Archive for November, 2008

Dan Geer’s latest Security & Privacy essay is up

Friday, November 28th, 2008

For those of us who don’t have a subscription to IEEE’s Security & Privacy newsletter, we can still get a PDF of Dan Geer & Dave Conway’s new essay/column/article, “Security is a subset of Reliability.”

Reliability measures the deviation between the system and the specification. Security involves a sub-space of reliability—only particular deviations—thus, security must be easier than reliability. Thumbs up. Hastening over the delicate premise that the specification is always accurate and up-to-date, we can roughly align security with the subset of reliability where the cost of deviation per unit time is very high. Thumbs down. This makes us wonder about measuring how risk tolerance scales and consequently where to point our thumbs.

Similarly, since I’ve been talking to lots of engineering types about security issues of late, I’ve been using the argument that “security issues are a subset of defects, especially post-release defects, which tend to have a higher-than-average severity.” This gets their attention, since PRDs are something they worry about, even if they consider it somehow “unfair” that security issues are a category of defect that they aren’t very good at.

I’ll definitely be passing this article along to a few people I know.

Lying with numbers, Black Friday edition

Friday, November 28th, 2008

Despite coming from a somewhat unlikely source, this Boing-Boing post, a re-print from last year analyzing how press releases from the National Retail Association get turned into “news,” is a good example of how metrics (or, more likely, made-up crap) get turned into “facts” by an uncritical media, specifically CNN:

[I] examined the retail numbers cited by the National Retail Federation about sales over Thanksgiving, and so-called Black Friday. I made the point that this news is fake news, coming from a press release generated by a retail trade organization and then spoon-fed to us by uncritical reporters. While the stories credit the source, the headlines give the impression that the retail industry wants, using numbers they provide. (Reporters like a story with specific numbers, no matter how contrived they are. Independent backup for the numbers is never provided.) There’s every reason for NRF to present numbers that favor their view that consumers will be buying more. It’s like asking the fox to count the eggs in the hen house and report on the health of the chickens.

Who doesn’t love pirates…or bankers?

Friday, November 21st, 2008

And imagine if they were one and the same! Well, they could be: Somali Pirates in Discussions to Acquire Citigroup

By Andreas Hippin
November 20 (Bloomberg) — The Somali pirates, renegade Somalis known for hijacking ships for ransom in the Gulf of Aden, are negotiating a purchase of Citigroup.

The pirates would buy Citigroup with new debt and their existing cash stockpiles, earned most recently from hijacking numerous ships, including most recently a $200 million Saudi Arabian oil tanker. The Somali pirates are offering up to $0.10 per share for Citigroup, pirate spokesman Sugule Ali said earlier today. The negotiations have entered the final stage, Ali said.

“You may not like our price, but we are not in the business of paying for things. Be happy we are in the mood to offer the shareholders anything,” said Ali.

The pirates will finance part of the purchase by selling new Pirate Ransom Backed Securities. The PRBS’s are backed by the cash flows from future ransom payments from hijackings in the Gulf of Aden. Moody’s and S&P have already issued their top investment grade ratings for the PRBS’s.

Happy Friday, everyone!

Unintended Consequences of Human Action

Saturday, November 15th, 2008

Reading on NPR this evening:

How A-Bomb Testing Changed Our Trees

Back in the 1950s, the Americans, the British, the French and the Russians tried to impress each other by “testing” atomic weapons. This involved blowing up multi-megaton bombs in the air in remote places, but the explosions didn’t stay local.

This is an interesting tale of Carbon-14 created by our “activity”: Carbon-14 in the trees, Carbon-14 in human DNA. This is allowing the study of cell life, etc.

I am not sure where to take this other than to tell you all about it!

How not to solve a problem

Friday, November 14th, 2008

The police in Meghalaya have decided that an ID requirement will reduce electronic crime.

Superintendent of Police (Shillong) Claudia A Lyngwa said strict directives have been issued to cyber cafés and CTCs in running their centres.

“Every visitor to a cyber café should produce an authenticated photo identity card (ID) like passport, college ID, PAN Card, election card, driving license or office ID,” Ms Lyngwa told UNI here today.

The cyber café owners have also been instructed to maintain a daily ‘in and out’ register with details mentioning the time of logging in and logging off for each visitor with name and address, she informed.

The SP said that licensed cyber cafés will also have to maintain a physical log book of users to be filled in by the user.

Ms Lyngwa said, “cyber cafés should not have fully enclosed cubicles which isolate a computer user from other users.” The café will also have to maintain an Internet Protocol allocation/access log recording which IP address was allocated to which machine when a block of IP addresses is used directly on different machines.

I’m ignoring the implicit falsehood that privacy somehow equates to insecurity.

Instead, I’m wondering what percentage of Indian cyber cafes are licensed? I’d be willing to take a bet that the number is fairly small.

Compliance with the law will be a tax on the law-abiding, making them less competitive and effectively driving more of the business to unlicensed providers–just what India, a country with massive street-level corruption problems, does not need.

I know it seems obvious, but when attempting to solve a problem, the solution should not create incentives that make both the original problem and tangential problems worse.

Failing up

Monday, November 10th, 2008

Hiring the head of risk for a failed investment bank to assess bank soundness seems a bit through the looking glass, don’tcha think? Even if he’s the best thing to happen to risk management since the invention of gambling, this is going to be a tough sell on the credibility front any way you slice it.

In a move that is sure to put to rest the notion that there are no second acts in American life, former Bear Stearns chief risk officer Michael Alix has landed a job in the office of the Federal Reserve charged with assessing the safety and soundness of domestic banking institutions.

We suppose that Alix at least has plenty of experience with unsound banking institutions. He was the chief risk officer of Bear Stearns from 2006 until 2008. So, basically, he was the guy on the mast charged with yelling “iceberg” just before the Titanic introduced its bow to a floating hunk of ice. Prior to that he ran credit risk management for Bear from 1996 to 2006, Jon Keehner at Bloomberg points out. That worked out just great.

Sometimes words almost fail me.

In many respects, this is similar to the people who hire (hopefully) former computer criminals as if they somehow know more about protecting networks just because they have hands-on experience with how not to do it.

In both cases, however, one of the bigger deterrents for many would-be miscreants, whether white-collar or more traditionally criminal, is the prospect of being forever unwelcome in what would otherwise be a chosen career or passion. This is part of why it is not illegal, or even gauche, to discriminate against convicted criminals in employment matters. Overlooking this bias at higher levels erodes respect for it at lower levels, which in turn reduces its deterrent effect (already minimal due to discounting) further down the ladder.

It doesn’t matter how good Alix supposedly was at his job. When you’re the CRO of a bank that fails due to poor risk practices, you should be a pariah, plain and simple. At least Nick Leeson paid his debt to society, which is more than Michael Alix will ever be able to say.

Update: More good commentary from Mark Thoma at Economist’s View on this one:

It seems that as chairman of the Securities Industry Association’s risk management committee, Alix was also an important part of the effort to convince regulators that investment banks didn’t need to hold nearly as much capital as their commercial bank brethren. Here’s a letter he wrote to the Federal Reserve’s board of governors in August 2003…

This, we now know, didn’t work so well, either.

But my favorite thing I found in my rooting around was Alix’s June 2004 House testimony on the topic of Basel II. One of the reasons investment banks should be allowed to use more leverage, he said, was because of the protective qualities of mark-to-market accounting…

This, we now know, not only didn’t work so well, but is also, we’re told, causing a lot of the problems we’re having.

Look, I don’t envy the position the New York Fed is in. I have the luxury of not having to go out and hire people who 1) deeply understand the operations of finance firms, and 2) are willing to take a job in the public sector. At the same time, I’m guessing I’m not the only person a little squinty-eyed over this one. …

No, Mark, you’re not.

Controls are Your Friend

Friday, November 7th, 2008

Understanding how your environment’s controls are designed can be a very helpful thing. Consider this developer talking about getting Chromium to work on Linux.

When Chromium was first announced in the beginning of September I was very surprised that it was a Windows only application given that WebKit is very much cross platform. The past few weeks I have been spending a little bit of time here and there hacking on the source code and thought I would write an update for those who are interested on the status of the native port of Chromium on Linux.

On day one you could checkout the source code on Linux and you could build some things. Of course all that you were building were some object files, nothing more, not even Webkit was being built. There was no test application, no linking and no Chrome.

From what I can tell nearly all of the development for Chrome was done on Windows in Visual Studio. There is even a C# tool that can be found in the sources. This led to the case where the normal course of action when something didn’t build on Linux was to just disable it. So by the time that the release was made nearly nothing was being built. I am also pretty sure that the Chromium port was entirely different than the Android port.

Starting with the glue directory I went file by file fixing the compiler errors. Developed in Windows, there were fun fixes such as the Windows “String.h” include that was not used, but caused build breakage on non-Windows platforms. Many patches later a lot more builds on Linux. Linux is part of the build farm so as each file was fixed and enabled it became one more file that Windows developers could not break or their change would be reverted.

Once he gets the code to the point where it compiles under Linux, he uses the controls that already exist in the software quality process, the build farm and its revert-on-breakage rule, to prevent the mainline Windows developers from checking in code that undoes his work on the Linux port. This is why automated software quality tools are generally a Good Thing.

Unix Russian Roulette

Friday, November 7th, 2008

Courtesy of a commenter at slashdot, source of all truly geeky wisdom, comes UNIX Russian Roulette:

[ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo "You live"

(not that `rm -rf` is truly Russian Roulette, more like Russian Kneecapping)

Happy Friday, Everyone!

Risks in Limbo

Thursday, November 6th, 2008

Something that I think we all know, but I had never really broken out as a coherent thought:

There are many risks which “everyone” acknowledges need to be reduced (and cannot easily be avoided), but which no one wants to accept. Of course, usually no one wants to pay to mitigate or transfer the risk, either.

Risks that are stuck in this particular form of Limbo are accepted, and no one should be allowed to claim otherwise.

Those who are not willing to either formally accept the risk or write the check to reduce it, are just contributing to the intellectual dishonesty that perpetuates the problem.

My personal favorite example of this problem is database encryption, especially for Personal Information. People inevitably claim to agree that “this must be done,” since that provides a certain degree of Get Out Of Jail Free Card, at least for notifications, but no one ever writes the check or provides the people to make it happen.

I suspect that you, dear reader, could also provide a few examples of your own.

How I supposedly contributed to the credit crisis

Wednesday, November 5th, 2008

According to the New York Times, I personally was a significant contributor to the current financial crisis ravaging the world economy. No, they don’t name me by name, but they do blame a capital adequacy calculation called “Value at Risk,” along with an alleged bias of risk managers in general, for enabling the current crisis.

From the article:

We’ve had some bad days lately, and it turns out Bear Stearns, Lehman Brothers and maybe some others bet far too much. Their quants didn’t save them.

I called some old timers in the risk-management world to see what went wrong.

I fully expected them to tell me that the problem was that the alarms were blaring and red lights were flashing on the risk machines and greedy Wall Street bosses ignored the warnings to keep the profits flowing.

Ultimately, the people who ran the firms must take responsibility, but it wasn’t quite that simple.

In fact, most Wall Street computer models radically underestimated the risk of the complex mortgage securities, they said. That is partly because the level of financial distress is “the equivalent of the 100-year flood,” in the words of Leslie Rahl, the president of Capital Market Risk Advisors, a consulting firm.

But she and others say there is more to it: The people who ran the financial firms chose to program their risk-management systems with overly optimistic assumptions and to feed them oversimplified data. This kept them from sounding the alarm early enough.

Why do I feel blamed? Because I was the guy who actually wrote the code that the bank ran each night to calculate our VaR report and which the risk managers used to determine capital adequacy.

First off, I’ll add a caveat here, which is that I haven’t worked directly in capital markets risk management in almost ten years. Secondly, I’ll confess that I always insisted I was “just the programmer” when the discussions really got hairy–I wasn’t going to argue too much against a bunch of quants with doctorates in any or all of Mathematics, Statistics, Physics, and Economics. In general, though, their models produced what I felt was a reasonably accurate picture of VaR for our Foreign Exchange Derivatives business at the time.

That’s not to say there wasn’t pressure to produce less conservative risk estimates–traders have a “risk limit” which dictates how much money they can potentially lose at any given time. Since risk correlates to reward (through volatility–see Black-Scholes for more), that also put an upper limit on how much they could effectively earn in profit and, from that, in bonus. A good meta-metric of whether the models were suitably conservative was whether or not the traders were complaining about their inability to take risk: if they weren’t complaining, the models weren’t conservative enough.

Regardless of the complaints, Risk Management and the quants generally stood firm. Most of the quants were former academics, and viewed the accuracy of their models as a pursuit of truth. I was caught in the middle, with traders trying to tell me that “there’s no risk here!” for some position they wanted to take, but which the models said was too risky.

That’s not what happened in the current financial crisis that has been ongoing for well over a month now (and will continue, albeit at a lower level of intensity, for even longer). What happened here is called “Risk Layering,” where each party involved in the transaction convinces themselves that they have transferred their risk to some other counterparty. The risk doesn’t cease to exist, it just ceases to be accounted for. Risk is reduced by mitigation or avoidance. Ignoring and Layering only move it elsewhere.

In this case, the risk built up until reality finally came along and knocked the participants down. That’s not a failure of risk management as a discipline, but rather a failure of risk takers to utilize the available tools. So don’t blame the quants or the folks like myself who translated their wisdom into C, PERL and Java. That’s managing the blame, not the risk.