Archive for the ‘Uncategorized’ Category

Here is a collection of articles about applying Bronze and Iron Age concepts to modern security. Some of the ideas seem a bit radical, but I think they are worth contemplating.

This is a bit off the path of information security, but I wanted to share an excellent article on why you should distrust 90% of what you read (including, unfortunately, much of the computer security advice out there).

The Atlantic published this interview with Dr John Ioannidis, a medical researcher who has dedicated his career to showing that “much of what medical researchers conclude in their studies is misleading, exaggerated, or flat-out wrong.” This is true even of the ‘gold-standard’ peer-reviewed studies. The biases of funding and publication pressure are too much to overcome. Worse, even when the studies have been overturned, the medical community continues to rely on the old, disproven theories.

While his research is based on medical journals and medical studies, his findings are applicable to everything from physics to economics to computer science.

You can also read Dr Ioannidis’ original paper at PLoS Medicine. He lays out a detailed mathematical argument that, “assuming modest levels of researcher bias, typically imperfect research techniques, and the well-known tendency to focus on exciting rather than highly plausible theories, researchers will come up with wrong findings most of the time.” He wrote a follow-up article here specifically discussing the distortion caused by publication practices. I recommend both for anyone with an interest in the scientific method and/or in sorting truth from rumor among the deluge of “good advice” on the internet.

Today’s post has nothing to do directly with information security, but the article so caught my eye that I had to share it. Feel free to skip it if it doesn’t interest you.

The U.S. Chamber Institute for Legal Reform recently released a report on the disproportionate share of U.S. litigation cost borne by small businesses. The full report is about 25 pages and well worth reading. The short version is:

  • Small businesses generate 64 percent of all new jobs and over half of non-farm GDP.
  • Small businesses bore 81 percent of business litigation cost, yet represented only 22 percent of US business revenue.
  • Small businesses pay more of their tort costs out-of-pocket rather than through insurance.
  • More than one-third of surveyed small businesses had been sued. To put that number in perspective, think of any three local small businesses that you use, maybe your barber, hardware store and local laundry. Do you really think that one of every three is so evil that the only way to resolve a complaint was to go to court?
  • 62 percent reported making business decisions in order to avoid lawsuits, and said that those decisions made their products and services more expensive. 45 percent pulled a product or service off the market purely out of fear of lawsuits, and 11 percent had laid off employees as a result of lawsuits.
  • For medical businesses, it’s even worse. Tort liability is 94 percent of all medical malpractice litigation for small medical practices and small medical labs. This is driving the medical profession away from small practices and toward large hospital-based and health-system-based groups. In just three years, from 2005 to 2008, small groups dropped from two-thirds of all practices to less than half.
  • 66 percent of the general public agreed with this statement: “The fear of being sued is changing American society for the worse because it’s often having the effect of discouraging people from doing the right things.”

Statistically, some of those small businesses are bad apples who should be sued, maybe even into bankruptcy. Sometimes that is your only recourse. But I do not believe that all businesses are inherently evil, and I am deeply suspicious of the way the legal profession has morphed into a legal industry over the past few decades. The more I read, the more convinced I become that tort reform is desperately needed. Some form of “loser pays,” as in Europe, would be a good first step.

This post isn’t directly related to security, but if you’ve never been to workforce.com before, I recommend it. The site is full of HR buzzwords, as though it were written only for HR professionals, but it’s good reading for any businessperson.

This post, titled The Five Biggest Lies in HR, by Kris Dunn was fascinating, if a bit cynical. It’s a painfully realistic view of where we really fit in the workforce.

I read an article this morning on a non-profit called the American Widows Project and thought it sounded like a very worthy cause. In addition to helping them directly, I’d like to do my little part to get them some more publicity.

That reminded me of another recent article, on which links you may allow on your website. That article specifically discusses the problems faced by public entities like school districts and whether they must allow links to private companies on their web pages. It’s a difficult question for any governmental organization. Under US law, they have an obligation to protect free speech, but at the same time they cannot create the appearance of an unfair endorsement of a private opinion.

For a public entity, it depends on the exact nature of the page: if your township hosts a “forum” where citizens are allowed to express opinions and air grievances, there are very few allowable limits that can be placed on the free speech rights of the people participating in the forum. On the other hand, even public entities have non-public forums, places where completely free speech would get in the way of the very mission that the agency is supposed to carry out. Limits in those forums are more acceptable. Regardless, any limits should be

  1. clearly stated ahead of time,
  2. based on reasonable protection of other rights (for example, ‘no hate speech’ or ‘stay on topic’), and
  3. enforced with ruthless consistency.

If you work with a public entity with any online presence, I strongly urge you to read the eDiscoTech article.

For a private citizen, the calculation is different. First, you have no obligation to allow others to say anything: you are not required to let someone take over your backyard for a political rant, even if the same speech would be strongly protected in the village square. But you do want to allow interaction and linking on your personal website; that social contact is most of what makes the website valuable and brings in readers. The challenge is that your credibility is directly linked to all those outsiders. Anything you include or allow on your own website carries an implied endorsement, and if there’s bad content on the other side of a link, it reflects back on you. So if you host a blog (whether on Twitter or a more conventional blog like this one), you probably want to allow comments, but you probably also want to keep some right to control them, if only to filter out the spam and other worthless content. And you should be fairly conservative about whom you link to. Be sure they are the kind of people you want your reputation associated with.

Corporations have it hardest of all. They are private and have no legal obligation to allow their site to be used for the free speech of others, but attempts to suppress or censor negative comments almost always create more backlash and ill will than the original complaint. Corporations generally do best by enforcing clear rules (especially an “off-topic comments will be removed” rule) but otherwise allowing users to post whatever they really feel about the company’s products or services.

Ultimately, I decided to include a link to the American Widows Project; you can see it now in the blogroll on the right of the website. Deciding whom you should link to is an interesting question, though.