Friday, 27 November 2009

Blond sensation’s message for IT security

Out of nowhere this month there erupted onto the media stage the figure of Phillip Blond, until recently an unnoticed lecturer in theology at the University of Cumbria, now installed as “Philosopher King” of the Tory party, guru to David Cameron, and founder of a new think tank called ResPublica.
Armed with a social theory called “Red Toryism” (a bit of a cocktail out of Edmund Burke, Michael Oakeshott and Catholicism) Mr Blond believes he has the right prescription to fix Britain’s so-called “broken society”, but first, he wants to tell us what’s gone wrong.
He writes pungently. In an essay called The Ownership State he denounces the modern economy’s fixation with:
“...a purely market driven approach, whose domination of the speaking parts [in the corporate narrative] is so complete that in the middle of the greatest management meltdown in history, management responsibility for the financial crisis is entirely shielded from question. Resource allocation, risk, product design, accounting, reward and governance: the visible hand of the financial and banking sector ham-fistedly got every single aspect of management wrong. Yet not only is there no investigation, no critique and no alternatives on offer to the model that has got us here; the same model that caused the crash is now expected to get us out of it again.”
And again:
“In the market sector, Wall Street and the City of London are full of firms staffed by people with the highest academic and business qualifications who are collectively so witless that they have not only burned their own houses to the ground but almost brought down the whole edifice of capitalism.”
“Discuss,” as the exam questioners say; but during the course of the 40-odd pages of Mr Blond’s essay, some other observations resonated because they seemed to bear closely on the subject of Internet Security, and the reasons why experts consistently fail to convince the laity to understand and take online safety seriously (to repeat a shocking statistic: 98 per cent of UK office workers do not see the protection of corporate electronic data as their responsibility).
At the heart of contemporary enterprise Mr Blond perceives that those in command make “pessimistic assumptions” about human behaviour which lead them to devise ever more exhaustive systems of prescription and regulation; these in turn, “by emphasising formal controls perversely make organisations less adaptable, more stupid... a system that overemphasises knavish motives – through crass incentives or rigid targeting – will accentuate them. Or to put it another way, since you get the behaviour you plan for, treating workers like knaves makes them more likely to act like knaves.”
Treating them like idiots, equally, will make them behave more idiotically. But treating them like idiots is, in my experience, exactly what IT security experts generally do to their inexpert clients inside the organisation.
What Mr Blond proposes is a transfer of power, trust, responsibility and reward away from managers and regulators and back to the troops in the front line: to the neighbourhoods, actual and metaphorical, where the living is real, raw and anxious and has material percussion and repercussion.
It seems to me that the critical task as we enter 2010 and develop our plan to “build the human firewall” is to find ways to open up the world of security and effect this transfer and empowerment; to stop delivering sermons and patches and find ways to help the inexpert, collectively (albeit with guidance) to teach security to themselves and each other.
Elsewhere, Mr Blond bemoans the fact that modern capitalism has obliterated “the great intermediary institutions of British life and the non-professional contributor” – all the voluntary, civil associations through which individuals once acquired and shared knowledge and exercised influence.
But is that quite true? Aren’t new “intermediary institutions,” albeit virtual ones, emerging via Facebook, Twitter, LinkedIn and all the other varieties of social media?
And are there clues there to the way staff empowerment could be achieved? In order to create, in Mr Blond’s phrase, “a structure where peer-to-peer motivation builds ethos and expertise and replaces vertical sanction”? It would be useful to start a dialogue.

Thursday, 19 November 2009

Out there still, there are the eggmen

Four doors down, someone often flings his windows open late at night or in the early hours and plays I am the Walrus, repeatedly and very loudly.
You know the song?
Sitting on a cornflake, waiting for the van to come.
Corporation tee-shirt, stupid bloody Tuesday.
Man, you been a naughty boy, you let your face grow long.
I am the eggman, they are the eggmen.
I am the walrus, goo goo g'joob

It doesn’t really bother me. The nights have got cold, so now we have our doors and windows shut. And anyway, after about half an hour a nearer neighbour starts shouting obscenities in such a rage that the broadcast stops.
Before that, as the Walrus chugs along with the velocity and resonance of an old steam locomotive, I tick off various background choruses: “oompah, oompah, stick it up your jumper,” which my Dublin grandmother would have recognised, and “smoke pot, smoke pot, everybody smoke pot,” which she wouldn’t. These were added by an easy-listening group of the time called the Mike Sammes singers, which is rather akin to Julie Andrews providing soprano whoops for Johnny Rotten and Sid Vicious on Anarchy in the UK.
Boxing Day evening, 1967, 8:35. I am the Walrus is one song featured in the latest Beatles film, Magical Mystery Tour, shot in colour and premiered in black and white by the BBC across one-set UK households. There’s nowhere to hide from overindulged adults grunting “what is this rubbish?” For once, you feel pretty defenceless. The Tour (more of a meander, truth to tell) is an effort to enjoy and you sense something ending.
All the other original songs in the film – Fool on the Hill, Flying, Blue Jay Way, Your Mother Should Know and even the title track – have more or less gone under the sand.
But night after night, 42 years later, courtesy of the man down the road (I just assume he must be a man), Lennon, McCartney, Harrison, Starr and the Mike Sammes singers are belting and bellowing out I am the Walrus again and again.
How has the Walrus got its (so far) tiny tusk-hold on eternity? I trek into the web and get lost for longer than I planned in a labyrinth of fan sites.
If you have Windows XP, go play this song on your sound recorder and play it til the line “See how they smile like pigs in a sty see how they snide” and right after it ends stop it and play it backwards and listen real closely to what is heard. I heard John say, “Take this axe and his life is going out tonight.” I am serious! Try it out for yourself to hear it!
Also during the line “If the sun don’t come then you'll get a tan from the English rain” I heard something but can’t remember what...
Also, during the line “Climbing up the Eiffel Tower” backwards I heard the most creepy thing yet, “I smoke marijuana.”!!!!!! You have to really pay close attention to get the word “marijuana” so it sounds like it...

What does this writer do for a living? Air traffic controller, possibly? Bank clerk? Software developer?
While I was trying to sharpen up the stabs at satire here, my son asked if I’d help with his art homework by taking him to the Estorick Collection.
This is a small art gallery in North London featuring paintings, drawings, etchings and ceramics by Italian artists of the first half of the twentieth century – people like Giorgio de Chirico, Mario Sironi and Giorgio Morandi.
And among them, I discover, are works by the self-styled metaphysicals, the proto-surrealists, forerunners of Dali and Magritte, where normal expectations are subverted.
De Chirico – that’s one of his paintings at the head of this – wrote:
“To become truly immortal, a work of art must escape all human limits: logic and common sense will only interfere. But once these barriers are broken, it will enter the regions of childhood vision and dream.”
Semolina pilchard, climbing up the Eiffel Tower.
Elementary penguin singing Hari Krishna.
Man, you should have seen them kicking Edgar Allan Poe.
I am the eggman, they are the eggmen.
I am the walrus, goo goo g'joob g'goo goo g'joob...

But hey, maybe not at two in the morning? Leave me to my own dreams, perchance...

Friday, 13 November 2009

Inside the mind of a betrayer

He sat unshaven at one of the bar’s outside tables, in sunlight, nursing a beer and a cigarette. Sometimes he trembled. It certainly looked as if this wasn’t the day’s first drink, nor its last.
This was Sascha Anderson, perhaps the most extraordinary exhibit in the gallery of extraordinary characters portrayed in the BBC’s feature-length documentary, The Secret Life of the Berlin Wall.
In East Berlin, when the GDR still reigned, he was a poet, a radical, a firebrand – among the most influential figures in the city’s subversive underground.
He was also an informer for the secret police, the Stasi.
“Were you a good spy?” he was asked.
He laughed shyly. He sighed and swallowed. He looked everywhere but at his interviewer or the camera. For a quarter of a minute he said nothing. And then:
“In the place that I was, I was the top informer. I have the feeling that I wasn’t just an ordinary spy.” Now a confessional moment – he looks straight at the interviewer. “Of course, I told them everything.”
Harald – we weren’t given his surname – was another radical, a photographer. “When I came to Berlin I noticed a big gap between what the party said and the reality. And that’s the area I occupied.” He took pictures of punks, ruins and desolation, physical and psychical.
The commentary tells us: per head of the population, the Stasi were twelve times more numerous than the Gestapo, thirty-five times bigger than the KGB in Russia. And that’s not counting their network of informers.
Impossible for Harald to escape their notice.
“There were about thirty-five people informing on me. I thought none of them would be close friends, but I recently realised I was wrong.”
One of them was his friend Sascha Anderson.
Harald was asked what he’d tell Sascha if he saw him now: “’Sascha, you arsehole...’”. A pause. “What am I supposed to say? He has to live with his conscience.” This isn’t said unkindly.
And Sascha himself, asked to explain his treachery:
“Someone comes and wants something from you. And if you’re egotistical and altruistic enough, then you say ‘okay – let’s do it. I’ll do what I can and you do what you can. That’s fine’. I’m not the sort of person who makes decisions based on an idea. So, if the Devil looks good, I might say to him, ‘how can I help you, dear Devil?’”
I remind myself that Goethe’s Faust is much nearer to the mental and cultural surface in Germany than Marlowe’s is in England. Then I spool back, because talk of this Devil’s pact has eclipsed the two self-describing adjectives which came before.
“Egotistical” – yes, a spy would be egotistical. But “altruistic”? Regard for others, as a principle of action; opp. to egoism or selfishness – Shorter Oxford Dictionary.
But if he doesn’t seem to have been much of an altruist, neither does he come across as a great egotist.
“I sensed they wanted something from me. Someone is taking you seriously and listening to you. So I offered myself up. Every gap in the conversation was a chance for me to say: ‘I am the right man for you’.”
Was that egotism, or an appeal for respect from someone who felt misunderstood, undervalued, overlooked? See the film, and you find it hard not to feel sympathy for him, which I found fascinating and disturbing.
He was asked whether, if he’d stopped informing, his Stasi comrades might have put him in prison. He replies, nodding:
“Usually traitors who betray the secret service are given the harshest punishments.”
“What is the punishment for traitors who only betray their friends?” he’s then asked.
He swallows. Grins unhappily. Says nothing.
Another place, another age, another interview...
FAUST: Where are you damned?
MEPHISTOPHILIS: In hell.
FAUST: How comes it, then, that thou art out of hell?
MEPHISTOPHILIS: Why, this is hell, nor am I out of it.
From Christopher Marlowe's The Tragical History of Doctor Faustus (1604)
The Secret Life of the Berlin Wall was produced and directed by Kevin Sim and was a Diverse Production for the BBC.

Friday, 6 November 2009

Internet Security: a conspiracy against the customer?

In the first week of July, 1980, the world would have been destroyed if computer systems had been left to their own devices.
Here’s the novelist Christa Wolf, writing her diary in what was then East Germany, on the very brow of the face-to-snarling-face confrontation between capitalism and communism:
“Meteln, July 8. Twice in the past week, the US computer has sounded the alarm: Soviet rockets are flying towards the United States. In such a case, we are told, the President has twenty-five minutes to make a decision. The computer (we hear) has now been switched off. The delusion: to make security dependent on a machine, rather than an analysis of the situation possible only to human beings”.
From the fact that we’re still here one can deduce that human intervention – probably a red-phone call between White House and Kremlin – overrode the intentions of the machine and prevented our annihilation. But now fast-forward almost thirty years to the recent RSA Europe 2009 Conference in London, and listen to a senior figure from Internet Security:
“Whenever you can take the user out of the security equation without affecting his or her performance then you’re well on the way to a security solution”.
And another speaker:
“Our systems are over-reliant on the human element. We need to completely eliminate human involvement and mitigate its influence”.
Isn’t this the same delusion at large? Doesn’t it demonstrate, if we accept George Bernard Shaw’s theory that “all professions are conspiracies against the laity” the way Internet Security is becoming a conspiracy against the very people it’s supposed to be protecting – the clients and the colleagues who are its ultimate customers? A conspiracy to exclude them, to baffle them, to talk over and round them in an unintelligible language?
The same speaker who urged us to “take the user out of the security equation” invited us to be astounded and outraged when one of the many surveys in his deck revealed that “98 per cent of UK office workers [yes, that’s almost every one of them] do not see the protection of corporate electronic data as their responsibility”.
His solution? Don’t involve them at all. Ignore them. Build a slicker system.
As if security had as its grail a kind of fully-automated Hadron Collider which could revisit the big bang of the virtual world’s creation and reinvent it with the elimination of risk and “the human element”.
My friend and colleague Peter Wood, who runs First Base Technologies, illustrates in his lectures and practice, chillingly and entertainingly, that yes, cyber-criminals are technologically adroit, but principally, they are social engineers: the first vulnerability they seek out is not in the machine, but in the mind: greed, vanity, lust, envy, fear or innocence and trust.
So how do you patch those?
At the 21st annual conference of FIRST, the Forum of Incident Response and Security Teams, held in Kyoto this June, one of the simplest and most provocative suggestions was made by Dr Suguru Yamaguchi, member and adviser on information security at the Japanese Cabinet Office National Information Security Centre.
“We need to find ways to help corporate executives actually to visualize what goes on when a computer network is under attack”, he said. “Just explaining in words isn't enough - the words are too dense, too technical - what we should do is design special games and animations which will bring the severity of current threats vividly alive in the executives’ imaginations”.
His idea flashed around the world, and was picked up on nearly 150,000 news sites within days. He said: stop either ignoring the user or, when you deal with him or her, being technical, turgid, instructional; instead, talk to humans in ways that humans understand; start being dramatic, start playing, start investigating ways to communicate which may even be non-verbal.
It was a theme I developed in my own address to RSA Europe, telling an audience:
“The educational establishment in the UK was convulsed a few days ago by a report which recommended that the culture of targets and rigid curricula for little children should be swept aside and replaced by learning through games and play, at least until the child has reached six.
“Immediately, radio phone-ins were flooded with reports from parents about education systems abroad which applied this theory to astonishing effect. I recall one father ringing in to say that by three his daughter was speaking fluent Japanese and Chinese. She hadn’t been taught them. She’d learned them in a game.
“Of course, at some stage children have to knuckle down and address themselves to a syllabus.
“But why shouldn’t we, as adults, recapture the pleasure and the value of learning through play, and use that as a principal tool to bring the inexpert into the world of Internet Security?”
And I expect the same ideas to be percolating through FIRST’s 22nd conference next year in Miami, which has as its theme “Past the Faded Perimeter” – that is to say, how does security contend with criminals now the 20th century device of inclusive and exclusive technological ramparts has so often turned out to be flawed and permeable to the cunning of delinquent social engineers, playing on human nature?
How else but by involving and enlightening the users, the “human element”, and turning them into willing conscripts in a sort of home guard or civil defence association which becomes a human firewall?
In the UK, the three words “computer says no” have become a catchphrase, popularised by the comedy series Little Britain. Delivered in an advertisement by a plump, bored operative to a supplicant for a loan or mortgage he’s about to disappoint, the line is an indication by a bank of the kind of financial institution it is not and will not become.
But “computer says no” also speaks to a deeper sentiment: to a public rage at and contempt for all those organizations which have replaced the discriminations of the human mind with closed and inflexible processes; which have, for example, in the justice system (one thinks of the case of Gary McKinnon) eliminated reasonable doubt – because a computer has no reason to doubt – and become all sword and no balance.
Partly out of nostalgia (or should I say, Ostalgia: I was in Berlin twenty years ago when, thanks entirely to the pressure of human sentiment, the wall came down) and partly with an eye on a future project, I have been re-reading and researching Christa Wolf, with whose words I began this blog.
In a relatively recent interview she said:
“With the wild growth of technology and global networks, it seems to me that the power of systems is on the rise. And these are becoming independent, it’s no longer possible to ascertain which people carry responsibility. Rational counterweights, like democracy for example, seem to have been hollowed out, and their influence is declining. This is not only regrettable, it also makes you fearful of what our grandchildren’s generation will have to cope with.”
In 1983 Christa Wolf published a novel called “Cassandra” in which she retold the tale of the unhappy Trojan priestess partly as an allegory – well, it’s my theory – for her predicament as an artist in what was then communist East Germany.
Let me finish by reminding you of Cassandra’s story (that’s her with the snakes at the top of this piece, by the way). It was most delicately set down, I think, by the great Dr Lempriere in his Classical Dictionary of 1834:
“CASSANDRA, daughter of Priam and Hecuba, was passionately loved by Apollo, who promised to grant her whatever she might require, if she would gratify his passion. She asked the power of knowing futurity; and as soon as she had received it, she refused to perform her promise, and slighted Apollo. The god, in his disappointment, wetted her lips with his tongue, and by this action effected that no credit or reliance should ever be put on her predictions, however true or faithful they might be… She was looked upon by the Trojans as insane, and she was even confined, and her predictions were disregarded.”
Anyone listening?