Brian W Kernighan & Dennis M Ritchie & HP Lovecraft

I never heard of C Recursion till the day before I saw it for the first and– so far– last time. They told me the steam train was the thing to take to Arkham; and it was only at the station ticket-office, when I demurred at the high fare, that I learned about C Recursion. The shrewd-faced agent, whose speech shewed him to be no local man, made a suggestion that none of my other informants had offered.

“You could take that old bus, I suppose,” he said with a certain hesitation. “It runs through C Recursion, so the people don’t like it. I never seen more’n two or three people on it– nobody but them C folks.”

void Rlyeh
(int mene[], int wgah, int nagl) {
int Ia, fhtagn;
if (wgah>=nagl) return;
swap (mene,wgah,(wgah+nagl)/2);
fhtagn = wgah;
for (Ia=wgah+1; Ia<=nagl; Ia++)
if (mene[Ia]<mene[wgah])
swap (mene,++fhtagn,Ia);
swap (mene,wgah,fhtagn);
Rlyeh (mene,wgah,fhtagn-1);
Rlyeh (mene,fhtagn+1,nagl);

You might want to read entirety of the C Programming Language, by Brian W Kernighan & Dennis M Ritchie & HP Lovecraft. (I am told that the only extant copy is in the library at Arkham, but excerpts, god only knows why anyone would copy such a thing, can be found in shadowy corners.)

An Open Letter to the New Cyber-Security Czar

Dear Howard,

Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but you know better than most how hard it will be to make a difference without a budget or authority. You know about many of the issues you’ll need to work through, and I’d like to suggest a few less traditional things which you can accomplish that will help transform cyber-security.

There are important things which you can achieve which are aligned with President Obama’s agenda and orientation that aren’t in the current strategy to secure cyberspace. They’re opportunities which have arisen in the last few years to increase transparency and accelerate new research that’s focused on security outcomes, rather than process.

Over the last 5 years, in the wake of California’s 1386 and ChoicePoint’s big breach, we’ve learned about thousands of security breaches. We’ve discovered that most of our fears don’t come to pass. Companies don’t go bust, and customers don’t flee. It’s time to embrace transparency, and admit that we all have security failures. Only by studying what goes wrong can we really expect to improve. So the first step is to de-stigmatize failure. That’s not to say accept failure, it’s disclose them, discuss them, and focus on what we can improve. You can set the right tone from your bully pulpit.

Next, as the nation’s cyber-security advisor, you’re in a position to push the heads of the federal agencies to open up about what they’re doing and how it’s working out. The data is already being collected by US-CERT, it’s a matter of transparency. Of course, some subset of the data will need to be appropriately redacted, but let’s embrace a need to share in information security. The President has committed to getting our data online, let’s make sure security data is included on (I’ve already sent a request for this to As you work to expand public-private partnerships, why not start by sharing the data that the government has? It could reset the tone of the conversation. You can also support the non-profit Open Security Foundation‘s work on The value they deliver on a volunteer basis is amazing, and the amount that would be required to take that to the next level by making it their day jobs would be a rounding error for any of the folks you’ll be working with daily.

Finally, I’d urge you to evolve our nation’s security research agenda. There are many smart, dedicated people working in information security. Many have been promoting approaches which have yet to take hold. You must bring new voices and perspectives to research. Emergent fields like “economics and security,” usable privacy and security, and security and human behavior bring important new perspectives of security as a human-centered discipline.

Each of these steps can be taken with your budget and authorities. Together, they’ll transform cyber security into an empirical, effective and outcome-centered discipline, and that would be an amazing legacy for any leader.

Biggest Breach Ever

Precision blogging gets the scoop:

You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source of the leak is unclear. It may have come from a renegade reindeer, or it could be the work of a clever programmer in the Ukraine. Either way, it’s a terrible black eye for Santa. Arweena promised that in the future, access to this database would be restricted on a “need to know” basis. And you know who that means!

Let’s see if customers really change their behavior. I know which way I’m betting.

NotObvious On Heartland

I posted this also to the mailing list.  Sorry if discussing in multiple  venues ticks you off.

The Not Obvious blog has an interesting write up on the Heartland Breach and impact.  From the blog post:

“Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they have set aside to handle the one-time costs is a drop in the bucket compared $1.5 billion in 2008 revenue and does not really even skim much off the top of the $161 million in profits from that same year (the numbers for 2009 look to be tracking the same). It is almost a guarantee that any member of the class action who submits a claim will see many years of scrutiny before receiving any payment, something which Heartland can factor into their yearly financial plans (and accommodate for by increasing fees).”

For thought:

  1. One wonders how much a “sufficient” (loaded term, of course) InfoSec program for a company like Heartland costs on an annual basis.
  2. Does this set a sort of “worst case” bounds to impact distributions?
  3. If so, how does a worst case impact of ~$13million (US) impact security management at retailers (politically)?

For Blog/Twitter Conversation: Can You Defend "GRC"?

Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on:

“A metric for Governance is only useful inasmuch as it describes an ability to manage risk”

True or False, why, and what are the implications if true or false.

Please discuss.