Friday, September 7, 2007
Howls of Derisive Laughter, Bruce!
By now, we all know that the concentric perimeter devised by the kangaroo jockeys assigned to protect the best and brightest of Asia and the Pacific was ineffective against comedian pranksters. (Perilocity has the lowdown.)
But what if they had been REAL pranksters? The NYC could teach those koala huggers a lesson in deterring those cats. They successfully defended the Republican National Convention against a variety of threats ranging from partial nudity, Johnny Cash impersonators, poetry, wet T-shirts and rock 'n' roll. I'm confident that a couple of pranksters with a Canadian flag and a limo would not have escaped the attention of The Finest, and would have at least one entry in a database. And, oh, yes, their data would be aggregated, sooner or later. Yes.
I guess my point is twofold:
1. A system meant to trap terrorists may not trap your prototypical Prankster 2.0, just as a system designed to trap thieves may not trap auditors. (I believe I have railed on this before.)
2. A system meant to trap terrorists may also trap Johnny Cash impersonators.
Posted by Dutcher Stiles at 4:16 PM
Labels: physical security, privacy, threat, wattle
Tuesday, August 21, 2007
Market Fresh
A curious discussion of terror risk, and a terror prediction futures market by some GMU economist types and at the Chronicle's Footnoted blog.
I don't know enough about econ to assess the value of such a market, but I do wish that someone would set up a Privacy Breach Futures Market so we could make the security analystas put their magic quadrants where their mouths are. (Or vice versa: whichever would be more unpleasant.) Viz, the TJX OMG!!1! MILLIONS IN PWNAGE!! NO!!BILLIONS! analysis found on Computerworld. Maybe something more along the lines of buying squares in a football pool would offer as much predictive value as the collective voices of these cats.
Photo courtesy The Prodigal Son.
And yes, this is the second consecutive post with a Broken Social Scene related title. Because Broken Social Scene are one of my top five most favorite things that are Canadian.
Posted by Dutcher Stiles at 5:17 PM
Labels: breach notification, disclosure laws, risk assessment, risk management, threat, vulnerability
Wednesday, June 27, 2007
Dog of War or McGriff the Crime Dog?
So, soldier or cop? War or Crime? Or both?
I ask this question of my own self after reading (and enjoying) Michael C. W. Research's recent posts on security framed in the context of Clausewitz. Thinking it through, though, I began to wonder if war is the context information security should frame itself in. After all, as an info security practitioner, you are denied both first strike and retaliation with like force. Hampered by a bureaucracy, limited by budget and laden with metrics of questionable value, you perform awareness and outreach to a resistant, often resentful community that harbors potential adversaries. When the adversary attacks, your response is defensive, forensic, and heavily regulated. In the initial analysis, it sounds more like a cop than a soldier.
Like Mr. Peterson, I recently finished reading Robb's Brave New War. Robb describes the decline of wars between states or their proxies and the rise of the global guerrilla. The global guerrilla uses system disruption and open source warfare to break down the brittle security systems of organized and highly interdependent states. Mobile and rapidly adapting to changing tactics, this adversary is usually hidden in the state it is trying to hollow out, cooperating with or participating in transnational organized crime. Now that threat sounds more familiar; Robb describes the phishing marketplace as an example of open source warfare.
Is War now Crime? Is the infosec defense model Clear Hold Build or Broken Windows?
Posted by Dutcher Stiles at 3:49 PM
Labels: crime, global guerrillas, security, threat, war
Tuesday, June 12, 2007
Vulnerability v. Threat
Jeremiah Grossman's analysis of the MSNBC stock contest cheat.
It seems to me that this sort of flaw would rise to the surface quickly from a threat perspective, but slower from a vulnerability perspective. I'm not sure why though.
Posted by Dutcher Stiles at 5:09 AM
Labels: compliance, security, threat, vulnerability