Archive for February, 2007
Mea Culpa
I haven’t forgotten that I still need to follow up on my post about speaking The Business’ language. I’ve just been exceedingly busy. Maybe later this week, but more likely next.
Posted in Security and Risk Management | 1 Comment
Security Mad-Libs
Sure, he’s talking about terrorism, but this paragraph, suitably find-and-replaced, sums up the state of the Security Industry (InfoSec/Compliance/Counter-Terror/etc.) about as well as ~50 words can:
Since 9/11, we’ve spent hundreds of billions of dollars defending ourselves from terrorist attacks. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective. In short: much of our country’s counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.
Try some of these variants. For example,
Since Sarbanes-Oxley passed, we’ve spent hundreds of billions of dollars defending ourselves from corporate fraud. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective. In short: much of our country’s compliance spending is not designed to protect us from corrupt corporate leaders, but instead to protect our public officials (and corrupt corporate leaders) from criticism when another Enron occurs.
It’s fun! You can play along at home!
Since Code Red, we’ve spent hundreds of billions of dollars defending ourselves from network worms. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective. In short: much of our country’s network security spending is not designed to protect us from worms, but instead to protect our CISOs from criticism when another Blaster occurs.
Just remember one thing…
Since SB-1386 passed, we’ve spent hundreds of billions of dollars* defending ourselves from Information Leakage. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective. In short: much of our country’s privacy protection spending is not designed to protect us from privacy invasion or fraud, but instead to protect our public officials from criticism when another TJ Maxx occurs.
…when all is said and done, it was your money and yet you’re still the one holding the bag.
* Probably not, but give it time
Posted in Security and Risk Management | 1 Comment
I would rather be understood than perfect
Mordaxus asks us to stop with the cutesy names for attacks over at Emergent Chaos today.
Using cutesy terms is jargon at its worst. It creates a group of insiders and outsiders, where there insiders can wrap their minds around the problem and the outsiders can’t. We need to have security understood by non-experts. We need less jargon, not more.
This lack of clarity hurts people. The State of California recently defeated a proposed anti-pretexting law because the MPAA argued that there were legitimate uses for it. It’s harder to defend impersonation and fraud when it is called impersonation and fraud. Cutesiness is euphemism.
Don’t be a cutesy monkey. Use precise language. Use powerful language. Don’t let the bad guys get away with defending the indefensible, as Orwell put it, with euphemism. While you’re at it, read or re-read Orwell’s essay.
At the same time, Dutcher Stiles over at Another Set of Teeth points out a related variation on the same theme: the need to feel “special” whenever a crime has an IT flavor to it:
The real meaty threats and red flags associated with them are a bit more nuanced, and have been hashed out in the fraud investigation field for years. Computer crime is just crime. Vandals are vandals. The computer security industry seems to be genuinely befuddled when encountering a threat that doesn’t have an 8P8C modular connector jack.
I think that the same could be said of the issue of specialized security models. I’m not talking about Bell-LaPadula or Denning’s Lattice (which should be a must-understand for anyone designing “secure” processes), etc. I think our work lives would actually be a lot less interesting if we as an industry would understand and apply the math that underlies so much of what we allegedly do.
Rather, I’m talking about the Quest for the Perfect (Threat|Risk) Model. While I applaud the efforts being made in this space as an area of general interest, what I find in practice is that it doesn’t matter how good our models are because the Information Security industry as a whole has destroyed its credibility after ten years (and counting) of FUD backed by pure, hard anecdote.
Instead, I’m finding (and I work at an engineering/manufacturing company, so ymmv) that analysis models which are taken from (and trusted by) “The Business” can generally be mapped pretty easily onto a security-specific model, with accuracy that’s within the error bounds of whatever data I have anyway. Now, rather than arguing about the validity of my model, we can focus on gaining consensus on the validity of the scores (usually a minor adjustment), then get moving on the risk management plan and control framework design. Less work for me. Less arguing with the customer/target. More trust and genuine buy-in, rather than compliance or resistance.
I’ll provide two examples, both taken from the Digital Six Sigma quality framework. First, I’ve begun using Failure Mode Effect Analysis to do my Threat Modeling. Is it perfect? No. Does it capture enough of the information I need to provide a trusted explanation to an audience who don’t necessarily believe in the need for additional security controls? Much of the time. At the very least, it provides a comfortable framework so they’ll engage me rather than going into hiding.
Second (and I know this has been mentioned elsewhere in the world), instead of talking about vulnerabilities within the Software Development Lifecycle, I just talk generically about them as a post-release defect which contributes to the Cost Of Poor Quality. That’s something which is meaningful and whose costs can be inferred back onto the organization that produced them. And since Qwality is important around here, it gets traction with the developers in a way that “security matters…really” never quite did.
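To make the first example concrete, here is a small FMEA-style threat worksheet of the kind the post describes: each threat is written down as a failure mode with a business effect, scored on the standard FMEA Severity/Occurrence/Detection scales, and ranked by Risk Priority Number (RPN = S × O × D). It also phrases each failure mode as a defect, in line with the second example. This is an added illustration and not the author’s own worksheet or tooling; the scales, the 100-point action threshold and every threat entry are constructed for the example.

```python
"""FMEA-style threat scoring: map threats onto the S/O/D scales The Business already trusts.

Added example, not code from the original post. The threat entries and all scores below
are constructed; the 1..10 scales and RPN = S * O * D are the conventional FMEA form.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional

SCALE_MIN, SCALE_MAX = 1, 10


@dataclass(frozen=True)
class ThreatEntry:
    asset: str          # FMEA "item": the process step or component at risk
    failure_mode: str   # the security failure, phrased as a defect
    effect: str         # what The Business loses if it happens
    severity: int       # S: impact of the effect (10 = worst)
    occurrence: int     # O: how often the failure is expected (10 = constant)
    detection: int      # D: how hard it is to catch (10 = effectively undetectable)

    def __post_init__(self) -> None:
        # Scores outside the scale silently distort the ranking, so reject them up front.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be within {SCALE_MIN}..{SCALE_MAX}, got {value}")

    def rpn(self) -> int:
        """Risk Priority Number, the standard FMEA product S * O * D."""
        return self.severity * self.occurrence * self.detection


def rank_threats(entries: Iterable[ThreatEntry]) -> List[ThreatEntry]:
    """Highest RPN first; severity breaks ties so a high-impact item never sinks below a noisy low-impact one."""
    return sorted(entries, key=lambda e: (e.rpn(), e.severity), reverse=True)


def needs_action(entries: Iterable[ThreatEntry], threshold: int = 100) -> List[ThreatEntry]:
    """Entries at or above the agreed RPN threshold (the threshold itself is a constructed policy value)."""
    return [e for e in rank_threats(entries) if e.rpn() >= threshold]


def apply_control(entry: ThreatEntry, *, occurrence: Optional[int] = None,
                  detection: Optional[int] = None) -> ThreatEntry:
    """Re-score an entry after a proposed control.

    A preventive control lowers Occurrence; a detective control lowers Detection.
    Severity belongs to the effect, not the control, so it is deliberately left alone.
    """
    return replace(
        entry,
        occurrence=entry.occurrence if occurrence is None else occurrence,
        detection=entry.detection if detection is None else detection,
    )


def worksheet(entries: Iterable[ThreatEntry]) -> str:
    """Render the ranked worksheet as plain text for a review meeting."""
    header = f"{'Asset':<22}{'Failure mode (defect)':<42}{'S':>3}{'O':>3}{'D':>3}{'RPN':>6}"
    rows = [
        f"{e.asset:<22}{e.failure_mode:<42}{e.severity:>3}{e.occurrence:>3}{e.detection:>3}{e.rpn():>6}"
        for e in rank_threats(entries)
    ]
    return "\n".join([header, *rows])


# Constructed sample worksheet (assets, defects and scores are all invented for the example).
SAMPLE_THREATS = [
    ThreatEntry("Customer order portal", "Order changed by unauthenticated request",
                "Wrong goods shipped, refunds, lost customer", severity=8, occurrence=5, detection=7),
    ThreatEntry("Build server", "Release built from unreviewed branch",
                "Untested code shipped to customers", severity=7, occurrence=3, detection=6),
    ThreatEntry("Payroll export", "Report sent to wrong distribution list",
                "Salary data disclosed internally", severity=5, occurrence=6, detection=3),
    ThreatEntry("Laptop fleet", "Lost laptop with unencrypted disk",
                "Customer data exposed, breach notification", severity=6, occurrence=4, detection=2),
]


if __name__ == "__main__":
    print(worksheet(SAMPLE_THREATS))
    for e in needs_action(SAMPLE_THREATS):
        # Example: adding request logging with review would turn a hard-to-detect
        # failure (D=7) into an easily caught one (D=2) without changing its severity.
        improved = apply_control(e, detection=2)
        print(f"{e.asset}: RPN {e.rpn()} -> {improved.rpn()} with a detective control")
```

The point of the layout is that nothing in it needs a security-specific explanation: the owners of the order portal or the build server already know what an RPN is and already argue about S/O/D scores, so the discussion moves straight to whether the scores are right and which control to fund.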
So when thinking about how to explain risk issues to The Business, ask yourself: Would I rather be perfect or understood?
Posted in Security and Risk Management, Risk Management | 1 Comment
Coffee pot risk?
So I see this blog post at Street Use about a news story warning me to “Think twice before using hotel room coffee pots.”
Ask just about anyone in law enforcement, and they’ll tell you to be careful if you ever brew coffee in a hotel room.
“I know enough now that whenever I go to a hotel, regardless of how nice it is, I’ll never use a coffee pot,” said Marshall County District Attorney Steve Marshall.…
Rick Phillips of the Marshall County Drug Enforcement Unit says there’s definitely a risk. “The coffee makers that you find in every motel room is an ideal heat source. They mix it up in the coffee pot, put it on a heat source and let it sit there and cook,” said Phillips. It’s common knowledge to those who fight meth, but a shock to your average citizen. Phillips says it’s pretty easy to tell if a coffee pot has been used to cook meth. It will have a dark reddish-orange stain.
This is handy to know, but probably only vaguely more useful than being able to differentiate poisonous from non-poisonous snakes. I’ll assume I’m good enough on the whole “clean glass/dirty, orange-stained glass” thing to keep using my hotel micro-coffee maker.
I drink coffee out of a lot of those little micro-pots. I have never seen one that was orange, but that could be because I’m staying in the wrong hotels. If I do, though, I’ll be sure to not use it. Just like I would not prepare or consume food or drinks in or from any other vessel that looked exceptionally dirty and resisted cleaning.
As a matter of fact, I drank coffee out of the little micro-pot in my hotel room for the last three mornings. I had no idea I was taking my life in my own hands by doing so. Fortunately, it was clean and tasty (as those things go). Of course, the idea that I was making potentially life-threatening risk decisions before I had my morning coffee was probably the risk I shouldn’t have accepted.
Posted in Security and Risk Management, Risk Management | No Comments
Trust and Parking
From a New York TV channel’s news site:
Several Brooklyn residents woke up to find their street empty — because someone had posted a No Parking sign and police had towed their rides.
The sign, which bans parking on a street in the DUMBO neighborhood from 8 a.m. to 6 p.m. weekdays, mysteriously appeared Monday or Tuesday, residents said, and then police started ticketing and towing cars parked there.
But the Department of Transportation says there aren’t any parking restrictions in the area and it doesn’t know who posted the placard, which looks official.
Resident David Bourgeois said he had to pay $205 to retrieve his Mini Cooper, with a $60 ticket on the windshield, from a police pound Wednesday after it was hauled away.
“It’s just outrageous,” he told the Daily News for Friday editions.
The DOT said it would try to dismiss the ticket — and take down the No Parking sign.
I especially like the statement that the DOT would “try to dismiss the ticket.” Hopefully they will do more than try, but if I were that guy, I wouldn’t get my hopes up.
I live in a zoned parking area (you must have a special sticker to park on the streets) here in downtown Chicago. We have often wondered what the results of a prank like this would be. While nobody would get towed, you could probably get a hundred cars ticketed without too much effort, and there’d be little to no chance of disputing it successfully.
I wouldn’t even need a proper sign. I could just forge and post paper “No parking” signs tied around trees but printed to match an official template which is little more than legal-sized heavy stock paper with red sans-serif printing. Getting an example would be trivial since they litter the trees & signs around any site of utility work, street work, or condo construction.
Yet another example of people unthinkingly trusting that something (in this case a sign) was authoritative when it was not. Fortunately, the impact of this one was relatively minor. Unfortunately, there seems to be an upsurge in “false flag” operations by serious criminals, terrorists, and resistance fighters.
I think this is symptomatic of the overall state of information overload that most people operate in all the time. As a result, any input which can be abstracted to a simple symbol (e.g. authority) immediately is, without anyone considering whether or not it really makes sense. Things are then able to get seriously out of control, by which time it’s too late for the victim to react effectively.
Posted in Security and Risk Management, Risk Management | No Comments
A round of sanity for the house, please
I was working on my own thoughts about the Boston non-bombing incident when Adam Mordaxus said everything I wanted to say, only better. For example:
My summary: Cartoon Network puts up magnetic signs with blinking LEDs advertising some cartoon in ten cities, including Boston. Photo of one of these in Cambridge is the accompanying photo. After two to three weeks, people in Boston notice them and think, “Oh, my God! Blinking lights, wires! It must be (cue organ) terrorists!” They shut down half the city. They postured, they arrested the perps.
This brouhaha is worthy of ridicule for two reasons. First, they were embarrassingly wrong. Second, they were two weeks late! Comparing Boston’s Finest to the Keystone Kops is a grave insult to the memory and bravery of those immortal boys in blue.
Ridicule is exactly the right word. Read what he said. Read what Schneier said (and don’t miss Schneier’s comments–there’s loads of excellent points in there).
What I wonder is, are people scared because, even if they don’t want to admit it, they know deep down inside that their country has done things which have caused a lot of people to be justifiably pissed off at us? If you were to go into a bar and start talking trash and picking fights with everyone in the place, you wouldn’t be surprised if you found your drinks watery, your glass soapy, and your “empties” picked up even though they were still 3/4 full. Why should we expect to be treated any differently as a nation when we behave on the world stage in exactly the same way?
Fear has become the Great Excuse. You can act as irrationally as you want, so long as you claim you did it because you were scared it might be a terrorist. Unfortunately, there are still too many people who are willing to play along.
If you want to be scared, go watch a horror movie. Don’t try to turn lame “guerrilla” advertising into a terrorist attack. Don’t think that you’re at risk because you live downwind of the World’s Largest Ball of String. In other words, Get a Grip.
Some other random observations from this mess:
First, the Boston Police Department does not seem to learn from experience. I can understand overreacting to the first device, even if it took them two weeks to notice it. It was, at that point, an unknown threat so some level of caution is understandable. Upon initial examination, however, they would have discovered that it was not, in fact, a bomb. So why did they continue to overreact to each additional device?
Next, some people want to be scared (and I’m not one of them). Despite quite happily living my life as a frequent bearer of bad news, I don’t want to be scared. What I don’t understand, however, is what drives people to constantly assume that everything out of the ordinary is some sinister threat. Are people’s lives really that devoid of mental stimulation*?
People need to lay off the “24” and get out into the world more. They might even discover that it’s filled with friendly, interesting people if they just don’t act like a paranoid asshole toward anyone who doesn’t look just like them.
Finally, the price of being scared is not worth it. I value things like civil liberties a hell of a lot more than I value your life or even mine. I use them every day, and one of the ways I do so is by refusing to buy into the culture of fear that seems to dominate some people’s thinking. This is a hard concept for a lot of people to get their heads around, since it requires rational thinking about risk.
Posted in Security and Risk Management, Terrorism | 2 Comments