Archive for March, 2006
Back to Risk Management Basics
Comparing normal distributions and powerlaws, John Quarterman nails it:
Many people assume that everything is organized in bell curves, with most expense, population, etc. in a big hump in the middle, tapering off on each side (by age, height, or whatever). This kind of distribution is so common that it is known as the normal distribution.
But many real world distributions just don’t work that way. Populations that organize themselves in power laws don’t: they have a short head and a long tail. This kind of distribution has gotten most notice for networks of various types, social, biological, and technological. Mistaking a power law distribution for a normal distribution leads to bad science, bad policy, and bad economics. Maybe as people begin to see more power law distributions in non-networked policy arenas they will become less likely to mistake them in networks.
Picking the wrong distribution to describe a phenomenon is bad risk management, because it leads to bad predictions.
All I can add to that is that there are lots of different continuous curves out there. One of them probably fits your data.
Posted in Security and Risk Management, Risk Management | 2 Comments
New EU Airline Ban List
The European Union has just updated its list of airlines banned from flying into the EU for security reasons.
As Gridskipper notes,
It’s not the best time to be running a Congolese airline, as the country’s entire air industry (51 carriers strong) was effectively blocked from flying into the European Union last week due to abysmal safety, security, and cooperation records. They’re not alone however, as a total of 93 airlines were kicked out of the EU, with four more placed on restriction pending improvement. African airlines fared the worst by far, with similar national blacklists also hitting all airlines from Sierra Leone, Equatorial Guinea, Swaziland, and Liberia.
Which led me to wonder…how does one get from the EU to West Africa? I spent a few minutes of quality time with Expedia and what I determined is that there are no flights from London Heathrow, Paris (any airport), or Nice to Freetown, Liberia; Kinshasa, D.R. Congo; or the Ivory Coast in their database.
I wasn’t too surprised, given that most of the airlines on the EU list lack international callsigns or operator licenses and the U.S. State Department has lots of scary things to say about those places. I was potentially concerned that a major carrier might have operations in the region, creating a potential channel for poor local security to facilitate entry into the greater airline system (as was the case with the Lockerbie bombing), but this does not seem to be the case here.
But this still leaves the question, which I only ask out of idle curiosity (although, if this whole Information Security thing doesn’t work out, I guess I could always become a Soldier of Fortune): How does one fly from Western Europe to West Africa, anyway?
Posted in Security and Risk Management, Terrorism | No Comments
Doing what’s profitable vs. Doing what’s right
John Robb is optimistic that government networks will inadvertently kill the ILEC: the development of parallel communications networks for first responders (which will expand to encompass much of the population in the area):
“Corporate communications monopolies will crumble as cities build their own emergency wireless networks using simple products …”
Unfortunately, he underestimates the powers of greed and the telecom lobby, something that’s playing out in New Orleans even as I type:
After Katrina ravaged the Big Easy six months ago, Greg Meffert, the city’s chief information officer, got downtown businesses back online by opening the city’s wireless mesh network—originally deployed to link surveillance cameras—to anyone who needed it. For free.
“Now it is the lifeblood for so many businesses,” Mr. Meffert told Red Herring. With Internet service still down in more than half the city, he estimates more than 15,000 people use the city’s 512 kbps (kilobits per second) network.
…
Now telecommunication lobbyists are trying to shut down the network, and Mr. Meffert says it looks like the state legislature will agree. State law prohibits cities from providing more than a relatively sluggish 128-kbps network, but New Orleans offered its faster network as an emergency relief effort.
No Emergencies
“The vendors, the BellSouths of this world, are not only going to force us back, making our existing Wi-Fi illegal, but also they want to close a loophole for emergencies so that we would not do this again,” said Mr. Meffert.
Once upon a time, I would have found it hard to believe that even Louisiana’s politicians are truly so hostile to their constituents that they would vote for corporate profiteering at the expense of letting the government provide services that its citizens have already paid for. These days, I’m not so confident.
Of course, Municipal Wireless has been growing in cities across the country precisely because companies like BellSouth are more interested in forcing the services they want to sell down people’s throats than offering the services that people want to buy. POTS is dead; it’s just being kept on life support by the SBCs, AT&Ts and BellSouths of the world until they figure out how to extend their monopoly rents up the IP stack past the wire. The fact that they’re doing it with an infrastructure funded by monopoly franchises makes this even more disgusting.
That’s the same BellSouth, by the way, whose CEO essentially declared that ending Net Neutrality was their corporate strategy as the value of the network moves into the applications.
Posted in Security and Risk Management, Network Security | 3 Comments
SoX is a Protection Racket
That’s a real nice transactional system ya’ got there…It’d be a real shame if it were to get a few significant deficiencies on it…
While they’re always very pleasant to talk to, I always get the feeling that the Big Four are running a protection racket when it comes to SoX. Corporate America has become so obsessed with compliance and avoiding any findings of deficiencies that we’ll do pretty much anything (after some token pushback) to avoid Gaps, then complain about the costs that result.
Now, it looks like some folks at the SEC are catching on:
Paul Atkins, commissioner with the Securities and Exchange Commission (SEC), said in January that both the SEC and PCAOB need to give corporations and auditors “more leeway.” “Despite our attempt to emphasize reasonableness [in application of SOX 404], people in the trenches are taking an excessive granular approach.” Atkins emphasized that he spoke only for himself, not for his fellow commissioners or the SEC, while speaking in San Diego at the Securities Regulation Institute.
Atkins’s statement echoes corporate criticism that auditors have been performing overly aggressive assessments, often of immaterial controls. This view crystallized at a March 2005 roundtable with business representatives and auditors, during which feedback from public companies was clear: SOX compliance was costing too much, and inappropriate auditing of internal controls was largely to blame. Auditors were criticized for taking advantage of ambiguities inherent in SOX to charge exorbitant fees for largely unnecessary work.
While I am not implying any sort of collusion or conspiracy, the Big Four are run by smart people. Those smart people have to be aware that everyone has two firms, one internal for helping prepare the audit documents and one for the actual audit, with each firm’s findings feeding the other. They also have to be aware that a rising tide lifts all boats.
Although the SEC sets regulatory tone in regard to public company reporting, auditors actually report to the PCAOB—a legally independent entity. And therein lies potential conflict. If the SEC seems to be playing good-cop to business interests, the PCAOB’s latest round of audit reviews is more critical, particularly of the Big Four accountancies: Deloitte & Touche, Ernst & Young, KPMG, and PricewaterhouseCoopers. Despite the board’s recent statements encouraging public-company auditors to focus less on transactional details and more on a top-down, risk-based approach, its audit reviews provide little evidence of this direction.
We keep hearing that we should avoid overly prescriptive audits and checklists in compliance efforts, but our auditors keep demanding that we submit to exactly that. It’s certainly more profitable for them–lots of billable hours by junior associates, many of whom mean well but lack the authority or experience to make the judgements we need. Personally, I often come away feeling that we miss the forest for the trees in our IT Controls efforts.
The net effect could be summarized as, “Risk? We’ve heard of it.” The only risk I see in our SoX efforts is the risk of getting a bad review if a deficiency is found on your watch, which is the core of the problem.
People will behave however they are paid to behave. If they are paid to avoid Findings of Material Deficiency as their top priority, then they will submit to any demand of the auditor, no matter how ineffective or irrelevant it is to the system or process in question.
Down in the trenches, the perception seems to be that any significant pushback will invite the “wrong” kind of attention. Instead, people just do their best to tell the auditors what they want to hear and hope they go away. And so long as that’s how they’re paid to behave, there’s not much the SEC can do about that.
Posted in Security and Risk Management | 3 Comments
Stuck in the Middle
Remember how SSL was supposed to protect our Internet traffic from sniffing? Well I have good news and bad news. The good news is, it works. The bad news is that companies have noticed it works.
But rest assured, where there’s FUD, there’s someone willing to make a buck off it.
Blue Coat recently announced the new SSL proxy functionality for its appliance platform to finally bring visibility into – and granular control over – SSL communications between internal corporate employees and external Internet applications. These SSL communications now represent a significant and growing percentage of corporate Internet traffic. Blue Coat’s SSL proxy enables organizations to stop or manage employee use of rogue applications or anonymous Web surfing encrypted in an SSL session. It can also stop encrypted malware, including viruses and spyware, from infiltrating enterprise networks through encrypted tunnels. The SSL proxy can deny threats from secured phishing attempts that now utilize SSL explicitly as a cloaking mechanism.
They could have saved themselves a lot of keystrokes and just called this what it is, a Man-in-the-Middle Attack.
SSL inspection creates any number of problems for the company that deploys it. First, it destroys the confidentiality and integrity of the SSL connection.
Even if the system is supposed to be configured only to match signatures and generate alerts accordingly, it is still accepting the site’s certificate and substituting its own when it re-encrypts. This means that the user can no longer authenticate or validate the credentials of the remote site. If a user gets taken by an SSL’ed phishing site through this proxy, is the company liable, since it has effectively asserted the validity of the remote site on the user’s behalf?
Next, corporate MitM ignores the fact that the information inside an SSL tunnel is supposed to be confidential. If I go look at healthcare information which is protected by HIPAA, or some other piece of sensitive PII with legal protections around it, what is the company’s legal standing when it inspects the contents of that connection?
Finally, SSL inspection sends a clear signal that the company thinks its employees are thieves. And there’s no better way to get people to act like thieves than to tell them you think they are. People taking data is a management, HR, and possibly legal issue. All the technology does is get it from Point A to Point B. Even if you turn your entire company into a giant SCIF, you’ll run out of money for countermeasures long before people run out of ways to get the data out.
Besides, I don’t know about your enterprise, but the last thing we need around here is another source of Known Badness that we lack the resources to police. We can’t handle the volume of Bad Things we already find. Finding more things to go after isn’t the problem. The problem is the triage and workflow for dealing with the things that we find today.
I should also note that Finjan has had this capability since 2004.
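To make the certificate-substitution point concrete, here is an added example (not code from the original post or from any vendor) that models what an inspecting proxy does to a certificate chain and the client-side checks that expose it. All certificates, CA names, hostnames and keys are constructed stand-ins; the checks (non-public root, SPKI pin mismatch) are the general ones a pinning client would apply.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model)."""
    subject: str   # hostname or CA name the certificate claims
    issuer: str    # CA that signed it
    spki: bytes    # stand-in for the SubjectPublicKeyInfo bytes


def spki_pin(cert: Cert) -> str:
    """SHA-256 over the public key: the value a pinning client remembers."""
    return hashlib.sha256(cert.spki).hexdigest()


# Constructed trust material and chains; no real CA, host or key.
PUBLIC_ROOT = Cert("Example Public Root CA", "Example Public Root CA", b"public-root-key")
SITE_LEAF = Cert("bank.example", "Example Public Root CA", b"bank-real-key")
GENUINE_CHAIN = [SITE_LEAF, PUBLIC_ROOT]
PROXY_CA = Cert("Corp Inspection CA", "Corp Inspection CA", b"corp-proxy-ca-key")

PUBLIC_ROOTS = {PUBLIC_ROOT.subject}              # the browser's normal store
PINS = {"bank.example": spki_pin(SITE_LEAF)}      # pin learned out of band


def intercept(chain: list, proxy_ca: Cert, proxy_leaf_key: bytes) -> list:
    """What an inspecting proxy does: it accepts the site's real chain
    itself, then hands the client a fresh leaf for the same name, signed
    by its own CA and carrying its own key. The client never sees the
    real leaf, so it cannot validate the remote site's credentials."""
    real_leaf = chain[0]
    forged_leaf = Cert(real_leaf.subject, proxy_ca.subject, proxy_leaf_key)
    return [forged_leaf, proxy_ca]


def inspect_chain(host: str, chain: list, public_roots: set, pins: dict) -> list:
    """Client-side checks that reveal interception.
    Returns a list of findings; an empty list means the chain is genuine."""
    findings = []
    leaf, root = chain[0], chain[-1]
    if leaf.subject != host:
        findings.append("hostname mismatch")
    if root.subject not in public_roots:
        # Every inspection appliance relies on a locally added enterprise
        # root; a chain ending in one is the first visible symptom.
        findings.append(f"chain terminates in non-public root: {root.subject}")
    expected = pins.get(host)
    if expected is not None and spki_pin(leaf) != expected:
        # Even when the enterprise root has been pushed into the trust
        # store, the substituted key still fails the pin.
        findings.append("SPKI pin mismatch: leaf key is not the site's key")
    return findings


def demo() -> dict:
    """Run the checks against the genuine chain and an intercepted one,
    with and without the proxy CA installed as a trusted root."""
    mitm_chain = intercept(GENUINE_CHAIN, PROXY_CA, b"corp-proxy-leaf-key")
    return {
        "genuine": inspect_chain("bank.example", GENUINE_CHAIN, PUBLIC_ROOTS, PINS),
        "intercepted": inspect_chain("bank.example", mitm_chain, PUBLIC_ROOTS, PINS),
        "intercepted_root_trusted": inspect_chain(
            "bank.example", mitm_chain, PUBLIC_ROOTS | {PROXY_CA.subject}, PINS),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "no findings")
```

The third case is the realistic enterprise one: the proxy CA has been pushed to every desktop, so the root check is silent and only the key pin still reveals that the remote site's own certificate was replaced.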
It’s all about the externality
I’ve seen multiple references to a news article discussing the negative impact of DRM on portable device battery life.
The Archos Gmini 402 Camcorder maxed out at 11 hours, but with DRM tracks, it played for less than 9 hours. The iRiver U10, with an astounding life of about 32 hours, came in at about 27 hours playing subscription tracks. Even the iPod, playing back only FairPlay AAC tracks, underperformed MP3s by about 8 percent.
Yet another example of security as an externality to its beneficiaries. The “rights owners” receive the benefits while the cost (in this case, the reduced battery life of the player) is borne by the consumer.
Yet another reason to hate DRM which will probably resonate with consumers much more than the more material arguments about all the Bad Things that DRM does. Lost potential for innovation in order to protect greedy, corrupt companies’ business models doesn’t resonate like, “You’ll get two hours less battery life between charges,” even though most people rarely run their iPod past about halfway before recharging.
Posted in Security and Risk Management | No Comments
Bright satanic offices
The space planner was sniffing around this morning, getting ready (I suspect) to downsize my cube from a Double wide (8′ by 14′) to the New Standard Configuration (I rate an 8′ by 8′ although many will not be so lucky and will find themselves in either 6′ by 6′ or 6′ by 8′ boxes).
Throw in the fact that it features prominently in my blog’s name, and it seems somehow fitting that this article about the history of the cubicle should show up on CNN today.
Reviled by workers, demonized by designers, disowned by its very creator, it still claims the largest share of office furniture sales–$3 billion or so a year–and has outlived every “office of the future” meant to replace it. It is the Fidel Castro of office furniture.
…
That’s when Propst’s original vision began to fade. “They kept shrinking the Action Office until it became a cubicle,” says Schwartz, now 80. As Steelcase, Knoll, and Haworth brought their versions to market, they figured out that what businesses wanted wasn’t to give employees a holistic experience. The customers wanted a cheap way to pack workers in.
Propst’s workstations were designed to be flexible, but in practice they were seldom altered or moved at all. Lined up in identical rows, they became the dystopian world that three academics described as “bright satanic offices” in a 1998 book, Workplaces of the Future.
Designer Douglas Ball, for instance, remembers the first installation of cubicles he created for a Canadian company in 1972. “I thought I’d be excited, but I came out depressed,” says Ball, now 70. “It was Dilbertville. I’d failed to visualize what it would look like when there were so many of them.”
Right now, I sit toward the edge of a giant cubicle sea. I know exactly what it looks like when there are “so many of them.” We have to identify our location by pillar numbers.
Of course, once my cube gets downgraded, I may have to change the blog’s name to something more appropriate, like “Sucks like only a cubicle can” or something.
I’m also wondering where they think everyone is going to park. The lot is already full with the current population density. This building was originally built as a data center and was never supposed to be filled with people.
Actually, I’m often torn if the worst cube I ever had was the one that wasn’t really a cube, just a surface on the outside of a “real” cube at the end of a hallway or the one that was 8′x4′6″ so I could only get in and out by swiveling the chair to face the aisle. The seats may have sucked but the jobs were a lot of fun.
Posted in Office Life | 4 Comments
Netbanging’s author takes exception to my post
I was obviously a little harsh in my sarcasm regarding Darren Briscoe’s story on the emergence of “NetBanging,” since he left me a lengthy rebuttal in the comments. I’m actually glad he did it, since it takes me to task and forces me to actually back up my assertions.
I agree that it is inevitable that some percentage of the people in the world going on-line would include members of street gangs. Where I disagree is whether or not this is an exploding trend. There is a big difference between individuals or small groups using Internet resources and the organized leveraging of on-line-specific resources to create some sort of Online Revolution in the gang world that the original article implies.
Ten years ago, you could probably have written a similar article about how gangs were adopting cell phones to avoid the geographic limitations of fixed phone lines. Of course, you could have written the exact same article about urban professionals adopting cell phones for the same reason. To somehow imply that it is unique to criminal enterprises is what I take offense at–it makes it a scare story, similar to the MySpace scare stories that I referenced in my original post.
I don’t doubt that there are gang members who sometimes communicate with each other via the Internet. What I remain highly skeptical of is the assertion that, “there’s just been an explosion of this stuff.”
I suspect a much more likely scenario is that the percentage of gang members going on-line is quite small and will trend asymptotically toward some value which is greater than today but still remains solidly underneath the Tipping Point of widespread adoption. It’s too bad the quoted detective didn’t better quantify the size of the “explosion” since his explosion might be my non-event (or vice-versa).
Consider also that this is far from the first time that someone has declared that gangs were Takin’ it to the Net. This article is pretty similar, only it dates from 1996. The biggest difference is that the detective they interviewed didn’t see it as a problem:
08/19/96 - 14:00CST
GANGBANGERS INVADE CYBERSPACE
By Steve Macko, ENN Editor
Chicago, IL (ENN) — As if law enforcement officers didn’t already have enough to worry about, there is now a new hangout in cyberspace. It’s for street gang members and gangbanger wannabes. Just what was needed — a place for gang members to exchange ideas on how to improve drug sales, what’s the best gun to use to shoot your business rivals and what’s the best drugs to use in your spare time?
All of that and even more can be found on the Glock3 Web site. This site is said to link members of street gangs from around the world, from ‘Lil Shorty’s Click in London to the Gangster Disciples in Chicago to the West Side Crips in Phoenix. Experts say that the site provides a virtual how-to-be a street gang member.
…
Sergeant Mark Clark of the Scottsdale, Arizona, Police Department says that he is more concerned about Web sites showing how to make bombs than how to act and dress like a gangbanger.
…
In the United States, there are at least 25,000 street gangs with an estimated membership of about 650,000 people. Gangbangers in the Southwest portion of the U.S. are said to be less organized than those on the East Coast, said Jim Ledy, a criminal-intelligence analyst for the Arizona Department of Public Safety.
As to the “functionally illiterate” claim, I had to do a little inference but here it is.
There is an older body of research, “An Urban Ethnography of Latino Street” by Dr. Francine Hallcom, specifically on Hispanic gangs in Los Angeles and Ventura County. From her research:
The participants in this investigation remarked that teens who graduate from ghetto schools do not know enough to get even a minimal 9 to 5 office job, and more often than not — any kind of job at all. Thus, staying in school was “all hype” as one individual put it, and gang activity seemed to be a more realistic option for him.
Drop outs and crime are discussed collectively in this investigation; however, this is not to imply that drop-outs are all committing crimes, nor that drop-outs all join gangs. In fact, the drop out problem is extremely complex. It is partially the outcome of poverty, of poor experiences in schools, of “miseducation” and the resulting lack of at least minimal grade level reading, writing and math skills. It is also an individually distinct matter from one student to another although common threads run through most dropouts’ tales of woe.
(emphasis mine)
Correlate that to the adult illiteracy statistics from the National Center for Educational Statistics (page 5), which shows that 55% of those with “Less than/some high school” lack basic literacy and I stand by my comment that the average street gang member is functionally illiterate.
As to the Web sites…
The Latin Kings’ site is not exactly current:
This page was last updated Wed Oct 29 00:37:22 1997 Pacific time
And every link on the page is a 404 Not Found.
While the KrazyLocos have a photo of cash and drugs, these guys seem to be more into custom cars (and very nicely done, too, if that’s your thing) than anything else.
As to the forum page, I’m not sure quite what to make of it. So “Silent” died in 1994 at the age of 14. If there is really 20 hours a week worth of material for the good detective, I’d think that there would be something more current than that in there. And as to the 72 pages of comments, I looked at about 10-12 of those pages (mostly toward the beginning and end) and didn’t find anything but random one-line stuff.
The XV3Gang forums would have better backed the assertion that there is an online community of gang members, although at the cost of the literacy argument. For example, they are aware the police might be reading their discussions. Of course, of the ~750 members of the forum, only 200 have ever posted. That’s a strikingly small percentage of the hundreds of thousands of gang members in the United States.
Perhaps the Google check wasn’t fair, I’ll concede. Most of the 345 were dead forum links to posts stating something along the lines of, “No netbanging allowed here.” I tried to open a dozen or so with pretty poor results (not the best statistical sample, I’ll agree).
Since Darren has tasked me to prove a negative (“I hope you’ll agree that to this point I’ve already provided far more evidence for its existence than you have against it”), I’ll ask for a little more data.
Three gang experts were interviewed and agreed that there was a problem. How many were asked who did not think this was a significant trend? Not being a crime reporter myself, I can’t just start calling or emailing people to get opinions on the subject, but since that’s a key piece of the argument in favor of the trend, some perspective would add a lot of value.
What I can do is consider the data I have: four Web sites (Sorry, but the 1997 site doesn’t count) and a few hundred or thousand people who self-identify as gangsta’s (and we all know that no one ever mis-represents themselves on the ‘Net), a significant piece of scholarly research and the NCES literacy statistics. From that, I don’t see the explosion.
Any non-public or confidential comments can be sent to cubicle at halfcat dot org.
Posted in Security and Risk Management | 3 Comments
Netbanging
So MSNBC would have us believe that street gangs are takin’ it to the Net.
The 15-year veteran cop used to spend most of his days on the streets, drawing a bead on gang activity by reading graffiti and chatting up members. But that changed in 2004, when his investigation into a deadly drive-by shooting stalled. Some teenagers asked if he’d checked the Internet for clues. Hermanson took their advice, and found himself transported into the little-known realm of “Netbanging.” Across the nation, street gangs have taken their neighborhood feuds, colors and rituals online. Hermanson eventually found chat-room conversations that helped secure two convictions in the drive-by case. Ever since, he’s spent 15 to 20 hours a week scanning Web sites for clues about local gang activity.
Given that the average gang member is functionally illiterate, I find it extremely hard to believe that they are now Takin’ it to the ‘Net. Sure, there may be gang members who have MySpace pages and who do dumb things like post pictures of themselves with rifles, but there’s a big difference between a few anecdotes and a trend.
When I googled it, I found 345 references, most of them dead and what was left largely dedicated to either tagging & graffiti (some of which was very cool) or the Capcom game Street Fighter, but that was about it. Searches for some of the gangs mentioned in the story produced no results at all.
Netbanging? Yeah, right.
The conversation that took place in some MSNBC status meeting was probably something like, “The MySpace scare stories aren’t getting the hits they used to. What else can we come up with to scare parents?”
“How about, ‘Nerd Gangs,’ Boss?”
“What’s so scary about that? They gonna steal some kid’s calculator?”
“I don’t know Boss. You bought one lately? My kid’s in Calculus now and her new one cost a hundred bucks.”
“Still not scary. Web gangs?”
“Sounds like a pack of spiders.”
“Spiders are scary.”
“No good google hits on ‘Web gangs,’ boss.”
“Google!? Pack your desk.”
“How about ‘Netbangin’,’ Boss?”
“Works for me. Now turn it into a story.”
(Thanks to Tyler Cowen for the link)
Posted in Security and Risk Management | 6 Comments
Birds of a Feather
Once upon a time, information security was primarily about keeping the users On the Reservation and the crackers Off. We worried about Web defacements as if they meant something more than annoyance and a late night or two of response & recovery.
Now, though, we all know it’s a whole different story. The threat has shifted from Web defacements & other forms of vanity hacks to true cybercrime–attacks targeting things which can be sold for money like credit card accounts or just going straight to the money.
This is not necessarily a Bad Thing. It means that the “Security” Industry may finally need to move beyond the realm of hobbyists, amateurs, and snake-oil salesmen and start behaving like professionals. For that to happen, there had to be a financial cost of Not Doing Security. There are now operational costs of responding to incidents and disclosure laws which aim to prevent companies from hiding their mistakes from the real victims of the crime (those whose data was lost or stolen).
Eventually, assuming we’re allowed to share data accurately, this will allow us to actually measure the risk of poor security and tie it back to good aggregated statistics. But in the meantime, there are going to be some rough days ahead for those we are supposed to be protecting.
Even more ominous, however, is that the same thing also seems to be true at the Department of Homeland Security. As John Robb notes, terrorism has also evolved over the past few years:
As anticipated on this weblog, the fall-out of the “big bang” in Iraq has accelerated system disruption’s displacement of symbolic terrorism. In fact, what’s left of symbolic terrorism is now typically restricted to attacks that can cause immediate systemic social failure (as we are seeing in Iraq right now). The combination of the Abqaiq attack and this new attempted attack on a major power station in Jordan shows that al Qaeda has adopted infrastructure disruption as its preferred method of warfare.
Of course, if organized criminals and terrorists seem to have a lot in common, it’s probably because, as the IRA has clearly shown, they are often one and the same.
And you can bet that at least one of those birds-of-a-feather is a Black Swan.