30 December 2007

Losses of 2007

2007 has been a trying year. Too many people close to me, my family, and my friends have died. Alas, given our ages--at 55, I am in the middle of my friends--this won't be the last such year.

A metaphor occurred to me a couple of weeks ago that helps when thinking of those who have gone. I don't pretend that it is profound, it only helps. We go through life as if it were a subway ride. The ride begins when we climb aboard. We travel to the end of the line. As we go, other people climb aboard. When they do, they have their own histories, their own stories to tell. We converse (this is unlike most rides), we get to know them. They leave. Where do they go? We do not know. Perhaps to continue their stories, their histories. They were fine companions when they joined us. Their absence leaves a hole as we continue our ride.

I never feel I have known my companions well enough or long enough. Their history will always be half-known at best. That is a part of the immeasurable loss that their departure leaves.

Here are those whose loss I felt keenly this year, but their memory includes treasures that will be held close until my ride ends:

Dave Stryker. He was a Morris man whom I had known for more than two decades. He was hardly a friend, an acquaintance, really. And I can't say that I liked him much. But his trial, which stretched from March through May, affected me strongly. Those who knew him well did well by him, keeping the rest of us informed as he slowly moved toward death, and telling us how they remembered him. This was no soppy, dew-filled flower of memories of one passing away. Well, there was a little of that. But his fault-filled humanity was not hidden as his strength ebbed. Morris was his passion, as it is one of mine. He died well, filled by the strength of that passion and, I think, with his life extended by it. His ashes were placed in a mug. I'll drink happily and heartily from it when it comes my way.

Len Erb. He was my step-father, loved by my mother in the years before her death, a friend of both my parents when my brother and I were children. He was also one of the finest men I have known. Career Navy, he fought in submarines during World War II, commanded one of the first Polaris submarines in the 1960s, and headed the Ingalls shipyard at Pascagoula until he retired. My fondest memory is of him, my brother, and me, sitting in a restaurant in Phoenix after my mother died. We stayed for hours, listening to Len tell his tales. He died in June, a few days before I was to fly to Los Angeles to see him. I heard many of his stories, but am ready to hear more.

David Long. My brother-in-law. I didn't know him as a lawyer; I knew him as a husband and father, as one of the family. We learned not long before his death how accomplished he really was as a lawyer for the Justice Department. As the Attorney General told us, his accomplishments were quite remarkable. Let it be noted that his sense of honor was extraordinary, particularly in an age when honor is little valued.

A few months before he died, as his cancer had advanced far enough that we knew that death would soon come, his daughter Kathryn asked his friends and family to write what they would remember about him. This is how I remember him:
A man enthusiastic. David has had his enthusiasms, which he has pursued with contagious joy. His version of 'This Old Man' was one. A great idea, splendidly made real. His life-long love of 'The Grateful Dead' is another. I treasure his CDs of material from his vast collection. He's educated me about the 'Dead.' Just this morning, in fact, they played 'Touch of Gray' on the radio. I thought: David. And remembered his enthusiasm when it first came out. Good song. Great band. A fine guy.
The consummate host. At family events, he has always made sure I knew where the beer was and had one in hand. More than that, he has ensured that the beer at hand was something I would like. I've never thanked him for that, but it has always been appreciated, as has the courtesy with which he treats everyone who comes as a guest to his home. This is, to him, a duty and, it seems, a pleasure.
The Wee Beastie Feastie Host. David was the Swanson version of Johnny Carson. Relaxed, charming, funny. The master. Great.
One of the '51s. He launched the club at our rehearsal dinner, an event caught on tape. The skit is an indelible part of family history. As I remember it, he came up with most of the jokes. The '51s became a group because of that skit; I'm thankful to be a part of it.
A better man than he thinks himself to be. This is a man modest about his talents and his accomplishments. Like most of us, I suspect he has never achieved as much as he hoped. But he has done a lot, more than I think he realizes. Some examples:
He's a fair guitar player, but a gifted song writer. "Poor Richard Nixon" is, after all, a minor classic.
A major accomplishment: His kids. Grown and growing, they are people to be proud of.
Another accomplishment: "The Big Vince"; the tournament for Vince Terlep. This is no small thing, not just for the effort it has taken to get it going and keep it going, but for what it says about friendship, the friendship David had for Vince.
Professional accomplishments: I don't know enough about what he did professionally, except that he took pride in doing it and did it well. I do know that David had a career given to public service, though better money could be found outside government. I envy him that.
David died at the beginning of August, after having suffered more pain than anyone I have known. It was fortunate for me that I was able to spend several evenings with him in his last month. I think I helped him; I know he helped me.

Nick Robertshaw. Nick was a good friend whom I knew for many, many years. He died suddenly--shockingly--when his heart gave out at the end of October. We were stunned. He was the best musician Foggy Bottom Morris ever had and a wonderful, joyous singer. In fact, you could feel joy in everything he did, whether it was singing a slightly naughty song, drinking a good beer, picking mushrooms along a trail, or just watching a thunderstorm from his porch. As with the others lost this year, my picture of the man became broader once people began to tell how they knew him. You would do well to spend some time at the Nick Robertshaw wiki, if you have not yet done so, to learn more about this extraordinary man. Two months later, I have yet to take the full measure of his loss. I fear there is a bucket of tears waiting to fall before I do.

With Nick, and with the others, I learned more about them after they left from others still on the train. It was true of my father and mother after they died. Each time someone leaves, you realize how much you did not know about them, how much of their history was hidden and, to you, lost. For me, these four people have found their stop. For me, their ride is over, their story is finished. It feels like we were just getting to the good part.

25 November 2007

Subprime Risk

How could some of the brightest minds in business create the subprime mortgage mess? Most went to business school and had decades of experience in their industry. All are highly paid, with their pay, supposedly, reflecting their talent, education and experience. The market valued their skills highly. Yet their foolishness has triggered a plunge in the stock market, with financial stocks--the stock of their companies--leading the way, and a recession assuredly to come (it may already have begun).

It is not the first time that the brightest in business have eagerly touched a tar-baby that left them stuck when things went bad. Enron and the Internet bubble are but two other recent examples. What they have in common is a failure to realistically consider risk. They also showed a willingness to abandon some of the simple, cardinal virtues of conducting business.

The focus here will be on risk. That has strong implications for much of what happens in public life these days, and for information security, my chosen field, in particular. What happened with these great financial schemes is that their perpetrators ignored risks that, predictably, became reality. With subprime mortgages, it was predictable that interest rates, which could hardly have been lower, would rise in the face of inflationary pressures caused by federal budget deficits and the falling dollar, among other things. When those rates rose, the poor souls whose credit-worthiness was questionable were bound to default. How could that not be seen? Similar blindness afflicted the moguls at Enron and the visionaries of the dot-com era.

It has also afflicted the Bush administration, which entered Iraq without a clear view of the risks of insurgency and civil war. And--a central point here--it afflicts many of those who decide how to allocate time and effort on information technology (IT). There are two ways that risk is dealt with poorly in IT.

First, the simple fact of risk is ignored. The recent loss of the records of 25 million people in Britain is a case in point. An employee was allowed to put those records on a laptop, unencrypted and protected only with a password, which protects nothing once the disk is read from another machine. The thought of loss seems to have escaped those who established policies and procedures for the agency that allowed it. I imagine that they believed that such things rarely happen, so why protect against an occurrence that would probably not happen? The potential cost if it did was not considered. Nor were the--low--costs of countermeasures.

Another example comes from my own experience of several years ago. A network I worked on was unprotected by anti-virus. We knew we needed it, but the project manager told us to get licenses from HQ, which had extra, already paid for, that we could have. They dawdled; so did we (and, to be fair, I did not push the issue--a lesson for me). Then the Klez virus struck, big time. The network went down. Suddenly, no price was too high for AV. We got it. It took us several days to clean up and install the anti-virus package.

Risk is also poorly analyzed all too often. One agency I worked at decided that a particular piece of malware was a major threat because the unit chief saw that it was covered prominently on CNN. Other, more severe threats were ignored. This agency, like many organizations, never did even a preliminary analysis of the risks it faced and the most effective means of countering them. Consequently, at least some of the means allocated to IT security--which will always be limited--were misallocated. Such organizations are prepared to stop something, but not what threatens them most.
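The preliminary analysis that the agency never did need not be elaborate. What follows is an added example, not code from the original post: it ranks threats by the standard annualized-loss model (annual rate of occurrence times single loss expectancy) and funds countermeasures in order of net benefit, then contrasts that with ranking by how much press a threat gets. Every threat, frequency, loss figure, cost and "headline score" in it is constructed for illustration; the names echo the laptop, anti-virus and CNN examples above but none is taken from a real assessment.

```python
"""Ranking threats and countermeasures by expected loss.

Added example, not part of the original post. The ARO x SLE model is the
conventional one; all figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float            # annual rate of occurrence: expected events per year
    sle: float            # single loss expectancy: cost of one occurrence
    headline_score: int   # constructed 0-10 measure of how much press it gets

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str           # name of the Threat it addresses
    annual_cost: float
    reduction: float      # fraction of that threat's ALE it removes, 0..1


def rank_by_headline(threats):
    """The CNN method: order threats by how prominently they are covered."""
    return [t.name for t in sorted(threats, key=lambda t: t.headline_score, reverse=True)]


def rank_by_ale(threats):
    """Order threats by expected annual loss instead."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale, reverse=True)]


def net_benefit(measure, threats):
    """Expected loss avoided per year minus what the measure costs per year."""
    ale = {t.name: t.ale for t in threats}[measure.threat]
    return measure.reduction * ale - measure.annual_cost


def allocate(threats, measures, budget):
    """Greedy allocation: fund measures in order of net benefit while they fit
    the budget, and never fund one that costs more than it is expected to save."""
    chosen, remaining = [], budget
    ranked = sorted(measures, key=lambda m: net_benefit(m, threats), reverse=True)
    for m in ranked:
        if net_benefit(m, threats) <= 0:
            break                       # everything after this point is worse
        if m.annual_cost <= remaining:  # skip what does not fit, keep looking
            chosen.append(m.name)
            remaining -= m.annual_cost
    return chosen


# Constructed figures echoing the post's examples; not real data.
THREATS = [
    Threat("lost unencrypted laptop", aro=0.5, sle=2_000_000, headline_score=2),
    Threat("worm on the evening news", aro=2.0, sle=20_000, headline_score=10),
    Threat("mass-mailing virus on unprotected LAN", aro=1.0, sle=300_000, headline_score=3),
    Threat("insider misuse of records", aro=0.2, sle=500_000, headline_score=1),
]
MEASURES = [
    Countermeasure("full-disk encryption on laptops", "lost unencrypted laptop", 50_000, 0.9),
    Countermeasure("emergency signature for the worm", "worm on the evening news", 10_000, 0.95),
    Countermeasure("anti-virus licences for the LAN", "mass-mailing virus on unprotected LAN", 40_000, 0.8),
    Countermeasure("access logging and quarterly review", "insider misuse of records", 60_000, 0.5),
]

if __name__ == "__main__":
    print("by headline:", rank_by_headline(THREATS))
    print("by ALE:     ", rank_by_ale(THREATS))
    for m in MEASURES:
        print(f"{m.name}: net benefit {net_benefit(m, THREATS):,.0f} per year")
    print("fund with 60,000:", allocate(THREATS, MEASURES, 60_000))
```

With these figures the worm that leads the headline ranking is last by expected loss, and a review that costs more than the loss it prevents is never funded regardless of budget; the point of the exercise is the comparison, not the particular numbers.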

None of that would matter if risks did not become reality. Yet, as the executives at Citibank, Countrywide, Washington Mutual, and other firms have found, they do.

07 November 2007

The Choice in Pakistan

The Bush administration sees the choice in Pakistan as one between an errant friend and rabid enemies. General Musharraf's declaration of martial law is seen as the mistaken choice of a leader who saw his country falling apart under pressures generated by the growth of Islamist extremism. He has, as the administration sees it, battled Al Qaeda and its ilk, avoiding the temptation to pander to them. The administration has called on the general to reconsider what he has done and to return Pakistan to the status quo ante.

This is a false choice. The administration has been too gentle on the general, having defined American national interests too narrowly. Consider that Musharraf declared martial law contrary to the publicly expressed wishes of the United States. Secretary Rice herself said on November 3, as reports of Musharraf's actions were coming out:
I just want to be clear that the United States has made clear that it does not support extra-constitutional measures because those measures would take Pakistan away from the path of democracy and civilian rule.
To date, the United States has scarcely even said "Tut-Tut" in reaction, much less taken any substantive action to make its displeasure felt in Islamabad.

Now we have pictures of Westernized Pakistanis, even Pakistani lawyers, having their demonstrations broken up by the army. At the very least, the United States looks weak. It even looks hypocritical: our oft-expressed support for democracy is shown to be mere words, or less.

Moreover, support for Musharraf within Pakistan is virtually non-existent, according to reports. The Islamic extremists certainly oppose him. Moderate and secular Pakistanis now oppose him as well. And Benazir Bhutto and her supporters are just beginning to gear up for the struggle. How long can this ally last? We appear to be supporting the losing side.

Sanctions of some kind--a reduction in aid at the very least--should have been imposed by the end of the day on November 3. Not simply because democracy is a good thing, but out of a realistic approach to satisfying our true national interests in the region.

31 October 2007

Not yet Soviet, but....

Russia's proposal to limit the number of election observers allowed in for the legislative elections is one more sign that Russia's flirtation with democracy is coming to an end. Dictatorship has become much more attractive.
This is not the first such sign, of course. It has been evident that Putin will continue to rule after his current term ends. How he will do so is not clear. One writer suggested that he will rule through his party, United Russia, much as the leaders of the Communist Party did in Soviet times. The more recent suggestion that Putin might serve as prime minister seems more likely. But the current calls for a change in the constitution to allow him to serve another term are, to say the least, most interesting. They do seem unlikely to have been made without prompting, or at least encouragement.

It does all seem so Soviet. But what is most discouraging about the current environment is the retreat from openness. Rather, the headlong march into obscurity. The proposal to limit observers is, again, one more sign. The accompanying noise that "Russia does not need to invite an army of observers, because the Russian electoral system is one of the most advanced in the world," resembling, as it does, the Soviet tone of self-righteous outrage, is all too familiar. Samokritika--self-criticism--may be a Soviet concept, but it never had a place in Russian/Soviet relations with the outside world. It was always as if the Soviets were above criticism, except by hypocrites. Like the United States, for example, with the irregularities about the 2000 election that they are not afraid to trumpet.

So, is the Soviet Union returning? Not quite. The dictatorship now being formed, brutal as it is, is not Soviet in nature. For one, its motivation is nationalist, not ideological. That is both a strength and a weakness. For another, it seeks less than total control of the economy--extensive control, particularly of what it regards as key sectors--but not total control.

Most important, perhaps, the Russian economy is full of weakness. It depends strongly on oil: as oil goes, it goes. There are worse reeds for an economy to lean on. But when the rest of the world finds alternatives to Russian oil, the Russian economy may well tank. Moreover, demographics dictate that Russian power will shrink over the next few decades. Among major powers, Japan does worse, but few if any others do.

So where will that leave us? With a dictatorship stronger--politically--at home, but weaker in the world and less able to deliver the goods at home. Not a pleasant prospect.

30 May 2007

IT Security Needs More Than English

A New York Times article on the DDoS attacks on Estonia earlier this month includes this paragraph. The attacks, of course, appear to have been launched by Russians in reaction to the removal of a statue of a Soviet soldier.
Though Estonia cannot be sure of the attackers’ identities, their plans were posted on the Internet even before the attack began. On Russian-language forums and chat groups, the investigators found detailed instructions on how to send disruptive messages, and which Estonian Web sites to use as targets.
This underlines a point I made in a paper last year about the discovery of the WMF vulnerability in December 2005. The discovery and exploits of the vulnerability appear to have been made by Russians, or at least Russian speakers, about two weeks before they became known in the West. What I wrote then remains pertinent:
Most of the discussion about WMF took place in English. Some of it was translated, but translation, understandably, took a back seat to ascending the learning curve—in English—and getting the information out in the easiest form possible, which meant English. This may have hindered the ability of users and sysadmins who speak English poorly or not at all to get the information they need. Given the growing number of users who do not speak English, that is a topic worthy of research on its own.

But another implication of this is that the blackhats can operate under the radar. Exploits of the WMF vulnerability were extant for about two weeks before they were made public—leaked—in an email message to an English-language list. What if the leak had not been made? Websense may have been on the verge of discovering the vulnerability that the exploits it saw were using, but few others began to move until they saw that email and the Metasploit module was released. It could easily have been several days before the vulnerability was recognized. Almost assuredly, Microsoft would have held off a patch until January 10th, assuming that it knew enough to make one even then.

More broadly, how much is going on that we do not know about because the whitehat community as a whole has neither the language skills nor the predisposition to linger where blackhats talk in languages other than English? There are regions of the world where blackhats are developing exploits—writing them, testing them, using them—that may easily become global threats.

Businesses and governments in Europe and North America will be targeted by such exploits. We have some capability to create an early warning capability that can try to learn about what is happening in hidden hotbeds of blackhat activity like Brazil, China, and the former Soviet empire. WMF showed a little about what can be done, with iDefense and Kaspersky in particular producing essential information about the origins of the exploits. But it also showed that a stronger capability is needed, either from companies like iDefense and Symantec, or from government. Unfortunately, the required combination of skills—linguistic and technical—is scarce.

29 May 2007

FBI Network Insecurity

The Government Accountability Office (GAO) released a report on an audit it conducted of security on one of the FBI's networks earlier this year. It found a number of problems, which is not surprising. The Bureau has made a significant effort to improve network security in the last few years, just as it has worked hard to improve its computer operations in general. To the Bureau's credit, the CIO, Zalmai Azmi, concurs with much of what GAO wrote. His disagreement with the report can be regarded as a matter of interpretation: "The FBI does not agree that it has placed sensitive information at an unacceptable risk...." The key word is "unacceptable," which is one of those words that looks different in the eye of each beholder.

The reaction of the FBI Public Affairs Office is another matter. The press release gives the impression that the GAO ignored vigorous efforts by the FBI to fix the problems. Indeed, the first paragraph gives the impression that the FBI was on top of the problems even before GAO looked at them. It was not. The awareness of security is growing at the Bureau, but the bureaucracy--renowned even in the Federal government for moving like sludge--makes it difficult to make bureau-wide improvements. Security policies are incomplete or poorly enforced. As the report states, patch management is ineffective. Again, as the report states, some of the prerequisites for effective security are not in place. A prime example is the absence of either an up-to-date risk assessment or a complete inventory of what is on the network. In short, the FBI knows neither what it needs to protect nor what it needs to protect itself from. Moreover, the monitoring capability, cited by the CIO as one of the improvements made in the last few years, is being dismantled. That is hardly the sign of an agency taking proactive steps to improve network security.

The progress the Bureau has made in recent years to secure its networks has been significant. Some strong measures have been taken; awareness of the need for security has spread, most significantly, among people working on the networks. What the GAO report points out is that much remains to be done. The risk may or may not be unacceptable. It is higher than it should be, particularly for an agency like the FBI.

13 May 2007

The Hopes and Dangers of Talking to Teheran

The ambassador to Iraq will meet with Iranian officials sometime in the next several weeks. It's about time. This was a recommendation made by the Iraq Study Group that should have been adopted long ago.

It shows that the administration recognizes that the United States and Iran may well have common interests in Iraq. It is not in Iran's interests, after all, to have chaos reign on its borders. There is a potential, therefore, for an agreement of some kind, an informal one, perhaps, that would have Iran help make the Maliki government stable rather than undermine it through aid to the militias of its Shiite allies.

Such an agreement is only possible, however. One can hope for it; one cannot expect it. There are three reasons for caution.

First, the talks discussed, if they are held, will be held at a low level with an agenda that has yet to be determined. The question of the agenda is one of the things that has held up talks so far, and the range of issues that divide Iran and the United States is wide. The ambassador, and his Iranian counterparts, one presumes, will have to bow to the dictates of more senior officials. Both the agenda and the seniority of the people at the table (or within earshot of it) can change if the talks continue. The point here is just that they add uncertainty to the matter.

Second, the interests of Iran and the United States are similar, but they are far from congruent. Iran would probably prefer that its Shiite allies rule in Baghdad. The United States should see that a government of all parties in Iraq would be more likely to last. The United States would be less likely to oppose allowing Kurdistan to be strongly autonomous or even independent than Iran would. Iran, after all, does have a significant Kurdish minority. But these are the kinds of things one has talks to find out.

Third, and most important, the United States has to assure the Kurds, the Sunnis, and the Sunni states of the Middle East that it will not acquiesce to a government dominated by Iran or its allies. That may be the greatest danger that these talks open up, particularly as the Maliki government has shown on many occasions that it has a proclivity to favor the Shiites over the Sunnis.

To avoid this, the United States will have to communicate clearly with the Saudis, the Egyptians, and others. It will even have to consult with them. And its actions inside Iraq, Baghdad in particular, will have to be perceived as even-handed. Achieving that perception is no easy task; efforts to achieve it may be perceived as favoring the Sunnis over the Shiites. That in itself could jeopardize the talks.

So, we have a welcome beginning, but the ending is not yet in the script.

28 February 2007

Sitting Down with Iran and Syria

We must welcome the announcement that the United States will sit down at the same table with the Syrians and the Iranians at a conference called by Iraq. However, the administration is trying to make it clear that this does not signify a change in policy. Our hope is that those statements are mere window dressing, but let us not be surprised if they are true to their word.

Tony Snow began his briefing after making the announcement with a list that, he said gave "at least a glimpse of a number of occasions on which the U.S. and the Iranians had been seated at the same table in multilateral negotiations." Sitting and negotiating are not the same. A little later he added: "But this does not mean that there are going to be sidebars where we're having one-on-one talks with the Iranians. It doesn't mean that there's going to be any departure from past practice."

Iraq's Prime Minister Maliki has been asking for a conference for quite some time. The White House appears to have given in to those demands. We can hope that they are fruitful. But without the United States actively negotiating with Iraq's neighbors, any gains will be small. They cannot succeed in what we should regard as their main task: creating the conditions that will enable the United States to withdraw. (Indeed, it is time for the United States to withdraw, wholly or partially, but that's a topic for another time.)

This is particularly true if, as it seems, the Sunnis believe the Iraqi government to be a government of, by, and for Shiites. The dialogue within Iraq still needs to begin.

15 February 2007

Cab Calloway and Nicholas Brothers

This is not the usual fare for this blog, but this clip is so good, it is well worth posting. Give it a look and listen.

In the movie Stormy Weather (1943)