The Tough Mind

The tough mind is sharp and penetrating, breaking through the crust of legends and myths and sifting the true from the false.

Who doubts that this toughness of mind is one of man’s greatest needs? Rarely do we find men who willingly engage in hard, solid thinking. There is an almost universal quest for easy answers and half-baked solutions. Nothing pains some people more than having to think. 

Martin Luther King Jr., Strength to Love (Fortress Press, 1981) 14. 

The Mystery of the Ordinary

A couple of weeks ago, after I had finished the final Harry Potter novel, I wrote a couple of paragraphs about the appeal of these stories. They are novels in which readers, kids and adults alike, watch Harry experience new, exciting and terrifying things, almost always for the first time. Even the most mundane and insignificant encounter is dramatic and memorable for Harry. Of course, in the novels, Harry experiences the fantastic as well. This transformation of the mundane into the extraordinary is something that occurs regularly in the life of a child, and this is perhaps why the novels are so appealing. As adults we may have vague memories of that transformation, and through the novels we glimpse dimly into those cherished experiences. For the child reader, it is the best of both worlds. G.K. Chesterton says that these types of stories will endure because they place an ordinary character within the extraordinary.

The old fairy tale makes the hero a normal human boy; it is his adventures that are startling; they startle him because he is normal…You can make a story out of a hero among dragons; but not out of a dragon among dragons. The fairy tale discusses what a sane man will do in a mad world.

In fact, Chesterton amplifies my own sentiments about this joy of discovery.

This is proved by the fact that when we are very young children we do not need fairy tales: we only need tales. Mere life is interesting enough. A child of seven is excited by being told that Tommy opened a door and saw a dragon. But a child of three is excited by being told that Tommy opened a door. Boys like romantic tales; but babies like realistic tales — because they find them romantic.

I see this often in the lives of my own children. The young child is living the romantic and mystic life at every step as new encounters, people and experiences bombard his inquisitive and naive senses and open his heart and mind to the wider world around him. This is why proper education (or even facilitation) is important. This activity of timely and responsible disclosure, which leads and allows children to discover the wonder of the world, is perhaps one of the finest things we can do. Sadly, because we have lost that feeling of wonder and live in the mundane, we have forgotten the excitement, enchantment and magic of the world that our children experience at every turn.

The Myth of the Malicious DBA

There is this idea, driven by the combination of regulatory compliance requirements and money-hungry vendors (sorry, well-intentioned solution providers), that there is a malicious database administrator operating within most organizations. This database administrator is likely part of a large network of information traders attempting to fence their ill-gotten goods to the highest bidder. They can strike at any time and are, most likely, deciding which other choice pieces of information in your organization will subsidize the purchase of their fourth Murciélago. There is no question that this scenario makes for a great (read: terrible) Hollywood film premise. Presently, however, it is nothing more than a work of fiction.

Whatever the intentions of those propagating this myth of the malicious DBA, the data currently available does not tell such a story. Even a cursory glance at this data paints a completely different picture. Feel free to explore the data yourself (the Privacy Rights Clearinghouse chronology is in the references below). In the chart below you can see that a malicious DBA was responsible for 3% of data-related breaches. You should also know that I was being generous with the descriptions. It was most likely *not* a DBA, but then perhaps you’d think *I* was making this up if there were no DBA-related activity at all.

Breach Statistics (January 2007)

For all this breach data, there are still companies that tell you their state-of-the-art encryption technology will help you defend your organization from the malicious DBA threat. It seems odd to spend so much on the “Malicious DBA” threat when it accounts for probably less than 5% of the overall threats to confidential data. I think these product vendors know this. This is why they attempt to tell you that their database encryption product “protects the data within the DBMS and also protects against a wide range of threats, including storage media theft, well known storage attacks, database-level attacks, and malicious DBAs.”

Database encryption won’t help you with the laptop problem, it won’t help you with the paper problem, it won’t help you with process problems and it won’t help you with the hacker problem, because the application that the hacker comes through holds the key and decrypts for whoever asks. If you want to make the stretch (and to be charitable I will), it helps with the tape problem (assuming your undefined backup processes capture data that is still valuable to bad guys but is not required to be protected by regulation), it may help with the disk-gone-missing-from-the-server problem, and it may help with the malicious DBA problem. But, wait, there isn’t a malicious DBA problem. So what does database encryption do again?
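To make the threat-model point concrete, here is an added example written for this page (it is not the code of the product quoted above, and it makes no claim about that product). A tiny application keeps a column-encrypted SSN field. An attacker who walks off with the raw database file or a backup sees only ciphertext; an attacker who comes in through the application's own query path gets plaintext, because the application holds the key and decrypts whatever its query returns. The search function is deliberately injectable for the demo, the HMAC-SHA256 keystream is a stdlib stand-in for a real cipher such as AES-CTR, and the customer rows are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Application-tier key. The app must hold it to serve decrypted data; that is the whole point.
APP_KEY = os.urandom(32)


def _keystream(key, nonce, length):
    """Stand-in for AES-CTR built from HMAC-SHA256 so the example needs only the stdlib."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(value, key=APP_KEY):
    """Column-level encryption: random 16-byte nonce followed by the XORed plaintext."""
    nonce = os.urandom(16)
    data = value.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_field(blob, key=APP_KEY):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def build_demo_db():
    """In-memory customers table with an encrypted SSN column (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, ssn_enc BLOB)")
    for name, ssn in [("alice", "123-45-6789"), ("bob", "987-65-4321")]:
        conn.execute("INSERT INTO customers VALUES (?, ?)", (name, encrypt_field(ssn)))
    conn.commit()
    return conn


def raw_rows(conn):
    """What a stolen disk or backup tape yields: names plus opaque ciphertext blobs."""
    return conn.execute("SELECT name, ssn_enc FROM customers").fetchall()


def app_lookup(conn, name):
    """The application's customer search. Deliberately builds SQL by string concatenation
    (the injection bug is the point of the demo) and decrypts whatever rows come back."""
    query = f"SELECT name, ssn_enc FROM customers WHERE name = '{name}'"
    return [(n, decrypt_field(blob)) for n, blob in conn.execute(query)]


if __name__ == "__main__":
    db = build_demo_db()
    print("normal lookup:", app_lookup(db, "alice"))
    print("via the app, injected:", app_lookup(db, "' OR 1=1 --"))
    print("raw file contents:", raw_rows(db))
```

Run it and compare the last two lines: the injected query returns every SSN in the clear, while the raw rows are useless without `APP_KEY`. Encryption at rest changes what a stolen medium is worth; it does nothing about a request the application itself is willing to answer.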

References:

http://www.privacyrights.org/ar/ChronDataBreaches.htm#Total

http://www.ingrian.com/resources/sol_briefs/implementation-sb.pdf

Rumpelstiltskin

Yesterday while browsing the children’s books at my local Borders I spotted Rumpelstiltskin. While it is not the version I am used to, it is very nice to look at and captures the major plot points quite simply. I’m trying to figure out why it has taken me this long to get this tale and share it with my children, but I have no answer. When I read it last night my children gasped in horror at the king’s ultimatum given to the miller’s daughter. They gasped even louder as the straw-filled rooms grew in size after each night. It was great fun and I’m sure it will become a common bedtime request.

Stories, real or imagined, have incredible power. While I’m certain that the lectures I give my oldest are quickly forgotten, I know with equal certainty that after just one reading of Rumpelstiltskin the story will be forever locked away in her memories. This is instructive in a number of ways. The use of stories to communicate moral messages, values and beliefs can be found in some of the oldest documents of antiquity. I think that as a modern society surrounded by “facts” and “laws”, we quickly forget the power of story. This is especially the case when we forget that most young children are not developmentally ready to hang “facts” and “laws” onto their neural hooks and use them appropriately. Stories have this magic ability to bypass the developmental requirements and plant themselves firmly within the child’s mind along with their moral messages. Are stories that contain the messages we value most more effective than other methods? I don’t know, but it would seem quite foolish to completely ignore the wisdom and traditions of previous generations.

Chesterton’s Madmen

The man who cannot believe his senses, and the man who cannot believe anything else, are both insane, but their insanity is proved not by any error in their argument, but by the manifest mistake of their whole lives. They have both locked themselves up in two boxes, painted inside with the sun and stars; they are both unable to get out, the one into the health and happiness of heaven, the other even into the health and happiness of the earth.

– G.K. Chesterton, Orthodoxy (Doubleday, 2001) 22.

Asperger Test

I took the test which allegedly tells you whether or not you have high-functioning autism. I guess I don’t. I scored 25. Unfortunately, I’m not sure whether that score is good or bad or meaningless. Perhaps that is part of the test? Try it and post your answers.

http://www.piepalace.ca/blog/asperger-test-aq-test/

The Anti-Sit

I’m not sure what category to file this in, but I have to share. Perhaps this isn’t anything new to most, but this was the first time I saw anything like it. I guess in many places throughout the world public objects are modified to prevent people from sitting on them. This link will take you to photos of these modifications. Wow, I need to get out more often... as long as I bring my own chair.

http://www.usemenow.com/web-log/archives/the_antisit/

Blog Compartments

I was thinking how odd it must be for the few people who find their way to this blog to see such a mix of topics. Typically, at least in my experience, blogs have some sort of focus. Whether this focus is a person’s professional life, life at home, philosophical musings or specific interests, there is some guiding principle that attempts to bring some coherence to the parts. I have deliberately, and perhaps I will regret this someday, attempted to resist such compartmentalization. Life is seldom so neatly divided as we’d like to present it in a blog. I’m sure it isn’t the intention of many to hide other facets of their lives from their readers. I imagine it has more to do with not wanting to bore a reader with vacation exploits when what they’re expecting is the recipe of the day. So, it is with an apologetic attitude that I must inform anyone who is reading that you’ll have to scroll past what is of little interest to you on this blog to find what does interest you. I know it is terribly inconvenient.

The American Tragedy

I’m constantly amused by the romanticism surrounding the transition and transformation of Colonial America into the collection of united states. We’ve all (those who have been educated in the U.S.) been exposed to the themes of oppression, misrepresentation and tyranny that are found throughout the writings of the period. In some ways this romanticism is well-founded. We witness a loose collection of colonies fight and scrape their way toward independence. Following on the heels of this new found independence they manage to construct and implement a system of government that was an amalgam of incredible ideas and ideals. The Enlightenment, the earlier Renaissance and the Scientific Revolution were the fertile seedbeds from which the founders harvested. All of these events, which seem trivialized by my meager coverage, are worthy of respect and study regardless of your political and religious views. Despite all of this, there is this irony just below the surface; the type of irony contained within a tragedian’s masterwork.

This tragedy was not, however, written by a poet attempting to craft a contemporary version of a Homeric epic replete with fatally flawed characters. Instead, this is the story of the truly tragic. Yet in school, in our romanticism and admiration of the great and fantastic accomplishments, all that is dark and gone awry is obscured or hidden away. There can be numerous reasons and explanations for why this is so. How, though, are we to learn from our mistakes and improve ourselves and our nation except by gazing long and hard at our past in all its greatness and imperfection?

Very early on we see the expansion and colonization (if I can use that word) of the west. As a newly united and sovereign nation there appears some implicit expectation of entitlement. We can see the transformation of the once oppressed into the oppressor. The Thrasymachian undercurrents can be seen when battle after battle is fought to annex more territory. Might makes right is what we can read between the lines. But how can this be? Surely there are some foundational, unalienable rights that should not, no, cannot, be violated. And yet by some weird twist of fate the new republic dons the mantle of tyranny.

What entitles a sovereign nation of any size to seize or purchase territory? What entitles a sovereign nation to marginalize an indigenous population in such a way as to sell the land they live upon? This raises a host of complex questions that we are loath to address. Deep down we all know the answer. But to answer the question requires a great shift in thinking and action. Could this be why we don’t think about how our lovely land was formed?

To add additional irony, I am writing this from a chair in a state that was ceded to the United States after the Spanish-American War. Without a U.S. victory, I may not have been born here or anywhere for that matter. I enjoy the freedom to write and live as peacefully as possible. I enjoy what all the wars and innumerable deaths have provided. I am truly thankful, but it sounds odd or morbid to offer any sort of thanks for these events. The founders did great things in constructing a country such as this. It is unfortunate that it came at such an incredible price both before and after the founding of our nation.

Note: This isn’t some crazy anti-war polemic. I try to resist such polarization and classification, but if you must label me, consider me a supporter of patriotism, freedom and reform. Consider me optimistic that we can be truly human by improving ourselves through honest reflection.

What is Application Security Testing?

For all of the “growing up” that the security industry has done in recent years, it is amazing that proper distinctions are not being made when it comes to testing. No, not that testing: security testing. See, it demonstrates the point. When I say security testing, all sorts of concepts are cognitively connected in that moment. Unfortunately, these connections are different for each of us. When some hear security testing they think of using a new and improved fantastic commercial tool that produces beautiful output. Others think of an uber hacker sitting in a dimly lit room reading the network-byte-ordered data of some super secret application protocol. Yet others have never heard the term security testing. Instead, they think you’re talking about pen-testing, which, for the purposes of this discussion, is a fine synonym. The challenge is not with the definitions per se, but with the perceived effectiveness.

To be honest, it isn’t really the perceived effectiveness. Well, it is, but let me elaborate. The challenge lies in the way we swap one kind of effectiveness for another. Somehow we’ve managed to equate the ability of the uber hacker to find implementation bugs with that of a tool. We’ve given the tool the title of uber hacker, a title that, despite all of its merits, it cannot bear because it cannot deliver the goods. This does not mean that tools are not an expedient way to identify and respond to low-hanging fruit. They are great for that. But sometimes it is thought either that low-hanging fruit represents the greatest risks or that this low-hanging fruit is really all the fruit there is on the tree. I don’t think this is the case, and this is the problem. We cannot presume that what a tool can identify is all that there is, or even that it is all the low-hanging fruit there is. In the context of the tool it may be all there is, but in the context of an uber hacker, or even a not-so-uber hacker, it may not.

An example may help clarify what I am talking about. In a previous life we were testing an online application that was responsible for delivering sensitive documents to users with accounts. This was a manual, exploratory type of test because there were no real design documents that described the behavior. We immediately created an account and after some time visited the ‘I forgot my password’ screen. The email we received looked odd. To make an exceedingly long story short, we discovered that the application was generating a pseudo-hash as the means of authenticating the user. This hash, if you can call it that, was really a simplistic Vigenère cipher using the username as the key material. Of course you can imagine what happens next.
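To make the flaw concrete, here is an added example written for this page. It is not the code of the application described above, whose exact token layout the post does not give, so the ‘UID…RESET’ wrapper, the usernames and the user ids are assumptions. It builds a reset token by Vigenère-encrypting a user id with the requester’s username as the key, shows the server-side check, shows the forgery that becomes possible once the key material is public (the attacker decrypts their own token with their own username, learns the layout, and re-keys it for a victim whose id is assumed guessable), and then shows the usual fix beside it: an HMAC-SHA256 token bound to a server-held secret and an expiry, which an attacker cannot re-key.

```python
import hashlib
import hmac
import time

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def _normalize(s):
    """Upper-case and drop anything outside the token alphabet."""
    return "".join(c for c in s.upper() if c in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Classic Vigenère over ALPHABET: shift each character by the matching key character."""
    key = _normalize(key)
    if not key:
        raise ValueError("key must contain at least one alphabet character")
    out = []
    for i, c in enumerate(_normalize(text)):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % len(ALPHABET)])
    return "".join(out)


# --- the weak scheme (hypothetical reconstruction; the post gives no token format) ---

def weak_reset_token(username, user_id):
    """'Pseudo-hash': the user id wrapped in fixed markers, Vigenère-'encrypted' under the username."""
    return vigenere(f"UID{user_id}RESET", key=username)


def verify_weak(username, token):
    """Server side: decrypt with the username from the reset link and pull out the user id.
    The fixed markers double as a validity oracle for anyone who knows the key."""
    plain = vigenere(token, key=username, decrypt=True)
    if plain.startswith("UID") and plain.endswith("RESET"):
        return int(plain[3:-5])
    return None


def forge_weak(own_username, own_id, own_token, victim_username, victim_id):
    """Attacker: the key is their own username, so their own reset mail reveals the layout;
    re-keying that layout for the victim's username yields a token the server accepts."""
    template = vigenere(own_token, key=own_username, decrypt=True)   # e.g. 'UID42RESET'
    prefix, _, suffix = template.partition(str(own_id))              # 'UID', '42', 'RESET'
    return vigenere(prefix + str(victim_id) + suffix, key=victim_username)


# --- the fix: a keyed MAC over (username, user id, expiry) with a server-held secret ---

def strong_reset_token(secret, username, user_id, ttl=900, now=None):
    """Token = '<uid>.<expiry>.<hex HMAC>'. Only a holder of `secret` can produce the MAC."""
    base = int(time.time()) if now is None else int(now)
    exp = base + ttl
    mac = hmac.new(secret, f"{username}|{user_id}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{exp}.{mac}"


def verify_strong(secret, username, token, now=None):
    """Recompute the MAC over the claimed fields; constant-time compare; reject expired tokens."""
    try:
        uid, exp, mac = token.split(".")
        uid, exp = int(uid), int(exp)
    except ValueError:
        return None
    current = int(time.time()) if now is None else int(now)
    if current >= exp:
        return None
    expected = hmac.new(secret, f"{username}|{uid}|{exp}".encode(), hashlib.sha256).hexdigest()
    return uid if hmac.compare_digest(expected, mac) else None


if __name__ == "__main__":
    own = weak_reset_token("attacker", 42)
    print("own token:", own, "->", verify_weak("attacker", own))
    forged = forge_weak("attacker", 42, own, "victim", 7)
    print("forged for victim:", forged, "->", verify_weak("victim", forged))
    secret = b"server-side secret, never sent to the client"
    good = strong_reset_token(secret, "victim", 7)
    print("HMAC token accepted:", verify_strong(secret, "victim", good))
    print("guess with wrong key accepted:", verify_strong(secret, "victim", strong_reset_token(b"guess", "victim", 7)))
```

The weak scheme fails for a reason no scanner sees in an HTTP response: its only secret is the username, which is public by design. The fixed version still needs the usual production additions (single use, a short TTL, binding to the current password hash so an old link dies when the password changes), but the key property is that the attacker has nothing to re-key.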

None of the variety of commercial tools out there could find the flaw mentioned above, but we knew this. This was why we performed this ‘other’ kind of pen/security testing. Was this flaw easy to find? It was, and the tools were not equipped to find it. The fact is, if we continue to label automated tools as uber-hackers-in-a-box, then we may be in for quite a surprise. This is why distinctions, especially with regard to pen/security testing, are important. We have to be aware of how we are testing, not simply that we are testing. And even with all that, we have to remember that in the end test results without any identified vulnerabilities only tell us that we were unable to find any, not that they do not exist.
