Monthly Archives: May 2008

Mass Digitization: Time to fund it properly

The always readable Dan Cohen discusses funding for digitization of public domain books. Hard not to agree – I think Harvard-Yale-Princeton (or, for that matter, Harvard alone) should just pony up the money and do it. The resulting archive would be a boon to humanities research and researchers all over the world, would yield immense dividends in the form of research and study activity for decades, and would give Harvard a signal project like that courseware project down the river, especially given the recent kvetching about the size of the Harvard endowment and the lack of visible largesse on the expense side.

Signatures by fax, and security in context

(this is a work in progress, thought I would write this in public and see what reactions I get)

Bruce Schneier, the world’s leading authority on security, writes well about why we accept signatures by fax – noting that it works because it is done in context and everyone understands how insecure it is (except in the relatively rare instances when they don’t). One reason is that we tend to think of new technologies in terms of old technologies: the physical signature can easily be faked with a fax, and even more easily when we start to use scanned PDFs – in fact, gluing in a copied signature becomes the standard way of doing things for most people.

I am currently thinking about security in a next-generation employee computing setup, where corporate infrastructure has retreated behind a browser and the end user can buy whatever he or she desires – be it a Mac or PC, laptop or desktop, cell phone or public terminal. Every user comes in via the public Internet, even if he or she is physically sitting right next to the server park.

From a security standpoint, this is actually a simplification, much as you simplify PC provisioning when you switch everyone to a laptop. Sure, many of the users don’t need a laptop, and a laptop is more expensive than a desktop. But differentiation has its costs, too. And it is much easier to make a desktop out of a laptop – in essence, all you need to do is sit still – than it is to do it the other way.

If you move to an architecture with corporate infrastructure and personal, private terminals, you remove the inside-or-outside-the-moat distinction companies often naively use as their main security barrier. Instead you must verify everyone’s identity in terms of the information and functionality they can have access to. You need to specify this at a very granular level, and will need a well-defined hierarchy of access rules. You will also, like Wikipedia, need to have a way to track who has done what where, and make it easy to reverse whatever changes have been made, should it prove necessary.
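A small sketch of what that could look like, added here as an illustration and not part of the original post: a hierarchy of access rules keyed on identity rather than network location, plus a Wikipedia-style log that records who changed what and lets a change be reversed. The role names, resource paths and the `Store` class are all made up for the example.

```python
from dataclasses import dataclass, field

# Constructed rules: (role, resource prefix) -> allowed actions.
# The most specific matching prefix wins; no matching rule means deny.
RULES = {
    ("staff", "hr"): {"read"},
    ("staff", "hr/payroll"): set(),          # carve-out below a broader grant
    ("hr-admin", "hr"): {"read", "write"},
}

def allowed(role, resource, action):
    """Walk from the full path up through its parents; first rule found decides."""
    parts = resource.split("/")
    for depth in range(len(parts), 0, -1):
        rule = RULES.get((role, "/".join(parts[:depth])))
        if rule is not None:
            return action in rule
    return False  # deny by default: being "inside" grants nothing

@dataclass
class Store:
    data: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # append-only: (who, what, where, old value)

    def write(self, user, role, resource, value):
        if not allowed(role, resource, "write"):
            self.log.append((user, "DENIED write", resource, None))
            raise PermissionError(f"{user} may not write {resource}")
        self.log.append((user, "write", resource, self.data.get(resource)))
        self.data[resource] = value
        return len(self.log) - 1             # entry id, usable for revert

    def revert(self, user, role, entry_id):
        """Undo one logged write by restoring the value it overwrote.

        The revert is itself an access-checked, logged write, so the trail
        shows who reversed what. A restored None means "no value yet".
        """
        _, action, resource, previous = self.log[entry_id]
        if action != "write":
            raise ValueError("only writes can be reverted")
        return self.write(user, role, resource, previous)
```

Denied attempts are logged as well as successful writes, so the trail covers what people tried to do, not only what they did.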

I am less certain that you need much of a standard for what should run on the clients themselves – surely we have progressed to a point now (or will in the near future) where end users can take responsibility for keeping their own technology reasonably updated and secure? We probably need to rethink security in terms of consequence management, in the sense that we need to make the consequences of poor security become apparent to the end user. The analogy is to car safety – for all the nagging about putting on your seatbelt and monitoring speeding, nothing would reduce deaths in traffic as much as a mandatory large spike sticking out of the steering wheel, instantly impaling the driver should he or she crash or suddenly brake.

(and that is as far as I got before the telephone started chiming, and it was time to scoot off for meetings and other things that eat up your day. I will be back. Comments, of course, are most welcome.)

Thinking about warfare, the last 100 years

Martin van Creveld: The Changing Face of War: Combat from the Marne to Iraq, Presidio 2008

Martin van Creveld gained fame for The Transformation of War, a book that should have been read by the USA before venturing into Iraq (see previous review). In this surprisingly succinct volume, he summarizes the changes in thinking about warfare "from Marne to Iraq", showing how war has changed from something conducted in short and contained spurts by an army, via the "total war" first voiced by Ludendorff, to today’s prolonged insurgencies, where the perpetrators blend back into the general population and advanced weapons fired from afar can only make the situation worse.

(As a digression, he characterizes the German invasion of Norway as rather risky and badly planned – it worked largely because the Norwegians were unbelievably unprepared.)

van Creveld divides war into two main phases: before and after the atom bomb. After the atom bomb, total war was no longer possible, since it would mean mutual destruction. Instead, war has (for the most part) become guerrilla war, where a militarily equipped power battles a much weaker enemy and, because the enemy is weak, becomes weak itself.

There are almost no instances of military powers successfully fighting insurgents – though the history of fighting insurgencies is largely written by the losers, who argue that they could have won if not hindered by politicians, the press or lack of resources.

To fight an insurgency, the power in question must be legal, i.e., treat the insurgency like a criminal activity rather than a war (much as the British did in Northern Ireland, where they, incidentally, had a local police force and spoke the language.) Either that (which takes a lot of patience) or they must use cruelly applied force, with openness and without apology (as Hafez Assad did in Syria.) Trying to fight the war from a distance leads to a quagmire, but going in to fight the insurgents with their own means leads to losses and loses the war on the home front.

The book is admirably succinct when it describes the evolution in thinking about warfare up to about 1950 (showing, among other things, the increasing use of the scientific method in weapons and, to a lesser extent, tactics evolution.) It gets a bit repetitive on the question of how to fight insurgency. But the verdict on the US’ fight in Iraq leaves no doubts about what the author thinks about the technical "revolution in warfare" and what it does:

Once the main units of the Iraqi army had been defeated and dispersed, most of the sensors, data links, and computers that did so much to aid in the American victory proved all but useless. In part, this was because they had been designed to pick up the "signatures" of machines, not people. But it was also because these sensors did not function very well in the densely inhabited, extremely complex environments where the insurgents operated. Myriad methods could be used to neutralize or mislead whatever sensors did work. Worst of all, sensors are unable to penetrate people’s minds. As a result, almost four years after the war had started, the American troops still had no idea who was fighting them: Ba’athists or common criminals, foreign terrorists or devout believers. […]

Soaking up almost $450 billion a year, the mightiest war machine the world has ever seen was vainly trying to combat twenty to thirty thousand insurgents. Its ultramodern sensors, sophisticated communications links, and acres of computers could not prevent its opponents from operating where they wanted, when they wanted, and as they wanted; […] To recall the well-known, Vietnam-era song: When will they ever learn? (Ch. 6.5)

van Creveld offers few conclusions, aside from patience, people on the ground and good intelligence, all of which are hard to acquire and maintain. Otherwise, the insurgents will eventually win, if only because the military powers’ only way of winning is not participating.

Formula for spying

Mark Seal has a great article in Wired about how McLaren got hold of Ferrari’s designs and the twists and turns that followed.

What blows my mind is the size of the budgets these guys are willing to throw away. A company like McLaren spends a lot of money and develops technology that eventually goes into production cars (at least, that’s the theory), but with the hundreds of millions spent here, how can anyone recoup it? Ferrari, at least, has a brand of car to sell, and McLaren cooperates with Mercedes, but it still looks like a rich man’s game to me.

Anyway, an entertaining story, showing that you better treat your employees right (how could Ferrari management not react before their chief mechanic had spilled the beans?) and do your own scanning if you are hoping to avoid betrayal or getting caught betraying.