The Terrorist Threat from Dirty Bananas

October 31, 2006

In a conversation today, we were discussing nuclear weaponry and radioactivity – Jim C mentioned the radioactivity contained in bananas. I didn’t believe him until I consulted the oracle of all things and came up with this paper on banana radioactivity. From the paper:

Bananas are a good dietary source of potassium. However, 0.0117% of natural potassium is the radioactive isotope 40K…. A large banana (40g) has an activity of about 18.4 Bq (becquerel…) or 0.511 nCi (nanocuries).

Note that, in terms of raw radiation, this works out to about 0.46 Bq/g.

From this document, depleted uranium has a typical radiation level of about 900 times that – 410 Bq/g.

Given that the oft-threatened dirty bomb scenario always involves a “grapefruit-sized” amount of depleted uranium, it seems equally likely that a truck-full of bananas would be just as effective in spreading radiation over a large area (not to mention an incredibly sticky mess).

Is this the next major terrorist threat? Or simply the next piece of security theatre – are we going to start worrying about terrorists armed with Chiquitas?

Honesty and Dishonesty

October 31, 2006

I spent part of the weekend reading Daniel Goleman’s new book Social Intelligence – if you haven’t got this on your shelf yet, you might as well click on the link there and go buy it now. This is probably the most important book since he wrote Emotional Intelligence in 1995.

I’m sure I’ll blog more about different parts of the book in the coming weeks – much of the book provides a genuine neurological basis for many of the social skills that I had planned on talking about anyway. The limiting factor to most success is social, and this book provides a lot of the answers to those questions.

Last night’s dinner conversation was about honesty, though. Melina and I got talking about one of the statements in Goleman’s book – he states that “the human mind defaults to honesty”, which is something I have always believed very strongly in. My wife is a bit more of a cynic than I am, and she has a tendency to believe a little less in the inherent goodness of all people.

So, we got talking about lying, and the question of understanding what the “severity” of a lie is. And we started debating how you measure a lie. She said that the severity of a lie is related to its potential consequences – that if your lie can be reasonably foreseen to be life-or-death, it’s more severe than one that isn’t.

I’ve never been a fan of the “reasonable man” test – it sounds too much like the way that many people in information security assess risk. I call it the “Potter Stewart Pornographic Risk Assessment Method” – “I don’t know how to define it, but I know it when I see it”. (This is the method that advocates of Donn Parker’s “Due Care” approach to information security practice suggest.)

So, if not for assessing some sort of subjective standard of “severity” based on potential damage, what are we left with? How do we assess the severity of a given act of dishonesty?

The 10 Skill Domains of a Personal Security Certification

October 30, 2006

I recently announced the idea of a Personal Security Certification in the same vein as the Personal MBA. In coming up with that type of certification, the first question I asked myself was:

If I could build the perfect information security engineer, what technical skills would she have?

I realized that whatever I came up with, the person would have to have some background in IT to build on – the point of a personal security certification isn’t to create a program that someone with no experience could use. But, given some rudimentary background in IT (e.g. a computer science degree or a couple of years in the industry), I came up with the following 10 domains that comprise a Super-Star Security Engineer:

Domain 1 – Information Security Concepts
Domain 2 – Business Concepts
Domain 3 – Data Networking
Domain 4 – Problem Solving Skills
Domain 5 – Software Engineering / Coding
Domain 6 – Quality Assurance
Domain 7 – Time, Life & Career Management
Domain 8 – Operating System Internals
Domain 9 – Penetration and Exploits (i.e. Breaking In to Things)
Domain 10 – Reverse Engineering Software

The list isn’t meant to be in order – while there are some domains that definitely build on others, most can be taken in any order, based on experience and interest. I recommend starting with the domain that interests you most – the point is that, over the course of a year or two, mastery of each of these 10 domains is required to really become an incredible security engineer.

The next post in this series is going to be about the things you need to learn in the first domain of Information Security Concepts.

The Importance of Context

October 30, 2006

Endpoint security, making smart contextual decisions

Six Sigma and Talent

October 30, 2006

Six Sigma is often thought of as a manufacturing discipline, but lately, I’ve seen it popping up more and more in IT. There was a great story in Computerworld today about how Bank of America is using Six Sigma to improve their development methodology.

While people often think of Six Sigma as a bunch of statistics geeks running around pretending that they are martial artists (“I’m a green belt”. “Oh, yeah? I’m a Black Belt.”), the real key to Six Sigma is that it helps you create repeatable processes. I know that the idea of repeatable development doesn’t square well with the “software development as art” idea, but it really is key to long term quality.

And, more importantly, it will become even more key over the next 20-30 years as we try to deal with the loss of talent. This is how BofA is really thinking about it. From the article:

Desoer is optimistic that the standardized methodology will reduce development time and help make developers and project team members more transferable across business units in coming years. That could be crucial if an exodus of retiring baby boomer technologists and a widely anticipated shortage of entry-level IT workers make it tougher for the bank to find and recruit people with the skills it needs, Desoer says. “We are going to be increasingly challenged to find highly qualified technology associates five to 10 years out,” she adds.

There are three ways to deal with the increasing War for Talent that is going on out there. The first approach is to do what most people do – accept that your talent is going to be mediocre, and pretend that it’s not. The second most common approach is to work harder and harder to recruit more and more – spending like a drunken sailor on recruiters’ fees, internal recruiters, job boards, evaluation tests, etc. This one’s actually what the really great companies out there right now are doing. And, if you do it right (like we did when we started the Toronto office at nCircle), you can come up with incredible talent.

Of course, that strategy only works as long as most people are employing the first approach (the Ostrich method). In the long term, it will be the companies that take on the approach that BofA is using that will be truly successful – the ones that combine the intense hiring and talent screening of the second approach with a long-term plan that focuses on repeatable process to ensure a minimal level of quality (whether quality means “time to market”, “bug free”, “feature rich”, etc.).

Internet Marketing Pyramid Scheme

October 29, 2006

Over at his always awesome blog, Seth mentioned MMMZR in a couple of recent entries.

MMMZR (besides being a nonsense word like LURHQ) is quite an interesting idea for marketing – it brings the traditional “pyramid scheme” format to internet advertising.

If Google had done this as a variant of Google Adwords, it might be a particularly interesting new trend in marketing.

Are you having enough sex?

October 27, 2006

Memetically, that is.

I’ve been reading O’Reilly’s Mind Performance Hacks and he uses the metaphor of sex to discuss memetic transmission.

What is most interesting is that the metaphor suggests that any conversation of diverse ideas is “memetic sex” (i.e. the two people are swapping memetic rather than genetic material).

The question that I can’t help but consider is whether or not I’m having enough sex lately. And what kind of sex is it? Am I inbreeding too much?

How’s your memetic sex life?

The Fundamentals of Change

October 26, 2006

With all of the shifting going on in my life of late, I have been thinking a lot about change.

Chris Keeler once said that every change that you really want comes down to one of two things:

1. You want resources that you don’t have.
2. You want choices that you don’t currently perceive.

The more I think about it, the more I think that the two things are actually the same thing – the ability to perceive choice is a resource. The ability to deal with change really comes down to the ability for you to gather the resources that allow you to either deal with the choices you have at the current moment or to create new ones.

I’m not sure that I’m really disagreeing with Chris here as much as reframing it in a new way – the point is that being able to create the change that you want is a matter of having the resources to create choice as well as capitalize on it.

The Personal Security Certification

October 25, 2006

After writing about going beyond certifications recently, I got thinking about something I read a long time ago: the Personal MBA. From the website:

Business schools don’t have a monopoly on worldly wisdom. If you care more about increasing your effectiveness at work than a diploma and a few lines on your resume, the Personal MBA is for you.

The site then lists a set of learning domains and books that will teach the concepts that you’d learn in a standard MBA program – the goal being to give you the knowledge that an MBA would have. Of course, this doesn’t give you the networking benefits of an MBA (arguably the main benefit of most MBA programs).

But, then, security certifications don’t have that networking benefit. And, while the “Personal Security Certification” isn’t something that you can put on your resume, obtaining the skills of a “Super-Star Security Engineer” will make you a better security pro.

I’m going to do a series of entries around this concept, describing each of the domains of a super-star engineer, and laying out a set of books that will give you mastery of each of those domains.

Dan Miller of 48 Days suggests that reading and really understanding 3 different books on a topic is enough to give you mastery of that topic – the worst that can happen by reading the Personal Security Certification blog series is that you learn a few things that you didn’t know, and become a more well-rounded security engineer.

Counterpane Fire Sale

October 25, 2006

Everybody is talking today about the Counterpane acquisition. What nobody seems to be talking about is the price and how brutally bad a deal this was for Counterpane.

The speculation has this deal at about $40M USD – this is put in perspective by the fact that Counterpane took in rounds of $20 million and $24 million in just two rounds of venture capital.

It’s clear that this was a fire sale of the highest order – it’s pretty likely that the employees saw absolutely nothing out of this deal.