Archive for the ‘Uncategorized’ Category

This post is not directly related to security, though it does have some connections through the broader concepts of governance and leadership. It is something I’ve been thinking about a lot lately and I feel an obligation to write it. For those of you reading just for the tactical security tips, please skip this post.

Recently, there has been a great deal of chatter about eliminating the filibuster – the rule within the Senate that effectively allows a single senator to hold up a bill by continuing to talk about it for hours, days or even weeks on end. The filibuster has been rather famously used to disrupt the passage of key bills and nominations proposed by the majority party. Filibusters are being described as a prime example of partisan bickering and legislative gridlock.

I disagree. Yes, the filibuster can be abused for purely partisan purposes, but at its core the filibuster is a way for the minority party (whether currently Democrat, Republican, Whig or Federalist) to keep a stake in the operations of government and to continue to influence debate. Despite the threats about the “nuclear option”, neither party would be served by the elimination of the filibuster, because each will be the minority again someday.

Much more importantly, the filibuster is a check against the tyranny of the majority. By providing a mechanism to raise the threshold for a vote from a simple majority (50% plus 1) to a super-majority, it acts as a check on the ability of the majority to vote itself unlimited privileges. 51% of the population could, for example, decide to fund the government by taxing just the other 49% – or, less obviously, to skew the burden of taxation onto the minority. Or the 51% could vote in a particular moral code which may not be held by – may even be anathema to – the 49%.

The majority could do so even in a situation where the 51% felt only weak agreement but the 49% disagreed vehemently. Our simple-majority voting system is prone to bias and sub-optimal decisions when the voting groups have different degrees of preference for a result, or where multiple options could or should be considered. (Wikipedia has an excellent discussion of alternative voting structures, some of which are less susceptible to this bias, though each has its own limitations in turn.)

Our legislative system is also susceptible to a recency bias. Get 51% today and, even if you can only keep your majority for the time it takes to vote, the effects will long outlast the majority opinion. In theory, it should be as easy to rescind a law as it was to pass it, but in practice it is remarkably hard to undo a law even in the face of convincing evidence that it is ineffective.

The filibuster is not the only check and balance in our system against the tyranny of the majority and recency bias, and it’s not a perfect one, but it is an important one. A 61% majority might still impose its will on the remaining 39%, but that higher threshold gives the affected minority a chance to raise the stakes and to force additional scrutiny on the debate.

Now there are those who say that the filibuster was a mistake – a minor omission in the procedural rules of the Senate that took on a life of its own. If it was a mistake, it ranks as an outstanding example of serendipity. It subtly encourages one arm of the government to be more deliberative and circumspect in its aims.

I will concede, however, that some of the procedural rule changes within the Senate make the filibuster easier to use than was historically the case. In particular, when the Senate adopted “tracking” in the early 1970s, the connection between the objection and visible debate was broken. Jimmy Stewart in Mr Smith Goes to Washington is no more. Under the current rules, a Senator lodges a procedural filibuster, the bill is set aside and the Senate moves on to other business. No dramatic and colorful endurance exercises on the floor. No pain at all, either for the Senator doing the filibustering or for his peers who should be listening to it. Perhaps they should feel some pain, though. It might encourage them to actually address the underlying issues instead of adopting waiting games and back-room deals for votes. A little bit of pain and a lot of visibility might put some skin back in the game. It might return the filibuster to the status it once held – an important and special legislative tactic to be used only when truly needed.

Either way, it remains an invaluable protection for the rights of the minority.

I read an article this morning on a non-profit called the American Widows Project and thought it sounded like a very worthy cause. In addition to helping them directly, I’d like to do my little part to get them some more publicity.

That reminded me of another recent article on allowable links on your website. That article specifically talks about the problems faced by public entities like school districts and whether they must allow links to private companies on their web pages. It’s a difficult question for any governmental organization. Under US law, they have an obligation to protect free speech but at the same time cannot create the appearance of an unfair endorsement of a private opinion.

For a public entity, it depends on the exact nature of the page – if your township hosts a “forum” where citizens are allowed to express opinions and air grievances, there are very few allowable limits that can be placed on the free speech rights of the people participating in the forum. On the other hand, even public entities have non-public forums – places where completely free speech would get in the way of the very mission that the agency is supposed to carry out. Limits in those forums are more acceptable. Regardless, any limits should be

  1. clearly stated ahead of time,
  2. based on reasonable protections of other rights (for example, ‘no hate speech’ or ‘stay on topic’), and
  3. enforced with ruthless consistency.

If you work with a public entity with any online presence, I strongly urge you to read the eDiscoTech article.

As a private citizen, the calculations are different. First, you have no obligation to allow others to say anything. You are not required to let someone take over your backyard to make their political rant, even if the same speech would be strongly protected in the village square. But you want to allow interaction and linking on your personal website. That social contact is most of what makes the website valuable and brings in readers. The challenge is that your credibility is directly linked to all those outsiders. Anything you include or allow on your own website carries an implied endorsement. If there’s bad content on the other side of a link, it reflects back on you. So if you host a blog (whether on Twitter or a more conventional blog like this one), you probably want to allow comments, but you probably also want to keep some rights to control them, if only to filter out the spam and other worthless content. And you should be fairly conservative about who you link to. Be sure they are the kind of people you want your reputation associated with.

Corporations have it hardest of all. They are private and have no legal obligation to allow their site to be used for the free speech of others, but attempts to suppress or censor negative comments almost always create more backlash and ill will than the original complaint. Corporations generally do best by enforcing clear rules (especially the “off-topic comments will be removed” rule) but otherwise allowing users to post whatever they really feel about the company’s products or services.

Ultimately, I decided to include a link to the American Widows Project – you can see it now in the blogroll on the right of the website. Deciding who you should link to is an interesting question, though.

How many times have you watched someone talking to a reporter and asked yourself “did he really just say that?” What was he possibly thinking? Sometimes people do say stupid things, but sometimes they just get caught because they are not used to speaking to reporters. This is especially true when you are responding to a crisis. Remember that the reporter has one set of goals – and they are not your goals.

When you get into a crisis, it’s too late to be deciding who should talk to the media and how. Have a plan and practice it before the crisis hits so you don’t get caught off guard. The list below has some helpful thoughts about dealing with reporters. It was originally developed at a crisis communications workshop at a Florida Beekeepers meeting in 1992 in response to scaremongering about Africanized honey bees. These rules are still relevant today and apply no matter what your crisis is.

  1. Individual Rights – No one from the press has the right to violate your individual rights.
  2. Honesty – Never mislead or lie to a reporter. If the situation is under litigation, say this is so; if there is a question about profits, dollars or proprietary information, you can defer/refuse answering based on not informing competitors in the marketplace.
  3. Buzz Words – Never repeat an expression or inflammatory statement made by a reporter. As an example, if you are asked what you attribute this catastrophe to, do not repeat the word “catastrophe.” It then becomes attributable to you and you alone; you will “own” it.
  4. Hostility – Never get angry; keep cool and remember the reporter always has the last word.
  5. Off the Record – There is no such thing; if you don’t want it reported, don’t say it.
  6. Estimates – Never make numerical estimates in time or dollars. Say that the incident is under investigation and you will provide accurate information when it becomes available.
  7. Reporter Verification – Ask for identification, the purpose of a reporter’s activities, media affiliation and telephone number.
  8. Bridging – Try to bridge the gap between a reporter’s wish to be negative and providing a positive statement about your activity.
  9. Statistics – If you are not aware of statistics provided by a reporter, say so and ask for them in writing before commenting.
  10. Deadlines – All reporters are on deadlines, but you are not. Take all the time necessary to avoid hasty comments. The fact that a microphone is stuck in your face doesn’t mean you have to say something. Dead air time is not likely to appear on television.
Excerpted with permission from Bee Culture magazine, Jan 2007.

This was originally posted on 13 Sep 2009. I accidentally deleted the post the next week. Here it is again “for the record”.

These days, security is a Red Queen’s race where “it takes all the running you can do, to keep in the same place.” Attackers are constantly raising the bar and making old protections worth less than they were the day before.

The company that hosts this blog recently posted a very good article on the problem. They recommend (and I strongly agree) that you keep your software fully up to date and patched. You might not be perfectly protected from every attack, but you’ll be protected from most of them, and often that is enough.

There’s an old essay by Mike Pilgrim comparing computer security to the Club and to LoJack. If you remember the Club, it was a lock that fit on the steering wheel of the car, making it almost impossible for a thief to steer as he tried to get away. It wasn’t perfect security – a really determined thief who specifically wanted your car could drill the lock or just cut a section out of the steering wheel. But it was pretty good protection from a thief who just wanted a car. As long as easier pickings are available, the thief will follow the path of least resistance.

A grislier way to say it is the old joke about the two hikers who surprise a bear in the woods. They start running and the bear chases. One of them stops to change into sneakers and the other says, “You’re crazy – even in sneakers you’ll never outrun a bear.” The other replies, “I don’t have to be faster than the bear … I only have to be faster than you!”

That “faster than you” attitude can be enough to deflect an attacker to an easier target. On the other hand, if you don’t keep your software patched, you’re choosing to be the guy still in boots – the easy meat. Patch your software and keep it current. If you can, use a tool such as Secunia to help stay current. It’s a lot of work, but it’s better than joining the bear for dinner.

Security theater is a difficult topic for any security person to talk about. First, what is it? Security theater, in my mind, consists of those ‘security’ restrictions that don’t actually improve security. They are put in place to make somebody feel better or to give the appearance of improved security, regardless of their actual effect. They may be well-intentioned, but they are generally poorly thought out.

For example, the early restrictions imposed at the airports which attempted to stop people from bringing “weapons” on the plane used a definition of ‘weapons’ that was so bad that all kinds of harmless tools were confiscated. Yes, a 10″ screwdriver could conceivably be sharpened and used as a punch knife. You’d need a file and a half-hour or so unobserved to sharpen it – not things likely to happen in any concourse I know of, but it’s theoretically possible.

The inconsistency, though, is that they never banned pens or pencils. A number 2 pencil is already sharper than most knives and just as dangerous.

But even assuming the most liberal interpretation of ‘weapon’, what possible harm can an evildoer perpetrate with the miniature Phillips-head screwdrivers that many people carry to tighten the screws on their eyeglasses? There simply is no defensible argument for that restriction – unless you think that no one will notice as the offender sits there for another half-hour and tries to take apart the plane.

The confiscation of those tools (which, while not perfectly safe, were as safe as other routine objects allowed through) represents an unjustified sacrifice of civil liberties. Security is important, but it is not the ultimate goal of life or of business. Security is about managing risks and balancing those risks against the benefits.

Security folks (including myself) often have a hard time with this concept. Our job – our whole purpose in life – is focused on thinking about security, increasing security and reducing risks. We often don’t have the perspective to see the benefits or liberties that we’re infringing with our policies. And we certainly don’t have the incentives to look for those benefits.

This, unfortunately, is why security people should never be allowed the final say in security policy. If you have your own business, have someone who is responsible for security, and listen to them carefully. But make sure that you hear both sides of the argument – the benefits of the security measure and the costs of the policy. Remember that a risk-free environment is not possible. Good security is about balance.