Books Worth Reading: Q2 2019 (Apollo Edition)

  • A Man on the Moon, by Andrew Chaikin, is probably the best of the general histories of the moon landings.
  • Failure is not an Option, by Gene Kranz, who didn’t actually say that during Apollo 13.
  • Marketing The Moon by David Scott and Richard Jurek. I was surprised what a good history this was, and how much it brought in the overall history of the program and put it in context.
  • Spacesuit: Fashioning Apollo, as mentioned previously.
  • Full Moon. Gorgeous photography, printed from very high quality scans; the author convinced NASA to provide access to first generation negatives. You may need to search on Amazon to find a reasonably priced copy.

Also worthwhile: From the Earth to The Moon (DVD, Blu-ray), and the Museum of Flight Apollo exhibit, in Seattle through September 2nd.

Safety and Security in Automated Driving

“Safety First For Automated Driving” is a big, over-arching whitepaper from a dozen automotive manufacturers and suppliers.

One way to read it is that those disciplines have strongly developed safety cultures, which generally do not consider cybersecurity problems. This paper is the cybersecurity specialists making the argument that cyber will fit into safety, and how to do so.

In a sense, this white paper captures a strategic threat model. What are we working on? Autonomous vehicles. What can go wrong? Security issues of all types. What are we going to do? Integrate with and extend the existing safety discipline. Give specific threat information and mitigation strategies to component designers.

I find some parts of it surprising. (I would find it more surprising if I were to look at a 150 page document and not find anything surprising.)

Contrary to the commonly used definition of an [minimal risk condition, (MRC)], which describes only a standstill, this publication expands the definition to also include degraded operation and takeovers by the vehicle operator. Final MRCs refer to MRCs that allow complete deactivation of the automated driving system, e.g. standstill or takeover by the vehicle operator.

One of the “minimal risk” maneuvers listed (table 4) is an emergency stop. And while an emergency stop may certainly be a risk minimizing action in some circumstances, describing it as such is surprising, especially when presented in contrast to a “safe stop” maneuver.

It’s important to remember that driving is incredibly dangerous. In the United States in 2018, an estimated 40,000 people lost their lives in car crashes, and 4.5 million people were seriously injured. (I’ve seen elsewhere that a million of those are hospitalized.) A great many of those injuries are caused by either drunk or distracted drivers, and autonomous vehicles could save many lives, even if imperfect.

Which brings me to a part that I really like, which is the ‘three dimensions of risk treatment’ figure (Figure 8, shown). Words like “risk” and “risk management” encompass a lot, and this figure is a nice side contribution of the paper.

I also like Figures 27 & 28 (shown), showing risks associated with a generic architecture. Having this work available allows systems builders to consider the risks to the various components they’re working on. It lets us have a conversation about the systematic risks that exist, and it also allows security experts to ask “is this the right set of risks for systems builders to think about?”

A chart of system components in an autonomous vehicle

The Road to Mediocrity

Google Docs has chosen to red-underline the word “feasible,” which, as you can see, is in its dictionary, to suggest “possible.” “Possible,” possibly, was not the word I selected, because it means something different.

Good writing is direct. Good writing respects the reader. Good writing doesn’t tax the reader accidentally. It uses simple words when possible, effectively utilizing, no wait, utilize means you’re attempting to make your writing sound fancier than it need be. Never use “utilize” when it’s feasible to say “use.”

Good writing tools are unobtrusive. They don’t randomize the writer away from what they’re working on to try to figure out why in holy hell it’s wrong to be using the word feasible and why it needs to be replaced.

The road to mediocre writing is paved with over-simplification and distraction.

My current go-to is Pinker’s The Sense of Style. What else helps you think about writing?

The Unanimous Declaration of the Thirteen United States of America

(Reading the declaration of independence is a useful reminder of why we chose to dissolve the political bands that connected us to another. It’s not about jingoism, or the results of a plebiscite, but about a “long train of abuses and usurpations, pursuing invariably the same Object,” and the proper response to such acts.)

In CONGRESS, July 4, 1776

The unanimous Declaration of the thirteen united States of America,

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.


Passwords Advice

Bruce Marshall has put together a comparison of OWASP ASVS v3 and v4 password requirements: OWASP ASVS 3.0 & 4.0 Comparison. This is useful in and of itself, and is also the sort of thing that more standards bodies should do, by default.

It’s all too common to have a new standard come out without clear diffs. It’s all too common for new standards to build closely on other standards, without clearly saying what they’ve altered and why. This leaves the analysis of ‘what’s different’ to each user of the standards. It increases the probability of errors. Both drive cost and waste effort. We should judge standards on their delivery of these important contextual documents.

DNS Security

I’m happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance.

They asked us to look at the value of DNS security, such as when your DNS provider uses threat intel to block malicious sites. It’s surprising how effective it is for a tool that’s so easy to deploy. (Just point to a DNS server like

The report is available from GCA’s site: Learn About How DNS Security Can Mitigate One-Third of Cyber Incidents

When security goes off the rails

New at Dark Reading: my “When Security Goes Off the Rails.” Cyber can learn a lot from the highly regulated world of rail travel. The most important lesson: the value of impartial analysis.

(As I watch the competing stories, “Baltimore City leaders blame NSA for ransomware attack,” and “N.S.A. Denies Its Cyberweapon Was Used in Baltimore Attack, Congressman Says,” I’d like to see an investigations capability that can give us facts.)