Bureaucracy in inaction

Back in September, a group of Czech artists called EPOS 257 camouflaged themselves as city workers, went to Palackeho Square in Prague and installed a fence. The fence was left on the square with no apparent purpose or explanation.

At first, the city council didn’t know about it, and when they were told, they didn’t know how to deal with it – what if somebody had put it there for a reason?

The fence stayed for 54 days before being removed.

It’s amazing how encrusted our nominally public spaces have become, and sad to see that it’s not just the US that suffers from this.

Fence in a square

Epos 257 via Guerrilla Innovation

Emergent Chaos has TSA "trolls," too

Over at We Won’t Fly, George Donnelly writes:

I was about to delete an offensive comment on this blog – one of the very few we get – and thought, hmm, I wonder where this guy is posting from? Because, really, it is quite unusual for us to get nasty comments. Lo and behold, the troll posted to our website from an IP address controlled by the federal government’s Department of Homeland Security! Here is the taxpayer-funded troll’s gem of a comment, for your entertainment:

In response to Chris’s “Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft” we got a comment from Ran, who wrote:

“What color eyes and hair did the terrorist who shot up the Holocaust museum a few days ago have? How about the guy who murdered that abortion doctor?
Are you suggesting that your blonde haired blue eyed friend should be given a pass when alarming airport metal detectors because he has an X-Ray image that he claims is of his ankle? You have got to be kidding, right?”

Which, really, isn’t a dumb comment. It’s an element of a reasonable threat assessment. Which just plays into my confirmation bias that our commenters are regularly smarter and more insightful (or at least more aware of privacy enhancing technologies and practices) than other blogs’ commenters.

Thank you all for a lovely year of insightful comments here at the combo.

The Only Trust Models You'll Ever Need

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says:

“trust is for suckers.”

But security is keen on having trendy new memes, things to sell you, and I thought that I might as well weigh in because we’re seeing “trust models” in everything from OSSTMM to NIST 800 series to Cloud model thingies.

The problem I have getting all excited about “trust modeling” is that it’s basically yet.another.hypothetical.construct.  We already have “security” and “risk” that our industry finds problematic to define and measure.  Why are we soooo keen on creating another problem child?

And I have to wonder, is it really necessary?  Think about it: my ability to “trust” – a person, connection, system, whatever – is simply an acknowledgement of the risk in transacting with them.  I “trust” my good friends and certain relatives because I have a bunch of experience (priors) that lead me to believe that they are “trustworthy”, which is a nice way of saying “low risk”.  I know these people will go out of their way *not* to hurt me without just cause.

Similarly, when dealing with car mechanics, salespeople, and politicians – I have very little “trust” because there is a high degree of risk in my transaction and I either have no prior experience with them, or really bad experiences with them.

So really, my amount of “trust” is the inverse of the amount of risk I perceive for whatever reason (past experience, lack of data, expected experiences given some trending data).


So in 2011, if you’re sitting in a meeting and some GRC pusher decides that they need trust models for you to be really good at your jobs, you can use the following and explain to them you already have a very nice one, thanks.


Trust = Opposite of Risk

So “Low Risk” becomes “High Trust”.


Trust = 1/Risk

So the larger the risk score, the smaller the trust score.


You don’t need to do anything.  You can say “We trust that this partner will have 10 incidents per year causing us between $50,000 and $2,000,000 in damage” or whatever.

There you go.  A Trust Program/Trust model for absolutely free.

TSA News roundup

Get this 2-page Passenger’s Rights Sheet: http://saizai.com/tsa_rights.pdf

The Emergent Chaos of Facebook relationships

This is a fascinating visualization of 10MM Facebook Friends™ as described in Visualizing Friendships by Paul Butler.

A couple of things jump out at me in this emergent look at geography. The first is that Canada is a figment of our imaginations. Sorry to my Canadian friends (at least the anglophones!)

The second is that borders seem to be remarkably effective at inhibiting friendships, especially in Asia.


Managing WordPress: How to stay informed?

We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins.

So I asked Twitter “What’s the best way to track security updates for wordpress + plugins? I don’t want to have to look at the dashboards daily.” Zot O’Helpful responded “Wait until your site is hacked, then update.” Mark Adams commented that “I discussed WP recently with @markstanislav. We concluded that vulns are most likely to be in plugins, not the core.” Which is fine as far as it goes, but the vulns are more likely to be discovered in the core, and more likely to be widely exploited there.

But the question remains: how do others keep up with WordPress admin duties?

For bonus points, don’t discuss why WordPress doesn’t have a security announcements blog, Twitter stream, mailing list or anything else.

[Update: @chrisjager pointed to feed://wordpress.org/news/category/releases/feed/, which is a good start.]
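One way to act on that feed without checking a dashboard daily, as an added example that is not from the post: parse the releases feed, report only entries newer than the last one you saw, and flag titles that mention security. The feed URL is the one @chrisjager pointed to; the RSS items embedded below are constructed sample data so the script runs offline, and the "last seen" timestamp would in practice be read from a state file.

```python
# Added example: watch the WordPress releases feed for new entries.
# FEED_URL is from the post; SAMPLE_FEED is CONSTRUCTED test data (titles,
# versions and dates are made up) so the functions can run offline.
import xml.etree.ElementTree as ET
from datetime import datetime
from email.utils import parsedate_to_datetime
from urllib.request import urlopen

FEED_URL = "https://wordpress.org/news/category/releases/feed/"

SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Sample releases feed (constructed)</title>
<item><title>WordPress 9.8</title>
<link>https://example.org/news/9-8/</link>
<pubDate>Wed, 01 Dec 2010 12:00:00 +0000</pubDate></item>
<item><title>WordPress 9.8.1 Security Release</title>
<link>https://example.org/news/9-8-1/</link>
<pubDate>Tue, 28 Dec 2010 12:00:00 +0000</pubDate></item>
</channel></rss>"""


def parse_releases(feed_xml):
    """Return (title, link, published) tuples from an RSS 2.0 feed, newest first."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        published = parsedate_to_datetime(item.findtext("pubDate"))
        items.append((item.findtext("title"), item.findtext("link"), published))
    items.sort(key=lambda entry: entry[2], reverse=True)
    return items


def new_releases(feed_xml, last_seen_iso):
    """Entries published after last_seen_iso (ISO 8601 with offset), plus a
    boolean telling whether the title mentions security."""
    last_seen = datetime.fromisoformat(last_seen_iso)
    return [(title, link, published, "security" in title.lower())
            for title, link, published in parse_releases(feed_xml)
            if published > last_seen]


def fetch_feed(url=FEED_URL, timeout=10):
    """Download the live feed (not used by the offline demo below)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for title, link, published, is_security in new_releases(SAMPLE_FEED, "2010-12-10T00:00:00+00:00"):
        print(("SECURITY " if is_security else "") + published.date().isoformat(), title, link)
```

Run it from cron with `fetch_feed()` in place of `SAMPLE_FEED` and persist the newest `published` value after each run.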

Armoring the Bombers that Came Back

Paul Kedrosky writes:

Most of us have heard the story of armoring British bombers, as it’s too good not to share, not to mention being straight from the David Brent school of management motivation. Here is the Wikipedia version:

Bomber Command’s Operational Research Section (BC-ORS) analysed a report of a survey carried out by RAF Bomber Command. For the survey, Bomber Command inspected all bombers returning from bombing raids over Germany over a particular period. All damage inflicted by German air defences was noted and the recommendation was given that armour be added in the most heavily damaged areas. Their suggestion to remove some of the crew so that an aircraft loss would result in fewer personnel losses was rejected by RAF command. [Patrick] Blackett’s team instead made the surprising and counter-intuitive recommendation that the armour be placed in the areas which were completely untouched by damage in the bombers which returned. They reasoned that the survey was biased, since it only included aircraft that returned to Britain. The untouched areas of returning aircraft were probably vital areas, which, if hit, would result in the loss of the aircraft.

…The trouble is, is it true? Did this bomber plating survey really happen, and did the RAF, under the force of Patrick Blackett’s team’s analysis, do the contrarian thing of armoring the untouched parts of the bombers that came back?

I think it’s a fascinating question (Paul points out in his post how the story has spread). In information security, we have a lot of ideas whose origins are lost in the mists of time. That’s all the more remarkable given that information security has been around for barely 50 years. We don’t have to lose our history.
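Whatever the story’s provenance, the reasoning in the quoted passage is easy to check. The following is an added simulation, not part of Paul’s post or the Wikipedia article: aircraft take hits in random areas, hits in areas assumed to be vital are usually fatal, and a survey that only counts returning aircraft therefore sees the least damage exactly where armour matters most. The area names, hit counts and survival probabilities are constructed assumptions.

```python
# Added example: survivorship bias in a damage survey of returning aircraft.
# AREAS, VITAL, hits per sortie and VITAL_HIT_FATAL are CONSTRUCTED assumptions.
import random

AREAS = ("wings", "fuselage", "engines", "cockpit")
VITAL = {"engines", "cockpit"}   # assumption: a hit here usually downs the aircraft
VITAL_HIT_FATAL = 0.9            # assumption: probability one vital hit is fatal


def fly_sortie(rng, hits_per_sortie=3):
    """One aircraft takes hits in random areas; returns (returned, damage)."""
    damage = {area: 0 for area in AREAS}
    returned = True
    for _ in range(hits_per_sortie):
        area = rng.choice(AREAS)
        damage[area] += 1
        if area in VITAL and rng.random() < VITAL_HIT_FATAL:
            returned = False     # aircraft lost; its damage never reaches the survey
    return returned, damage


def survey_returners(n_sorties=10_000, seed=1):
    """Damage totals as a survey of returning aircraft sees them, alongside
    the true totals over every aircraft that flew, and the number lost."""
    rng = random.Random(seed)
    seen = {area: 0 for area in AREAS}    # counted by the survey
    truth = {area: 0 for area in AREAS}   # all hits, lost aircraft included
    lost = 0
    for _ in range(n_sorties):
        returned, damage = fly_sortie(rng)
        for area in AREAS:
            truth[area] += damage[area]
            if returned:
                seen[area] += damage[area]
        lost += not returned
    return seen, truth, lost


def armour_recommendation(seen):
    """Naive rule armours the most-hit area of returners; Blackett's rule
    armours the least-hit one. Returns (naive, blackett)."""
    return max(seen, key=seen.get), min(seen, key=seen.get)


if __name__ == "__main__":
    seen, truth, lost = survey_returners()
    print("survey sees:", seen)
    print("truth:      ", truth, "lost:", lost)
    print("naive vs Blackett:", armour_recommendation(seen))
```

The true hit counts are roughly equal across areas; only the survey of survivors makes the vital areas look safe.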