security research, software archaeology, geek of all trades
334 stories · 7 followers

Philosophy News Network: Postmodernism Special Report

1 Comment and 4 Shares



Also, existentialism is when, like...you are too cool to care that smoking kills you, because we are all gonna die anyway and stuff.
zwol
20 days ago
Mountain View, CA

The Delicate Art of Asterculture

1 Share

Star-wine is very difficult to make. It’s a complex and sometimes dangerous process. But one must have a hobby, and this is mine. Here’s how it’s done.

First, I harvest the stars. People think that you’re only supposed to harvest the ripest stars—the ones that are near to bursting out of their skins, hanging loose off their nebulae—but actually, those stars only make up about half of the crush. I also grab a few unripe ones, the ones that are still cool enough to grab with bare fingers. They warm up when they’re in the basket alongside the fully-ripe stars, but not all the way, and their slight bitterness adds complexity to the press that you can’t get from just aging. To get a really good sense of terroir, I also let a few comets and loose moons drop in with the crush. People won’t tell you to do this, because they want you to think you’re just drinking stars, but honestly… the wine that comes from people who think like that is crap. It’s three-dollar-a-bottle crap and I don’t think you should drink it. That’s my opinion.

Once I’ve got a full harvest, I wash the stars. I usually do this by blowing gently on them. This is a slightly controversial alternative to the newer, more sterile methods favored by the larger galactic wineries, but I find that a little stardust remaining in the press doesn’t hurt anything. Besides, the radiation the stars emit helps to take care of any lingering bacteriological, fungiform, or parasitic infestations. A soft breath is all it takes to dislodge large, unsightly sediment that will cause clogging and flavor issues during the pressing and aging processes. Too harsh of a breath, of course, and the stars cool. This will result in a bitter press if you’re not careful, and is, in my opinion, the reason so much large-press star-wine has sugar added to it between aging and bottling. But then, I’m a traditionalist.

Orion Nebula; Credit: NASA, ESA, M. Robberto (Space Telescope Science Institute/ESA) and the Hubble Space Telescope Orion Treasury Project Team

Once the stars are clean, they go into a sterile metal bucket. It doesn’t have to be anything special—you can probably get one at your local hardware store! With wine, as with people, it’s what’s inside the container that counts most.

Next, the pressing. I would say that this is the most important part of making star-wine, but truly, it’s just the hardest part. It’s hard because it’s not complex, and it’s not intricate, and it’s not delicate. You can’t be taught how to press stars well, not by studying and not through an apprenticeship and certainly not by watching. The only way to get the hang of pressing stars is by doing it wrong a thousand times over before you get it right. You have to learn it for yourself. It’s frustrating, but if you’re really dedicated to making good star-wine, you’ll put in the work! It’s worth it.

Most people start by wishing too small. They wish for world peace, or for an end to hunger, and the stars don’t budge. Think about it: If wishes like that could break the skin on a star, they wouldn’t survive to a ripeness suitable for drinking! The stars seem so delicate at peak ripeness that it’s easy for even a veteran harvester to forget that they’ve weathered a lot in their centuries of growth. They’ve heard a lot of wishes—they’ve grown fat and juicy with them—and you’re not going to get them to burst open with a small wish like the first one that popped into your head. The toughest part is that when the stars are still burning, they can still soak in the wishes and sweeten further. If you get it wrong too many times, they’ll start to either cool or rot. I recommend practicing on very small batches while you figure it out.

Everyone has their own methods, but I find that the trick is to wish for something so big as to be impossible. Something you wouldn’t dare to wish for unless you meant to break the stars open. So, an end to hunger and poverty won’t do the job. A wish for peace and goodwill between peoples isn’t going to work either. You’ve got to wish for something that puts a strain on the star and makes it finally, finally split. You’ll have to find the ones that work for you, obviously, but try to think of the things that nothing could ever make happen, and wish for those things. I wish that I could hear him laugh like he did when he was a child, or I wish that I could have fixed things before the end, or I wish that the dark, alone place inside of me could be reached by sunlight. Whatever wish you use, it should be the kind of wish you can only make once. It should leave you feeling husked and hollow and broken.

Crab Nebula; Credit: NASA, ESA and Allison Loll/Jeff Hester (Arizona State University). Acknowledgement: Davide De Martin

Once you find the right wish, the skins on the stars will split, and the juice will immediately start running into your press. This is the fun part—my favorite part, really. This is the part where you reach in with both hands and squeeze the cores out of the stars. This part is tiring, and the sensation of the stars bursting between your fingers is reminiscent of reaching into a mouth to pluck out a tongue, or trying to catch a snake as it slides through your garden. There’s no going back once you’ve caught it. There’s no going back once you’ve done it. Now, I always leave a healthy number of skins in with the cores and juice during the fermentation process—like I said, I’m a traditionalist! But if you want a darker batch of star-wine with a less complex flavor, you can strain the skins out. Why you would do something like that, I can’t imagine, but hey, to each their own. The result of your pressing is called the “must.”

Add honey. Some people add sugar, and those people are charlatans who would be better off working at a soda fountain than making star-wine. I use honey from bats that gather pollen from my own nebulae, which is how it’s been done for a long time—but if you don’t tend your own nebulae, or if there’s an eclipse going on at the time of your harvest, or if your bats aren’t producing well, store-bought is fine. I usually add just enough honey to make the must smell like summer, but if you want to make a stronger batch of star-wine, add enough honey to make the must smell like regret.

Don’t worry about yeast. It’s taken care of.

Next, you’ll want to transfer the must into a container to age. This container will impart complexity and depth to the flavor of your star-wine. I like to use oak barrels, but some people prefer pine. Loosely cover the mouth of the barrel with a lightweight cloth woven from the first hairs that fell from your daughter’s head when she was a baby. You might be tempted to use a rubber band or adhesive to hold the cloth in place, but don’t do it! If you’re brewing properly, the cloth will stay put of its own free will. You can always taste when someone has tried to secure the cloth with tools instead of promises—it’s a great way to sour your whole batch, and then you’ll have to start over.

Red Spider Nebula; Credit: ESA & Garrelt Mellema (Leiden University, the Netherlands)

I don’t recommend tasting your star-wine until the first time you cry without knowing why. Some people like to taste sooner, but they end up adjusting the flavor (almost always adding more honey) instead of letting the brew sweeten with time. Be patient! Trust the stars. Ignore the sounds you hear coming from inside the container. Don’t worry if the metal starts to glow and deform—it won’t melt all the way. Do not lift the cloth until it’s time.

You’ll know that your star-wine is ready to bottle when it tastes like power and magnitude and terror. Strain out any particulates, but don’t throw out the muck! I reserve the stuff that I strain out and use it to fertilize my nebulae. The roots really thrive when they’ve got moons to draw nutrients from (plus, the smell of fermented starskins acts as a handy pest repellent). I print my labels at home, because the copy shop has gotten too expensive by half and I might as well use that fancy printer. Microsoft Word has some great templates for printing labels. Make sure to wash your bottles thoroughly and seal the corks tighter than you think you have to; otherwise, when you apply the lead seal to your corks, you’ll get a lot of steam that can crack the glass and is extremely toxic to inhale. You’ll want to let the star-wine mature for at least three years inside the bottle before you drink it, so that it doesn’t turn you into something other than what you are intended to be. Store the bottles in a moonlit place.

It’s a time-consuming and difficult hobby, but once you’ve got the hang of making your own star-wine, you won’t ever want to drink store-bought again! Don’t be scared to give it a try. The worst thing that can happen is that you lose everything you love and everything you are, and what hobby isn’t like that?

Originally published in May 2017.

Hugo and Campbell award finalist Sarah Gailey is an internationally-published writer of fiction and nonfiction. Her work has recently appeared in Mashable, the Boston Globe, and Fireside Fiction. She is a regular contributor for Tor.com and Barnes & Noble. You can find links to her work here. She tweets @gaileyfrey. Her debut novella, River of Teeth, and its sequel Taste of Marrow, are available from Tor.com.

zwol
22 days ago
Mountain View, CA

How have In-Flight Web Page Modification Practices Changed over the Past Ten Years?

2 Shares

When we browse the web, there are many parties and organizations that can see which websites we visit, because they sit on the path between web clients (our computers and mobile devices), and the web servers hosting the sites we request. Most obviously, Internet Service Providers (ISPs) are responsible for transmitting our web traffic, but reports (e.g. [1], [2], [3]) have shown that they may also inject ads into users’ requested web pages to increase revenue. Other parties may also intercept our web traffic for a wide variety of reasons: content-distribution networks (or CDNs) receive requests for websites that are geographically farther away to speed up response time, enterprise software and programs running on our devices may check incoming websites for added security or privacy before passing the website to our browser, and malicious adversaries may attempt to inject malware into requested web content before we receive it.

In 2007, a research group at the University of Washington conducted a study to measure how often these web page modifications occur in practice, and to determine who is responsible for the modifications. Web page modifications were identified using a small piece of software embedded in a test web page, a so-called “web tripwire”, that compared a known good representation of the web page with the version of the test web page users saw in their browsers. The researchers then attributed the modifications to ISPs, malicious attackers, and client software such as ad blockers, using IP addresses and by finding identifying keywords in the injected web content. They found that only about 1.3% of participating web clients saw page modifications. But much about how we interact with and browse the web has changed over the past ten years. More specifically, with the emergence of mobile technologies and new network parties such as CDNs, it is important to learn if and how these new developments have affected in-flight modification practices.

We invite you to take part in our research study. Following the same setup as the UW study, we have created a test web page containing a “web tripwire”. If it detects any in-flight page modifications in our test page, it sends us a copy of the modified version of our web page that your browser received. We minimize the information that we collect to detect page modifications. In addition to page modification data, we only record information that web servers normally record, such as IP address, browser type, date and time of page request, and a cookie to differentiate between users. We will permanently remove any personal information found in the page modifications before sending the modification data to our servers.

By participating in this study, you are helping us gather information crucial for guiding research and building tools to improve web privacy. If you’re willing to contribute to our study, it’s as simple as visiting our test web page: http://stormship.cs.princeton.edu. If possible, we also ask you to visit our page through multiple different devices and browsers, as this will help diversify our collected data. Our test page contains more details about our study, and we will post our results there when we have completed our measurements.

Please reach out to *protected email* or *protected email* with any questions, concerns, or feedback. We greatly appreciate your help in our efforts to improve web privacy!

zwol
31 days ago
Mountain View, CA
acdha
31 days ago
Washington, DC

Incomplete Justice: The Officer Who Killed Walter Scott Should Have Gotten Life Behind Bars

1 Comment

On Thursday, Michael Slager, a former police officer with the North Charleston, S.C. Police Department, was sentenced to twenty years in federal prison—not life imprisonment. Slager had pleaded guilty in May to a violation of Walter Scott’s civil rights, by acting under the color of law, in a shocking, caught-on-video slaying of the fleeing victim in April of 2015. Slager’s depraved actions—shooting an unarmed subject, who was running away, in the back—appear to be a clear-cut case of second-degree murder. The sentence, in my view, did not meet the gravity of the crime. The judge’s decision, however, was restricted by the limiting brackets of federal sentencing guidelines. But the message it sent reverberated throughout the nation. The perceived leniency sets our country on a path backwards, not forwards, in the efforts of law enforcement to work with communities of color.

Slager’s case is yet another criminal justice system failure to mete out appropriate punishment to a rogue “instrument of the state.” By failing to prosecute the disgraced ex-cop to the fullest extent of the law, the system will again—and should again—be questioned and challenged. Slager’s unconscionable actions cast undeserved shade on law enforcement’s administration of the complexities inherent in the “use of force” continuum. Simply put, he has made law enforcement’s job of protecting communities of color exponentially more difficult. The manner in which the case was federally charged—predicated by the state’s previous failure to convict Slager on second-degree murder charges—aggravated the damage inflicted by the system.

As a retired FBI supervisory special agent, I toiled nearly a quarter-century investigating and supervising criminal cases in places like Brownsville, Brooklyn, the South Bronx, and in New York State’s most violent enclave, per capita, the City of Newburgh. I have arrested countless drug dealers and violent street gang members. I have removed multiple weapons from inside waistbands and coat pockets, and have participated in and overseen multitudes of young black and brown men taken into custody, accused of a myriad of federal crimes.

It is a necessary but often unpleasant undertaking to place people under arrest. And the vast majority of law enforcement professionals take the responsibility seriously. They employ the minimum appropriate amount of force to effect an arrest. They treat those in their custodial care with respect, even while often enduring dangerous physical resistance and non-compliance.

Nevertheless, having worked in neighborhoods and barrios comprised of people of color, many of whom view police as an “occupying army,” I can understand their distrust and disdain. It stems from decades of fractured relationships with the law enforcement personnel sworn to protect and serve them. Even anecdotal evidence of mistreatment by one rogue cop can damage numerous positive interactions.

Now retired from the FBI, I have debated questionable police shootings in academic settings and on television panels. Often I am able to provide some context or clarity to a shaky cellphone video or decipher, for a general audience, a particular justified police tactic employed during a violent confrontation. There’s usually an explanation. Or, absent that, there’s a plausible benefit of the doubt to be considered.

In Slager’s case, there was no good explanation or benefit of the doubt. And here’s why:

The law enforcement standard for consideration during a review of the use of deadly force is asking this question: “How would a reasonable cop have responded?” “Reasonableness” for a law enforcement officer does not equate to that of a civilian—an average person. It takes into account a number of specific job-related factors, including the inherent difficulties that cops deal with in real time in their daily encounters. Police do not have the benefit of 20/20 hindsight or slow-motion rewind technology that the “online jurist” enjoys.

To wit:

Action is always faster than reaction. Even seemingly benign encounters can suddenly and unexpectedly spin out of control in a fraction of a second. I know – I’ve seen it. A cop stands with gun drawn and trained on a subject. A distraction. A heartbeat. And someone with bad intentions can draw a secreted weapon and use it before the cop’s brain can cognitively assess the situation fully. But to wait can be fatal: If the suspect is armed, a bullet can instantaneously injure or kill an innocent person or the cop himself. A law enforcement officer must therefore interpret and anticipate a suspect’s movements and words, winnow out what might be a duplicitous ruse, and make a split-second decision to shoot before all of the information can be completely processed.

Managing fear. Contrary to popular belief, cops are not “fearless.” They are courageous – but courage isn’t the absence of fear, only the mastery of it. Proper firearms training should strengthen a law enforcement officer’s ability to control their emotions and slow down the paralyzing physiological effects of fear on their bodies. This is critically important to law enforcement because violent confrontations can occur with little or no warning. Impulsivity or emotional reactivity has no place in law enforcement. Police recruits exhibiting aberrant behavior or an unfitness for the profession must be immediately identified and either retrained or removed from the field as soon as feasible.

And implicit biases – an attitude or stereotype that unconsciously shapes our understanding of a situation – can affect every single one of us. For an agent of the state, furnished with arrest powers and a sidearm, an implicit bias can have a dangerous effect on a cop’s judgment, decisions, and potentially deadly actions. While we all may suffer from biases of this sort, cops must especially work hard to identify, acknowledge, and resist them.

Situational awareness. Law enforcement officers have considerations that go beyond neutralizing the immediate threat. For example, an officer must take in the entire scene in a split second when making the decision to shoot or not. Bodies aren’t bullet traps, and bullets don’t always expend all of their kinetic energy within the intended body they strike. Discharged rounds can also directly strike an unintended person. In short, every round a law enforcement officer discharges must be considered. The difference between one bullet and three may be the basis for an excessive use of force charge. In deciding to pull the trigger, a law enforcement officer must be able to assess how his action will affect everyone at the scene.

In short, the mental calculus that occurs in high-stress situations is one that requires cycling through a multitude of reactions and potential outcomes in a matter of seconds. The officer must then make a split-second decision, knowing that he will assuredly be second-guessed. The “reasonableness” standard for law enforcement is therefore more of a continuum that is highly dependent on the facts of the case, rather than a bright line.

Viewing Slager’s actions along this spectrum, he did not act “reasonably,” and here’s why:

No matter how much adrenaline courses through a law enforcement professional’s body during a foot chase or a struggle, the minimum amount of force must be applied to take the subject into custody or neutralize his efforts to harm the cop or others. That is certainly a difficult exercise. Law enforcement must strive to deescalate situations when someone first seeks to turn the encounter into a contentious interaction with the potential to turn explosive.

And for those who have never been in a fight, or punched in the nose, the idea of focusing on de-escalation amidst the chaos can be an abstraction. The esoteric nature of “physical combat” with someone whom you may perceive to want to disarm you and use your weapon on you is difficult to appreciate for those who have never been in the arena. But that wasn’t what occurred in the North Charleston slaying.

There was no “struggle” ensuing when Walter Scott fled on foot. He was retreating, attempting to avoid being taken into custody. No threat. No reason to empty a weapon into his back.

The guilt in Slager’s case was confirmed by a damning cover-up attempt. The now convicted felon attempted to conceal the execution by planting evidence and lying about the details of the shooting to another responding cop. What Slager perpetrated and then attempted to pull off is exactly one of the worst-case scenarios that inner-city community members have feared for years. This is a classic case of police brutality resulting in a murder and then an attempted cover-up. But, in the immortal words of one-time Associate Supreme Court Justice Louis Brandeis, “sunlight (the cellphone video) is the best disinfectant.”

And despite his clear guilt, the 2016 state murder trial ended in a mistrial. Slager ultimately pleaded guilty to the federal charges last May, and U.S. District Court Judge David Norton handed down the sentence. After listening to several family members make painful emotional statements, while professing forgiveness for Slager, the judge pointed out that the “appropriate underlying offense” in the case brought against the ex-cop should have been second-degree murder.

Slager was certainly entitled to due process and his day in court. And he was afforded those rights—rights that he summarily denied Mr. Scott. The Scott family exhibited equanimity and grace under incomprehensible circumstances. Difficult though it must have been, in open court, they expressed their forgiveness for Slager. But, here, I’ll say it—the disgraced and defrocked cop should have been given a life sentence. Any “mitigating factors” and “extenuating circumstances” provided at trial honestly cannot soften the revolting videotaped images we all ingested.

A staggering number of young African-American men are murdered each year by folks who look just like them. The city of Chicago is a veritable “war zone,” and ended 2016 with 792 slayings. And while the president was lambasted for his inflammatory remarks at a rally in Pensacola, FL, on Friday evening, where he stated that Chicago was more dangerous than Afghanistan, as it relates to African-American men, he’s actually right about the painful numbers.

According to Niall McCarthy in a September 8, 2016 article for Forbes:

Since 2001, Chicago has experienced 7,916 murders (as of September 06, 2016). The number of Americans killed in the wars in Afghanistan and Iraq was 2,384 and 4,504 respectively since 2001.

This should be concerning to all of us. It is especially concerning for cops assigned to patrol tough inner-city neighborhoods in places like Chicago. Consider that when every shooting reflexively reinforces the notion that policing as a profession is “racist” and “predatory.” Law enforcement should not be viewed as the preeminent instrument of lethality to young men of color—and that’s often the message. This eclipses our ability to find any common ground to work in concert to address all forms of criminal violence.

But let’s acknowledge a clear distinction here. Law enforcement should be an institution all Americans look to for protection. Acting as an instrument of the state, under color of law, demands far different accountability than we expect of our citizens. And when an egregious officer-involved-shooting appears “sanctioned” by the state, it rattles the uneasy détente between law enforcement and communities of color.

Law enforcement is an inherently honest profession. The vast majority of those who are drawn to this type of dangerous public service just want to make a difference. They want to be that Thin Blue Line between their neighbors and those who might attempt to harm them. The pay is lousy. The hours are insufferably long. The dangers are abundant. But, sadly, much of our citizenry simply doesn’t respect the badge anymore – and cases like this one don’t help alter negative perceptions.

The policing profession is tough enough in this country without the considerable setback that Slager’s case has created for efforts to bridge the divide between law enforcement and the communities they serve.

zwol
41 days ago
I'm not sure I agree that this is a setback. The man _should_ have been prosecuted for second-degree murder, yes, but consider that this comes after a long string of equally well-documented cases of murder-by-cop where the offender walked away with no punishment at all. From that perspective, it's a positive development.

Also, every article on this topic should end with a call for the unilateral disarmament of all police in America. _As an institution_, they have proven themselves not trustworthy with lethal force. Yes, this means more cops will get shot, in the short term. Yes, this also means in cases where lethal force really is required, they'll have to call out the National Guard and possibly the delay will mean more civilians will die -- but I confidently predict that after two years the overall number of firearms deaths (excluding suicide) will be down.
Mountain View, CA

Citizen Lab Launches Security Planner

1 Comment

Many of us feel we could be doing more to stay safe online, but it can be hard to decide where to start and which advice to follow. At Citizen Lab, we track digital threats targeting civil society groups that usually require complex solutions. However, we are often asked about security advice “for the rest of us.” Fortunately, experts tend to agree that there are basic steps that anyone can take to make their accounts and devices safer. We believe that these practices work like a vaccine: when more people take steps to be safer, everyone’s safety increases.

That is why we are launching Security Planner, a new approach in making the first steps of online safety easier to take, even for those who don’t feel digitally savvy. Security Planner is an easy-to-use platform with tested, peer reviewed recommendations for staying safe online. With just a few clicks, Security Planner tailors straightforward recommendations based on someone’s digital habits and the technology they use. Recommendations are presented with clear language, making it easier to decide if they are right for someone. Our goal is to put people in a position to move from learning to action.

Online security is a journey. And Security Planner is an accessible starting point for that journey, walking individuals through simple practices, like enabling two-factor authentication on important accounts, making sure software stays updated, and using encryption to protect devices from loss or theft. For some, these terms might not be familiar, but Security Planner will help them move past the jargon to take more control of their online safety.

“Two shortcomings in many popular digital security guides are that they may not be regularly updated and often include inaccessible or idiosyncratic recommendations that may not be useful to everyone. By keeping it up-to-date and providing accessible advice from an expert peer review group, Security Planner will raise the security bar for average Internet users on an ongoing basis.” – Ron Deibert, Citizen Lab Director and Founder

Security Planner is designed to give everyone the tools and knowledge necessary to stay safe online.

Finally, it asks questions to identify people who, because of who they are or what they do, may face additional risks. Since these users are likely to require deeper, more personalized assistance, Security Planner points them to organizations and resources that offer these specialized services.

Security Planner is a project of the Citizen Lab, an interdisciplinary group based at the Munk School of Global Affairs at the University of Toronto that focuses on the intersection of technology and global security. Security Planner was incubated by Jigsaw and handed off to the Citizen Lab in December 2015, and receives additional funding and support from Consumers Union, the policy and mobilization division of Consumer Reports.

“We find ourselves living more and more of our lives online, and it’s important that everyone is aware of the simple steps to immediately improve your digital defenses. We are thrilled to partner with Citizen Lab as a home for Security Planner going forward because digital security should be easier. Our hope is that Security Planner, a resource for updated, peer-reviewed and personalized steps to bolster anyone’s online security, makes staying safe online as simple as possible.” – Justin Kosslyn, Jigsaw Product Manager

Our recommendations are developed by a peer review committee of experts from universities, nonprofits, and the private sector. The committee has decades of combined experience in digital security and produces recommendations that balance objectivity, accountability, and accessibility. This approach ensures that no private company can exercise influence over the products or services that we recommend. Security Planner is also overseen by an advisory board whose members include some of the world’s leading thinkers and practitioners in the digital security space. Read more about the peer review committee and advisory board members here.

Threats online evolve over time, which is why we designed Security Planner to evolve as well. Citizen Lab and the peer review committee have a regular update schedule for the tool, to keep the questions and recommendations up-to-date and relevant.

Clear advice and simple steps for your personal online safety are only a few clicks away. See for yourself at Security Planner.

The post Citizen Lab Launches Security Planner appeared first on The Citizen Lab.

zwol
41 days ago
I haven't had a chance to look through this planner, but I trust Citizen Lab to have the expertise to get it right.
Mountain View, CA

Learning from Near Misses

2 Shares

[Update: Steve Bellovin has a blog post]

One of the major pillars of science is the collection of data to disprove arguments. That data gathering can include experiments, observations, and, in engineering, investigations into failures. One of the issues that makes security hard is that we have little data about large scale systems. (I believe that this is more important than our clever adversaries.) The work I want to share with you today has two main antecedents.

First, in the nearly ten years since Andrew Stewart and I wrote The New School of Information Security, and called for more learning from breaches, we’ve seen a dramatic shift in how people talk about breaches. Unfortunately, we’re still not learning as much as we could. There are structural reasons for that, primarily fear of lawsuits.

Second, last year marked 25 years of calls for an “NTSB for infosec.” Steve Bellovin and I wrote a short note asking why that was. We’ve spent the last year asking what else we might do. We’ve learned a lot about other Aviation Safety Programs, and think there are other models that may be better fits for our needs and constraints in the security realm.

Much of that investigation has been a collaboration with Blake Reid, Jonathan Bair, and Andrew Manley of the University of Colorado Law School, and together we have a new draft paper on SSRN, “Voluntary Reporting of Cybersecurity Incidents.”

A good deal of my own motivation in this work is to engineer a way to learn more. The focus of this work, on incidents rather than breaches, and on voluntary reporting and incentives, reflects lessons learned as we try to find ways to measure real world security. The writing and abstract reflect the goal of influencing those outside security to help us learn better:

The proliferation of connected devices and technology provides consumers immeasurable amounts of convenience, but also creates great vulnerability. In recent years, we have seen explosive growth in the number of damaging cyber-attacks. 2017 alone has seen WannaCry, Petya, NotPetya, Bad Rabbit, and of course the historic Equifax breach, among many others. Currently, there is no mechanism in place to facilitate understanding of these threats, or their commonalities. While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set, which could be analyzed for research purposes. This research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data.

One possible regime for gathering such information would be to require disclosure of events, as well as investigations into these events. Mandatory reporting and investigations would result in better data collection. This regime would also cause firms to internalize, at least to some extent, the externalities of security. However, mandatory reporting faces challenges that would make this regime difficult to implement, and possibly more costly than beneficial. An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or “near misses” would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are.

Please, take a look at the paper. I’m eager to hear your feedback.

zwol
47 days ago
Mountain View, CA
acdha
47 days ago
Washington, DC