Thursday, December 29, 2005

poem Clock

CLOCK

Still from "Cessation":
Jean-Luc's frame-by-frame

examination
of teeth entering

holes with precisely
enough clockwise turn

to advance the film
one solitary

tick and tension in
a tough medium

to click this reel of
frozen times forward.

Wednesday, December 14, 2005

fyi Cyber Security Group Flunks Washington

All:

Pointer to article: http://www.internetnews.com/security/article.php/3570596

Kobielus kommentary:
Wonderful—a relatively non-partisan issue that I can use to bash Bush, to illustrate his cluelessness on cybersecurity issues. Does anybody seriously think, if Al Gore were elected in 2000, that he would have paid as little attention to cybersecurity as this Republican administration has? He wouldn’t have used 9/11 (and it would have happened under either party’s watch) and its aftermath (and we would have invaded Afghanistan, though probably not Iraq, under a Dem administration) as a convenient excuse to ignore every national security issue that didn’t involve wasteful militarization and irresponsible troop deployments.

Whew—got that out of my system. To be fair to the current administration, even if the Dems were in power now, cybersecurity (as a national security issue) would be a neverending circus. It’s already a lightning rod for political grandstanding, sensationalism, paranoia. Remember the good old McCarthy days when Commies were everywhere? That’s nothing compared with the identity thieves, virus spreaders, DDoS starters, spam blasters, spyware snoops, and other bêtes noires that pervade this new threatscape. Many of the baddies are inhuman, literally (bots), or are human to the extremely limited extent that an untraceable physical finger clicked on an untraceable physical mouse button at some point in the past and triggered a chain reaction that still mushrooms around us.

Name me a politician—or even a single IT industry visionary—who has crafted a comprehensive enough plan for national or global cybersecurity? I mean, a plan, program, or set of governance principles that can effectively frame collective responses to all of the cyberthreat vectors now and in the unforeseeable future? Of course you can’t.

There’s no governance structure that can pass this test. Everybody would flunk. Cybersecurity gores all.

Jim

P.S. Speaking of Washington, we recovered our car last night, which was stolen last Wednesday. Was abandoned on a residential street in the southeast quadrant of the Nation's Capital. Thank you Officer Sanders, and your partner who let us use her cellphone (Nextel's signal was fine and strong), and the lady who gave Egidia tea and a warm place to hang while we were waiting to have the scene "processed" by the authorities and to restart the vehicle. The thieves did considerable damage. I doubt we'll catch them, but I do have surveillance photos of them stealing it from the parking lot of my wife's place of employment. They apparently live near where they abandoned the vehicle, because there's no Metro stop or main thoroughfare nearby to facilitate a quick escape. They seemed to bolt from the vehicle in a hurry, having left it running (draining gas and battery), and leaving their break-in tool. At least those are my hunches on how to identify/target/track down these mofos. But I'm no Columbo. Good thing we leave nothing of value in our vehicles. No sensitive identity data. A car, which many people use as a lockbox, is a potential goldmine of identity data. I will throw out the open box of Cheez-Its they left behind, though.

Tuesday, December 13, 2005

fyi GAO finds 2.3M domain names registered with false data

All:

Pointer to article: http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,106935,00.html?source=NLT_WK&nid=106935

Kobielus kommentary:
I’d call this Internet governance issue number one: at least one out of 10 domains is registered with false contact info.

From an Internet security standpoint, so much depends on the authenticity and accuracy of domain contact info within the Whois database: prosecuting online fraud, tracking malware, canning spam, warding off DDoS, identifying intellectual property violations, and so forth.

I’m shocked that the Working Group for Internet Governance only mentions the Whois database once in its recent 285-page tome on the topic, and only with reference to protecting the privacy of domain owners. ICANN, for its part, clearly hasn’t lit a fire under registrars to investigate, vet, and proof domain owners to a greater degree before registering their domains.

No matter who governs the Internet—ICANN or some body under UN auspices—we can’t rely on a domain registry that’s not authoritative. We can’t have rogue, spoofed, façade domains. They are the number one threat to everybody’s trust in the integrity of the entire Internet governance structure. They are obvious harbors for criminal activity.

Jim

Friday, December 09, 2005

fyi Wikipedia Tightens Rules For Posting

All:

Pointer to article: http://www.informationweek.com/story/showArticle.jhtml?articleID=174900789

Kobielus kommentary:
And you thought I was being melodramatic when I said reputation is a creepy concept.

Quoting the referenced article: “Wikipedia, the open online encyclopedia that's written and monitored by volunteers, has changed its rules for submitting articles after a posting incorrectly linked the assassination of Robert F. Kennedy to a former administrative assistant. A May 26 posting on John Seigenthaler Sr., an assistant to the attorney general in the early 1960s, said Seigenthaler was ‘thought to have been directly involved in the Kennedy assassinations of both (President) John (F. Kennedy), and his brother, Bobby.’ Although Wikipedia founder Jimmy Wales has said that erroneous submissions are usually corrected within minutes, the Seigenthaler "biography" stayed on the site for 132 days before it was corrected. In addition, the "scurrilous text" appeared on search engines Reference.com and Answers.com, Seigenthaler said in a Nov. 29 editorial in USA Today. ‘I have no idea whose sick mind conceived the false, malicious “biography” that appeared under my name for 132 days on Wikipedia, the popular, online, free encyclopedia whose authors are unknown and virtually untraceable,’ Seigenthaler said.”

Now, read again my earlier statement on reputation: “Reputation feels anti-governance, hence unfair. It feels oppressive. It’s the collective mass of received opinion, good and ill, weighing down on a particular identity. It feels like a court where the judge, jury, prosecuting attorney, jailer, and lord high executioner are phantoms, never showing their faces, but making their collective force felt at every turn. It feels like outer appearances, not inner character, ruling our lives….Who, if anyone, are the "reputation authorities"? What, if anything, is a "reputation assertion"? How can we--the identified reputed parties--have any assurance that our reputation isn't determined by the collective malice of bad people who mean to distort and destroy us? How can we be sure that a balanced, fair evaluation of our reputation rises above the din and confusion? Who/what, if anything, is our public reputation (PR) agent/advocate in a world of free-floating ungovernable reputation?”

Not all of us have access to the editorial pages of USA Today to defend our good names. So, if the bad people propagate lies about us through Wikipedia, even for the short time necessary to ruin our reputations, what countermeasures do we have of equal or greater force to restore ourselves, and to hunt down those who’ve destroyed us?

Wikipedia needs strong authentication on all postings. And living people who are mentioned in Wikipedia entries need to be notified immediately upon publication, so that they can immediately correct the errors.

Of course, who’s to say who’s telling the truth about somebody: The original author, the aggrieved subject, or neither of them? How often will Wikipedia’s editors get caught in a tug of war? How reliable can Wikipedia’s entries be, under such circumstances?

Wikipedia’s reputation is what’s being damaged by all this.

Jim

Wednesday, December 07, 2005

personal Year gone by

All:

One weird stressful year, since late last. Among other things, car towed once (a year ago) and stolen (today). Lost a job, then found another. Aged beyond my eldest long-departed parent. Aged enough to see my eldest child attain majority. Saw my eldest sibling get married. Worked insanely hard. Published, didn't perish. Built some new skills. Kept my weight down in the optimal. Firmed up some muscles. Accomplished a great deal, but just absolutely bone-tired. Weathered more rejection and dejection than I can normally stomach. Been a year and a half since I took a real vacation. Closed out "Pieces of Fate," and started a blog. Regained my pride. Made some connections and confessions. Asserted and expressed myself. Took no guff. GMMFM, MF. Lost some hair. Gained no stature, or some, not sure. Improved my posture. Kept on developing my thinking along as many modalities as I could stand, and then some. Rolled with the arbitrariness of it all. Regulated my regularities. Consumed my coffee and my KEXP. Passed the pretty without comment. Passed the mirror of recognition time and again. Passed my 20th year in my chosen/fated career. Passed a lot of ancient tension and peculiarity out of my system. Older now, thinner, taut, not necessarily wise. I’ll leave it at that. Chat with me now and then. Don’t be a stranger. Be a friend. Do the human thing. Come calling.

Jim

Tuesday, December 06, 2005

fyi What is Web 2.0?

All:

Pointer to article: http://edgeperspectives.typepad.com/edge_perspectives/2005/09/what_is_web_20.html

Kobielus kommentary:
John Hagel provides the right balance of openness and skepticism in his commentary on this topic. One quibble I have is with his use of the term “meme.” I can’t stand this neologism and its faux-analogy with genetics. Whatever happened to “trend,” “pattern,” “theme,” or “motif”? Hmmm…if we can agree to define “meme” as a portmanteau of “motif” and “theme,” then I’ll graciously come down from my high horse and agree to accept it into my personal lexicon. Or at least make my peace with it.

But more substantively, Hagel provides the right balance between induction and deduction in his approach to “Web 2.0” as a trendy (meme-y?) topic.

On the inductive side of the fulcrum, he calls attention to the O’Reilly Media folks who coined the term and primarily discuss it in the form of a tired/wired hip list of then vs. now Web hot topics: “There’s no denying that the meme has taken hold, having been developed only about 18 months ago by Dale Dougherty of O’Reilly Media. Unfortunately, as the Wikipedia entry on Web 2.0 reports, Dale never really defined the term, using examples rather than a definition to communicate its meaning: "DoubleClick was Web 1.0; Google AdSense is Web 2.0. Ofoto is Web 1.0; Flickr is Web 2.0."”

On the deductive side, Hagel attempts to divine the underlying trends that distinguish “then” (the Internet/Web in the 90s) from now. He defines “Web 2.0” as “an emerging network-centric platform to support distributed collaborative and cumulative creation by its users.” He deconstructs his definition into its constituent concepts and defines each in context of emerging patterns/trends/etc. All of it a good high-level discussion.

My problem with all of this is that “Web 2.0” is so wrongheaded a term that it undermines his and others’ discussions of what’s really going on.

First off, the “Web” is just one of many Internet environments that’s evolving, and it’s distracting to lump blogs/RSS/syndication, SIP/VoIP/IMS, mobility/WiFi, SOA/XML/SOAP/Web services, messaging/collaboration, identity federation, and other important trends under this umbrella. Tim Berners-Lee was an important figure in the evolution of all this, but it doesn’t all spring from or bear the DNA of this particular Dr. Zeus.

Secondly, the “2.0” faux-version-number is ridiculous. The distributed Internet business/tech/cultural environment is evolving continuously on so many levels that it’s absurd to conceptualize it in terms of versions, or to even hint that versions are relevant anymore in this versionless new world.

Rather than fixate on the dumb “Web 2.0” term, let’s revisit Hagel’s definition of the underlying phenomenon: “an emerging network-centric platform to support distributed collaborative and cumulative creation by its users.” This is a good and valid statement of the dominant trend, though not quite as tight as it could be.

I suggest “a continuously self-reinventing environment.” That gets to the heart of Hagel’s definition, syncs with the genesis of the Internet as a research network continuously reinventing itself, and encompasses what others are trying to suggest with their diverse then-vs-now “Web 2.0” hiplists. In fact, the hiplists themselves are the fundamental reality: when we’re all reinventing everything in our environment all the time, the most effective way of getting your head around it all is to do periodic “round-ups” of then-vs-now tired/wired lists. These lists mark off important milestones in the ever-changing environmental landscape.

Just as critics will soon be publishing their year-end 2005 tired/wired lists for movies, TV, lifestyles, etc.

Just as cultural commentators have long used decades as a convenient grouping mechanism (50s vs 60s vs 70s vs 80s etc) to chart long-running trends.

And just as Western society has long grouped historical developments into “modern” vs. “ancient” or “traditional.” Modern this and that. It’s all just a way of declaring what you consider hip with the contemporary world and want to see serve as a basis for future development. Recognizing of course that the world is fundamentally versionless.

Walk down any street in any city and see the mix of old and new architectural styles. The modern world doesn’t bulldoze the past out of the development equation.

There are no virgin or versioned worlds. There’s no World 2.0--just World 2005, followed by World 2006 and so on and so forth.

Jim

Thursday, December 01, 2005

fyi Mail order selective disclosure of organizational role

All:

Pointer to blogpost: http://www.ldap.com/1/commentary/wahl/20051130_01.shtml

Kobielus kommentary:
Mark Wahl’s commentary is an excellent discussion of assurance in identity management. It touches on a particular type of assurance: the confidence we place in human beings’ apparent intentions, their competency, their honesty, and so forth. Their apparent halos. Their personal assurance.

Wahl notes that we tend to trust strangers more if those individuals have all the external appearances—such as clothing, glib talk, personalities, and racial/ethnic backgrounds—associated with roles, or peoples, or stations in life, that we trust. The more of those external appearances that fit into our comfort zone, the more vulnerable we are to being duped by the occasional wolf in sheep’s clothing:

• The highway robber in a cop uniform.
• “Frank Abagnale Jr, subject of the movie Catch Me If You Can, improved the effectiveness of his check fraud scam by wearing an airline pilot's uniform, pilots being regarded as ‘generally credible and respected professionals’ and so be less likely to be cashing bad checks.”
• The suits we encounter in daily life who convince us to part with our life savings, or waste a big chunk of it on some unique, useless pile of sh*t that only their company provides, and only for a limited time, and only to special customers like yourself and your lovely wife, who obviously have the intelligence and sophistication and experience with such things to recognize and truly appreciate blah blah blah……..

In other words, the social-engineering attack. The con. In one of my recent blogposts, I analyzed the notion of “reputation,” construing it as a type of personal assurance in identity management. “In the IdM context, reputation is more of an assurance or trust level—an evaluation of the extent to which someone is worthwhile to know and associate with.”

In our respective blogposts, Wahl and I were approaching the subject of personal assurance from slightly different angles. He was focusing on the assurance we place in people that we know next to nothing about, other than the fact that they look and act trustworthy—wear the suit, talk the talk, etc. By contrast, I was looking at the assurance we place in individuals about whom we think we know tons, because we have access to what we regard as reliable hearsay/gossip, which tells us that so and so is a good or bad person, an acceptable or excessive risk, etc. He was focusing on the cultural stereotypes that drive our snap judgments of personal reliability, and I was focusing on the cultural grapevine that further confirms or informs those judgments.

This got me to thinking of something I was discussing with an old acquaintance the other day. This person—his name is a common cognate of my grandfather’s Christian name—asked if I would be interested in authoring an article on the possibility of “profiling” IT personnel to measure the extent to which they posed an “insider threat”: someone who was likely to betray their employer’s trust by stealing, compromising, or damaging data, software, hardware, and other IT assets. We just engaged in general brainstorming, but didn’t agree to anything in particular. I offered a few observations, and told him that he’s free to use anything I suggested, if he wished. I assume he’s reading this blog now, and recognizes himself. He’s still welcome to take the ball and run with it.

It just occurred to me that this “insider threat profiling” topic is an application of personal assurance. Before I launch into my further thoughts, I need to come back to Wahl’s post—in particular, the following excerpt:

• “In science fiction author Philip K. Dick's novel A Scanner Darkly, the character Fred, an undercover narcotics agent, would wear a ‘scramble suit’ all the time that he was not undercover. This suit protects the wearer's identity by preventing visual identification: it would encase the wearer and project onto itself random images derived from 1.5 million possible elements of human representations: ‘As the computer looped through its banks, it projected every conceivable eye color, hair color, shape and type of nose, formation of teeth, configuration of facial bone structure--the entire shroudlike membrane took on whatever physical characteristics were projected at any nanosecond, and then switched to the next.... the wearer of a scramble suit was Everyman and in every combination (up to combinations of a million and a half sub-bits) during the course of each hour. Hence, any description of him--or her--was meaningless.’”

Hmmm…someone’s external appearance/demeanor is like a suit that they put on (consciously or otherwise), and that others use as a primary input in assessing personal reliability and integrity. Which reminds me of a teeny-tiny poem I dashed off a few years ago:

• “TAKE SHAPE//we button nerves/and join the fray/a suit's a shape/we wear all day”

We hire people and invest them with responsibilities for many reasons. One of the big reasons is that they wear a trustworthy “suit” that seems right for the role to which we plan to assign them. We’ve all heard of, and occasionally worked with, the “empty suit.” How do we submit the “suit” to a multidimensional “profiling” that allows us to fathom the depth—and angel-to-devil ratio—of the person within? Given that human beings are so complex, creative, and unpredictable, how can we even pretend to know how anybody will behave under all possible future scenarios, and whether they’ll succumb now and then to the temptation to betray their employer in order to pad their own pockets? Or just to wreak havoc for the hell of it?

The cop-out answer is to say we can’t possibly assess other people’s trustworthiness and potential for mischief. But every one of us does it all the time with everybody we know, including our closest family and friends. We do it with bosses, co-workers, customers, and business partners as well. We all rely on intuition: some of us have particularly sharp intuitions, while others are hopelessly naïve and credulous.

How can we assess the trustworthiness of IT staff? These are people in whom you’ve invested responsibility for managing your company’s most critical data, applications, systems, networks, and business processes. Identity management (IdM) systems, in particular, are the most sensitive IT assets, because they drive authentication, authorization, encryption, auditing, and other critical security services that span most applications. How much assurance can you truly place in your IdM, PKI, and trust infrastructure if you have no trust in the people who manage it?

Which brings me back to the notion of personal assurance and profiling of IT staff. Personal assurance is not something you can measure in the abstract. Temptation can bring out the worst in any person. And aren’t the temptations available to IT staff just deliciously juicy? Those temptations become ever more acute as IT personnel realize that they are the high priests and priestesses of sensitive corporate apps and systems that few others understand, and as IT people realize they can easily cover up their misdeed and erase or efface any audit trails.

To the extent that you attempt to profile individuals for their potential to pose insider threats, you must consider the interplay between character and circumstance. Who is this complex individual? And what roles are they performing with respect to places, processes, and platforms in your organization?

Who is this individual? That’s the “character” issue, and you can begin to measure character in terms of some broad personal attributes: background (i.e., resume, transcripts, etc.), aptitudes (i.e., skills, certifications, tests, inclinations, dispositions, etc.), recommendations (i.e., reputation, hearsay, references), and record (i.e., actual documented performance as attested by reliable others, not by the individual themselves).

What roles are they performing? That’s the “circumstance” issue. You can measure circumstance, hence opportunity for mischief, by looking at how much power you’ve given them—or are contemplating giving them—over your IT environment. Absolute power corrupts absolutely.

If you have exactly one IT person who does everything, you’ve created an opportunity for absolute abuse. How much assurance do you have in that one person’s character, however measured? If they’re the only IT “insider,” and you’ve tasked no other “insider” to serve as a check/balance/whistleblower, you’ve invested that one person with absolute assurance.

Which I’m assuming they’ve earned. They’re a familiar face and name, not some anonymous schmoe you recently hired off the street without checking their references, background, criminal record, etc.

Right?

Jim
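The "exactly one IT person who does everything, with no other insider as a check" condition from the post above can be tested mechanically against role assignments. What follows is an added example, not code from the original post or from Wahl's blog; the people, asset names and the two control roles are constructed for illustration, and the rule (every sensitive asset needs at least one acting role and one reviewing role, held by different people) is the post's argument reduced to a check.

```python
"""Added illustration: a toy separation-of-duties check for the
"circumstance" side of insider-threat assessment (how much unchecked power
one person holds over sensitive IT assets)."""
from collections import defaultdict

# Constructed sample data: (person, sensitive asset, role held over it).
# "admin" can act on the asset; "audit_reviewer" is the second insider
# positioned to notice (and not be able to erase) what admins do.
ASSIGNMENTS = [
    ("alice", "idm",    "admin"),
    ("alice", "idm",    "audit_reviewer"),   # alice reviews her own actions
    ("bob",   "pki",    "admin"),
    ("carol", "pki",    "audit_reviewer"),   # bob is checked by carol
    ("dave",  "backup", "admin"),            # nobody reviews dave at all
]

CONTROL_ROLES = ("admin", "audit_reviewer")


def build_index(assignments):
    """Map asset -> role -> set of people holding that role."""
    index = defaultdict(lambda: defaultdict(set))
    for person, asset, role in assignments:
        index[asset][role].add(person)
    return index


def unchecked_assets(assignments, control_roles=CONTROL_ROLES):
    """Return {asset: reason} for every asset with no effective check.

    Two failure modes, both of which the post's 'absolute assurance'
    argument warns about:
      1. a control role nobody holds (no audit trail owner at all);
      2. a single person holding every control role with no second
         insider sharing any of them (they can act and bless their own
         actions, i.e. the one-person-IT-shop case).
    """
    findings = {}
    index = build_index(assignments)
    for asset in sorted(index):
        roles = index[asset]
        missing = [r for r in control_roles if not roles.get(r)]
        if missing:
            findings[asset] = "unfilled control role(s): " + ", ".join(missing)
            continue
        everyone = set().union(*(roles[r] for r in control_roles))
        if len(everyone) == 1:
            person = next(iter(everyone))
            findings[asset] = (person + " holds every control role; "
                               "no second insider can check them")
    return findings


def power_per_person(assignments, acting_role="admin"):
    """Count of sensitive assets each person can act on (a crude
    'how much power have you given them' score from the post)."""
    counts = defaultdict(int)
    for person, _asset, role in assignments:
        if role == acting_role:
            counts[person] += 1
    return dict(counts)


if __name__ == "__main__":
    for asset, reason in unchecked_assets(ASSIGNMENTS).items():
        print(f"{asset}: {reason}")
    print(power_per_person(ASSIGNMENTS))
```

Adding a second reviewer for an asset (e.g. a constructed `("erin", "backup", "audit_reviewer")`) clears its finding, which is the check/balance the post asks for.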