code/data separation, or perhaps the family of output validation.

I'm not sure if there's a taxonomy here at all. By taxonomy I mean a repeatable, exclusive, reproducible system of questions that a variety of experts can ask of a sample and classify it in the same way. To be a taxonomy, you need exclusivity. You can't be both a person and a penguin. Not all data fits neatly into taxonomies because of that exclusivity requirement. You can, for example, be both a Mac and Windows user. Thus, being a Mac or PC user isn't a good taxonomic classification.

What's the natural ordering of relations of emergent phenomena?

Oh, the title? It's a mnemonic for the Linnaean taxonomy of life: kingdom, phylum, class, order, family, genus, species. And the photo is Drawers of Curiosities, by smalleyta.

Posted by adam on October 12, 2006 at 12:20 PM in Taxonomies, information security.

March 2, 2006

What's in a Name?

(Posted by adam)
A rose by any other name might smell as sweet, but it would certainly be confusing to order online. Consistent naming is useful, but requires much effort to get right. In identity management, which I hadn't thought of as closely related to taxonomies, Zooko has argued that names can be "secure, decentralized or human memorable (pick any two)." I think this applies to taxonomists as well. All of this is inspired because the February 11th Economist has two articles on taxonomy! The first was an article on naming consistency in biology "Today we have naming of parts," and the second covered that there are "Names for Sale:"
Last year, for example, America's president, vice president and defence secretary each got a beetle (Agathidium bushi, A. cheneyi, A. rumsfeldi) courtesy of two Republican coleopterists. Admittedly, the beetles in question eat slime mould, which caused a few titters among taxonomists of a Democrat persuasion, but it is clearly an act of gross speciesism to criticise the dining habits of other organisms, so the titters were sotto voce. And it is not only politicians who are benefiting. Sting, a musician, has his own tree frog (Hyla stingi), and several spiders also bear the names of entertainers (Calponia harrisonfordi, Pachygnatha zappa) who clearly have taxonomists as fans.
Ironically, the last post I offered up on this subject was "A Profusion of Taxonomies," after which, on that topic, the rest was silence.

"Portland 151" rose photo by Brian Lopez.

Posted by adam on March 2, 2006 at 1:57 PM in ID Management, Taxonomies.

October 13, 2005

A Profusion of Taxonomies

(Posted by adam)

In "In the Classification Kingdom, Only the Fittest Survive," Carol Kaesuk Yoon writes about the profusion of naming schemes for animals:

Then there's uBio, which has sidestepped the question of codes and regulations altogether and instead aims to record every single name ever used for any organism, scientific or common, correct or incorrect, down to the last variation and misspelling, as a way of linking all information ever recorded about an organism together.

The All Species Foundation aims not only to record all names but also to find every species and describe it, all in 25 years. And then there's Wikispecies, Species 2000, the Electronic Catalogue of Names of Known Organisms and many more. Some have already come and gone, or nearly so, and others are expiring for lack of sustained funds.

So ZooBank finds itself born in the midst of a Cambrian explosion of initiatives, a proliferation not merely of Web sites and databases but of ideas about how to accomplish the task of naming and organizing all of life. And though disorder may be the most abhorrent thing to a tidy taxonomist, sometimes a little chaos can be healthy. [mmm, chaos!]

And I used to think this was simple. But as Clay Shirky has pointed out, vocabularies are most useful for a particular task, and different tasks, even in the same domain, may require slightly different "meta-data." (That is, the information about the data in the taxonomy.)

I'll note that uBio sounds a lot like the CVE, which is a computer vulnerability concordance, (concordance at Wikipedia) even though not everyone agrees with that definition.

Posted by adam on October 13, 2005 at 10:42 AM in Taxonomies.

May 11, 2005

A few Typographies of Bloggers

(Posted by adam)

First, a very brief bit of terminology: A typography is a way to organize things, much like a taxonomy. Each item within a typography has clearly distinguishing characteristics, but there's no hierarchy such as animal, vertebrates, mammals, hominids, humans. To be honest, I'm not sure if this is a typography or just some categories. But "A few categories..." would be far less fun as a headline.

At BlogNashville, Rebecca McKinnon discussed the concept of "bridge bloggers," those bloggers who make an effort to blog about their country in a way that an outsider or foreigner can understand. It's a great concept, but I'm having trouble finding a good link. Anyone? So much of what so many bloggers say is "inside baseball," things that are hard for folks outside the club to understand (or even understand why you might bother to say them). This doesn't just happen across national boundaries, it also takes place across organizational or professional lines. Milbloggers and peace bloggers often seem to be on different planets. No one takes the time to explain their orientation.

There are a few information security bridge bloggers: Steven Hofmeyer at nthWorld, the mysterious John at "Internet Security: Be Careful," Deb Radcliffe at "Security Chief." Some people might put Bruce Schneier into the category; his last book was intended as a bridge, but his blog doesn't always seem to fit.

In a closely related post, "An update from the Weblog Workshop" Ethan Zuckerman posts:

Shinsuke Nakajima from NAIST introduces three ways to think about key bloggers: topic-finders, agitators and summarizers. He talks most about the second two types and methods for detecting them. Summarizers, unsurprisingly, link to lots of people. Agitators can be found by looking for a drastic change in entries posted within a thread, or a drastic change in topic.
It's not original, but still important to note that there's a split between personal life bloggers (the "Livejournal crowd") and issue bloggers. Many people maintain both.

And look, once again, it's Technorati's tag. Isn't there a way to hide that?

Posted by adam on May 11, 2005 at 9:27 AM in Taxonomies.

March 15, 2005

My Categories Suck

(Posted by adam)

The categories I've set for this blog are non-functional. I have 16 categories, of which maybe 4 are ever exclusive.

Do you look at my categorization of posts? Do you look at the category archives? Should I create a new set of categories? If so, what? (mmm, Choicepoint! Not.) Should I abandon categories and go to tagging? If so, what Movable Type/MarsEdit add-on should I use?

Posted by adam on March 15, 2005 at 10:15 PM in Taxonomies, Usability.

March 3, 2005

Common Vulnerability Scoring System

(Posted by adam)

At RSA, Mike Schiffman presented a Common Vulnerability Scoring System. Brian Erdelyi has taken that, and made a web page to generate numbers. It's at SecurityHive. (The page requires Javascript be turned on to function.)

Posted by adam on March 3, 2005 at 12:19 PM in Taxonomies, information security.

February 2, 2005

A Few Ideas Connected by the Tag "Folksonomy"

(Posted by adam)

Nude Cybot, in an email in which he promises to emerge soon, presumably to be exceptionally cold, mentions that folksonomies have hit Wired News. The Wired article points out that there are more "cat" (16,297) tagged images than "dog" (14,041) in Flickr. But the conclusion they draw from this, "If the photo-sharing site Flickr is any indication, the world of digital photographers is dominated by cat people" is very dependent on the search. Puppy (2145) beats kitten (1912). As I discuss in Economics of Taxonomies, the cost of easy classification can be difficulty in searching. Deciding which tags are close enough to kitten to be included in the count is subjective. (Flickr suggests "Related: cat, cats, cute" and that you "See also: kitty, animal, kittens, pet, animals, pets, black, sleeping, sleep, bw, white".)

This relates closely to the idea of Keynes' Beauty Contests, where your goal was not really to decide which was the most beautiful woman out of a set of photos published by the newspaper, but to select the one picked by the most other people. This might indicate that those skilled at groupthink will do well in a folksonomy-centric world.

A different way to state that, which would get far fewer nods, because the ideas are more rare, would be to say that those with different orientations may well be disadvantaged by their need to spend energy observing the mainstream, unless they use those analyses to guide their decisions and actions to take advantage of the orientation differences. In this way, those Microsofties with iPods could be doing their company a great service.

[Prior posts include "Folksonomies, Tested", and "Economics of Taxonomies".]

Posted by adam on February 2, 2005 at 12:53 PM in Taxonomies.

January 28, 2005

Folksonomies, Tested

(Posted by adam)
I've just stumbled across this abstract comparing full-text searching to controlled vocabulary searching. The relevance to Clay's posts on controlled vocabularies is that our intuitive belief that controlled vocabulary helps searching may be wrong. Unfortunately, the full paper is $30--perhaps someone with an academic library can comment.
...In this paper, we focus on an experiment in which different component indexing and retrieval methods were tested. The results are surprising. Earlier work had often shown that controlled vocabulary indexing and retrieval performed better than full-text indexing and retrieval..., but the differences in performance were often so small that some questioned whether those differences were worth the much greater cost of controlled vocabulary indexing and retrieval ... In our experiment, we found that full-text indexing and retrieval of software components provided comparable precision but much better recall than controlled vocabulary indexing and retrieval of components. There are a number of explanations for this somewhat counter-intuitive result, including the nature of software artifacts, and the notion of relevance that was used in our experiment. We bring to the fore some fundamental questions related to reuse repositories.
Posted by adam on January 28, 2005 at 12:32 PM in Taxonomies, Usability.

January 23, 2005

Economics of Taxonomies

(Posted by adam)

In his latest post on folksonomies, Clay argues that we have no choice about moving to folksonomies, because of the economics. I'd like to tackle those economics a bit.

(Some background: There was recently a fascinating exchange between Clay Shirky and Louis Rosenfeld on the subject of taxonomies versus "folksonomies," lightweight, uncontrolled terms that users attach to things as classification. Now, as the name of my blog implies, I'm all in favor of such emergent and chaotic phenomena as folksonomies. At the same time, some of the work I'm doing may involve the creation of a taxonomy. Worse, it's a taxonomy where the items being classified are subject to a great many potential classifications, and really, a folksonomy may well be a better choice. So how to decide where to go?)

I don't think that there is a single economics of taxonomies. We could compare effort of creation to effort of use. Flickr users create a folksonomy because it's trivial to create, and the work needed to use it for tagging is also low. In contrast, the Linnaean taxonomy of life is the subject of a huge amount of work. Once you've learned to use both Flickr and the plethora of modern library systems to search, the effort to search the Flickr site is higher than the effort to search in a library. So Flickr (and perhaps all folksonomies) offload costs from classifiers to searchers.

There's also an economic question of the cost of failure. Flickr is not there to help you find precisely the photo you're looking for, nor the paper or book you mean to find. It's there to make surfing easier. If you want to see specific people's photos, you can subscribe to their site. So the folksonomy works where there's a very low cost of not seeing a result. Does it work as well where the costs are higher? If you're searching for a specific book in a library, and can't guess the tags attached to it, you can fall back to other, organized search criteria. I'm finding it hard to quantify the search failure costs here, because moving from photos to, say, reference specimens of butterflies, that specimen, and its name, act as an index into all sorts of scientific work.

Another tension is speed of change. Fast changing taxa are hard to search, but easy to create. Is it worthwhile to spend the effort to enable effective searching? To whom is it worthwhile?

To relate this back to the work I'm doing, I think that the cost of failed searches may be very high. High enough to dominate? Unclear.

Posted by adam on January 23, 2005 at 7:38 PM in Economics, Taxonomies.

October 24, 2004

"Metadata for the masses"

(Posted by adam)

In "Metadata for the masses," Peter Merholz presents an interesting idea, which is to build a classification scheme from free-form data that users apply. He points to Flickr's "Cameraphone" category, which would probably not exist if there was only a pull-down list.

He also points up problems: Many categories for one thing (nyc, NewYork, NewYorkCity), one category that means many things ("Flow, for instance, can either mean optimal creative experience, or the movement of a fluid,"), and categorizations that are wrong.

I think there's a tie here to memes, or ideas which encourage you to adopt them. If I see a tag which strikes me, is evocative to me, or I see as useful, I'm likely to use it myself. If I create a tag which I find evocative, but no one else does, (say, "Bastiat-ic") it's unlikely to get picked up. I am a big fan of evolutionary, or memetic systems like this, and am sorely tempted to try to include it in my project, but the goal of that project isn't actually to create a taxonomy, it's to create a useful naming scheme. I think a taxonomy is part of that, but others who get a say in the final analysis disagree, and so I'd like to focus on getting a taxonomic name space, rather than a cool evolutionary method for creating it.

(Via Nudecybot. Oh, and it's too bad that there's no RSS on Merholz's page. I'd like to see their essays, but not their "appearance dates and other news.")

Posted by adam on October 24, 2004 at 11:46 AM in Taxonomies, Usability.

October 21, 2004

The Tree of Life, COI-ly

(Posted by adam)

The September 30th issue of the Economist points to an article in PLoS Biology by Hebert, et al, discussing a new technique for identifying species. The technique relies on the mitochondrial gene for cytochrome c oxidase I (COI), which is a 648 base-pair gene. [1]

This technique helps settle the question of "Is Astraptes fulgerator one species or several?"[2]. The adult butterflies in question all look the same, but there are important variations in the caterpillar forms.

Which, as I struggle to create a taxonomy for a specific set of computer security issues, shows that I am doomed to fail, and that may just be ok.

[1] Who the heck told them they could throw a 'c' out in the midst of a protein name like that? Do these people have no respect for the English language?
[2] It was keeping me awake at night, too. (As many as 10 species in Costa Rica alone.)

Posted by adam on October 21, 2004 at 11:16 PM in Security, Taxonomies.

October 7, 2004

Taxonomic Software

(Posted by adam)

A small window into a large world, with its own software: biological software, including DELTA, a DEscription Language for TAxonomy, database software, ecology software, morphometric, paleontologic, and phylogenetics software. (Hey, I need a taxonomy just to keep the breakdowns straight!)

Or DMOZ has a page, but it doesn't seem as comprehensive.

What I want to do is to throw keywords at a database and have them organized for me. I suspected that this may be sufficiently specialized as to not have software available for it, but I'm no longer so sure.

Posted by adam on October 7, 2004 at 5:09 PM in Taxonomies.

Taxonomies

(Posted by adam)

Biological taxonomy is not fixed, and opinions about the correct status of taxa at all levels, and their correct placement, are constantly revised as a result of new research, and many aspects of classification will always remain a matter of judgement. The ITIS database is updated to take account of new research as it becomes available, and the information it yields is likely to represent a fair consensus of modern taxonomic opinion. Inevitably, however its information cannot be final, and is likely to be more reliable for some groups than others.
So says Wikipedia, in discussing ITIS, the Integrated Taxonomic Information System. Who knew that the USDA was in charge of calling us homo sapiens?

Posted by adam on October 7, 2004 at 4:47 PM in Taxonomies.

September 13, 2004

Mathematical Classifications

(Posted by adam)
Mathematicians use a scheme called the Mathematics Subject Classification, (MSC) which includes a "how to use", as well as a long history of being revised to reflect changes in the field, and I would guess, practice in how to effectively classify things.

It has a General and Miscellaneous Topics section, too.

Articles must be given a primary classification, and may be given arbitrary additional classifications. The first article in the first volume I was published in was 54C40, 14E20 secondary 46E25, 20C20.

That's (54C40 Algebraic properties of function spaces), (14E20 Birational Geometry: Coverings), (46E25 Rings and algebras of continuous, differentiable or analytic functions {For Banach function algebras, see 46J10, 46J15})*, (20C20 Modular representations and characters).

Google doesn't seem to be specialized in searching these things. Those 4 numbers as a search don't return the specific paper, but then, the specific paper isn't online. There are search engines that are able to search by MSC. (It's under "Class" in that link, or try to navigate in Norwegian. I did, before finding the English link.)

UPDATE: The * after the {see 46J10, 46J15} was going to be a footnote, explaining that {braces} represent prioritization--you must check to see if 46J10 or 46J15 are better fits.

Posted by adam on September 13, 2004 at 12:39 PM in Taxonomies.