• Information Security Lessons from a Bronze Age Fort
• Crowd Control Lessons from Pompeii
• Infrastructure Security lessons from the Roman Aqueducts
• Cyber-security Policy Lessons from Thomas Jefferson’s response to the Barbary Pirates
• Identity Management Lessons from William the Conqueror

The Atlantic published this interview with Dr John Ioannidis, a medical researcher who has dedicated his career to showing that “much of what medical researchers conclude in their studies is misleading, exaggerated, or flat-out wrong.” This is true even in the ‘gold-standard’ peer-reviewed studies. The biases of funding and publication pressure are too much to overcome. Worse, even when the studies have been overturned, the medical community continues to rely on the old, disproven theories.

While his study and his research are based on medical journals and medical research, his findings are applicable to everything from physics to economics to computer science.

You can also read Dr Ioannidis’ original paper at PLoS Medicine. He lays out a detailed mathematical proof that, “assuming modest levels of researcher bias, typically imperfect research techniques, and the well-known tendency to focus on exciting rather than highly plausible theories, researchers will come up with wrong findings most of the time.” He wrote a follow-up article here specifically discussing the distortion caused by publication practices. I recommend both for anyone with an interest in the scientific method and/or an interest in sorting truth from rumor among the deluge of “good advice” on the internet.

The U.S. Chamber Institute for Legal Reform recently released a report on the disproportionate share of U.S. litigation cost borne by small businesses. The full report is about 25 pages and well worth reading. The short version is:

• Small businesses generate 64 percent of all new jobs and over half of non-farm GDP
• Small businesses bore 81 percent of business litigation cost, yet represented only 22 percent of US business revenue
• Small businesses pay more of their tort costs out-of-pocket rather than through insurance
• More than one-third of surveyed small businesses had been sued – To put that number in perspective, think of any three local small businesses that you use, maybe your barber, hardware store and local laundry. Do you really think that one of every three is so evil that the only way to resolve the complaint was to go to court?
• 62% reported making business decisions in order to avoid lawsuits and that these decisions made their products and services more expensive. 45% pulled a product or service off the market just out of fear of lawsuits and 11% have had to lay off employees as a result of lawsuits
• For medical businesses, it’s even worse. Tort liability is 94 percent of all medical malpractice litigation for small medical practices and small medical labs. This is driving the medical profession away from small practices and toward large hospital-based and health system-based groups. In just three years, from 2005-2008, small groups dropped from two-thirds of all practices to less than half.
• 66% of the general public agreed with this statement: “The fear of being sued is changing American society for the worse because it’s often having the effect of discouraging people from doing the right things.”

Statistically, some few of those small businesses are bad apples who should be sued, maybe even into bankruptcy. Sometimes, that is your only recourse. But I do not believe that all businesses are inherently evil and am deeply suspicious of the way the legal profession has morphed into a legal industry over the past few decades. The more I read, the more convinced I become that tort reform is desperately needed. Some form of “loser pays” like they have in Europe would be a good first step.

This post titled The Five Biggest Lies in HR by Kris Dunn was fascinating, if a bit cynical. It’s a painfully realistic view of where we really fit in the workforce.

That reminded me of another recent article on allowable links on your website. That article specifically talks about the problems faced by public entities like school districts and whether they must allow links to private companies on their webpages. It’s a difficult question for any governmental organization. Under US law, they have an obligation to protect free speech but at the same time can not create the appearance of an unfair endorsement of a private opinion.

For a public entity, it depends on the exact nature of the page – if your township hosts a “forum” where citizens are allowed to express opinions and air grievances, there are very few allowable limits that can be placed on the free speech rights of the people participating in the forum. On the other hand, even public entities have non-public forums – places where completely free speech would get in the way of the very mission that the agency is supposed to carry out. Limits in those forums are more acceptable. Regardless, any limits should be

1. clearly stated ahead of time
2. based on reasonable protections of other rights (for example, ‘no hate speech’ or ‘stay on topic’) and
3. be enforced with ruthless consistency.

If you work with a public entity with any online presence, I strongly urge you to read the eDiscoTech article.

As a private citizen, the calculations are different. First, you have no obligation to allow others to say anything. You are not required to let someone to take over your backyard to make their political rant even if the same speech would be strongly protected in the village square. But you want to allow interaction and linking on your personal website. That social contact is most of what makes the website valuable and brings in readers. The challenge is that your credibility is directly linked to all those outsiders. Anything you include or allow on your own website carries an implied endorsement. If there’s bad content on the other side of a link, it reflects back on you. So if you host a blog (whether Twitter or a more conventional blog like this one), you probably want to allow comments but you probably also want to keep some rights to control them if only to filter out the spam and other worthless content. And you should be fairly conservative about who you link to. Be sure they are the kind of people you want your reputation associated with.

Corporations have it hardest of all. They are private and have no legal obligation to allow their site to be used for the free speech of others but attempts to suppress or censor negative comments almost always create more backlash and ill-will than the original complaint. Corporations generally do best by enforcing clear rules (especially the “off-topic comments will be removed” rule) but otherwise allowing users to post whatever they really feel about the company’s products or services.

Ultimately, I decided to include a link to the American Widows Project – you can see it now in the blogroll on the right of the website. Deciding who you should link to is an interesting question, though.

When you get into a crisis, it’s too late to be deciding who and how to talk to the media. Have a plan and practice it before the crisis hits so you don’t get caught off guard. The list below has some helpful thoughts about dealing with reporters. It was originally developed at a crisis communications workshop at a Florida Beekeepers meeting in 1992 in response to scaremongering about africanized honey bees. These rules are still relevant today and apply no matter what your crisis is.

1. Individual Rights – No one from the press has the right to violate your individual rights.
2. Honesty – Never mislead or lie to a reporter. If the situation is under litigation, say this is so; if there is a question about profits, dollars or proprietary information, you can defer/refuse answering based on not informing competitors in the marketplace.
3. Buzz Words – Never repeat an expression or inflammatory statement made by a reporter. As an example, if you are asked to what do you attribute this catastrophe, do not repeat the word “catastrophe.” It then becomes attributable to you and you alone; you will “own” it.
4. Hostility – Never get angry; keep cool and remember the reporter always has the last word.
5. Off the Record – There is no such thing; if you don’t want it reported, don’t say it.
6. Estimates – Never make numerical estimates in time or dollars. Say that the incident is under investigation and you will provide accurate information when it becomes available.
7. Reporter Verification – Ask for identification, the purpose of a reporter’s activities, media affiliation and telephone number.
8. Bridging – Try to bridge the gap between a reporter’s wish to be negative and providing a positive statement about your activity.
9. Statistics – If you are not aware of statistics provided by a reporter, say so and ask for them in writing before commenting.
10. Deadlines – All reporters are on deadlines, but you are not. Take all the time necessary to avoid hasty comments. The fact that a microphone is stuck in your face doesn’t mean you have to say something. Dead air time is not likely to appear on television.

These days, security is a Red Queen’s race where “it takes all the running you can do, to keep in the same place.” Hackers are constantly raising the bar and making old protections worth less than they were the day before.

The company that hosts this blog recently posted a very good article on the problem. They recommend (and I strongly agree) that you need to keep your software fully up-to-date and patched. You might not be perfectly protected from every hacker attack but you’ll be protected from most and often that can be enough.

There’s an old essay by Mike Pilgrim comparing computer security to the Club and to Lojack. If you remember the club, it was a lock that fit on the steering wheel of the car, making it almost impossible for a thief to steer as he’s trying to get away. It wasn’t perfect security – a really determined thief who specifically wanted your car could drill the lock or just cut a section from the steering wheel. But it was pretty good protection from a thief who just wanted a car. As long as easier pickings are available, the thief will follow the path of least resistance.

A more grizzly way to say it is in the old joke about the two hikers who surprise a bear in the woods. They start running and the bear chases. One of them stops to change into sneakers and the other says “You’re crazy – even in sneakers you’ll never outrun a bear.” The other replies “I don’t have to be faster than the bear … I only have to be faster than you!”

That “faster than you” attitude can be enough to deflect the hacker to an easier target. On the other hand, if you don’t keep your software patched, you’re choosing to be the guy still in boots – the easy meat. Patch your software and keep it current. If you can, use a tool such as Secunia to help stay current. It’s a lot of work but it’s better than joining the bear for dinner.

For example, the early restrictions imposed at the airports which attempted to stop people from bringing “weapons” on the plane used a definition of ‘weapons’ that was so bad that all kinds of immaterial tools were confiscated. Yes, a 10″ screwdriver could conceivably be sharpened and used as a punch knife. You’d need a file and a half-hour or so unobserved to sharpen it – not things likely to happen in any concourse I know of but it’s theoretically possible.

The hypocrisy, though, is that they never banned pens or pencils. A number 2 pencil is already sharper than most knives and just as dangerous.

But even assuming the most liberal interpretation of ‘weapon’, what possible harm can an evildoer perpetrate with the miniature phillips head screwdrivers that many people carry to tighten the screws on their eyeglasses? There simply is no defensible argument for that restriction. Unless you think that no one will notice as the offender sits there for another half-hour and tried to take apart the plane?

The confiscations of those tools (which, while not perfectly safe, were as safe as other routine objects allowed through) represent an unjustified sacrifice of civil liberties. Security is important. But it is not the end desire of all life or of business. Security is about managing risks and balancing the risks against the benefits.

Security folks (including myself) often have a hard time with this concept. Our job – our whole purpose in life – is often focused on thinking about security, increasing security and reducing risks. We often don’t have the perspective to see the benefits or liberties that we’re infringing with our policies. And we certainly don’t have the incentives to look for those benefits.

This, unfortunately, is why security people should never be allowed to have the final say in the security policy. If you have your own business, have someone who is responsible for security. And listen to them carefully. But make sure that you have both sides of the argument – the benefits from security and the consequences of the policy. Remember that a risk-free environment is not possible. Good security is about balance.

See you soon.