A Roman Century

Wikipedia says the Romans had a different use of the term:

a century was actually only 80 men

It is like the opposite of a “baker’s dozen”. Seriously, though, it looks like regulations modified the definition of a Centurion’s establishment.

Centurions took their title from the fact that they commanded a century. Centuries were so-called because they originally numbered roughly 100 men. Just after that they numbered 60 men each and were paired into maniples, one with greater authority. After the Marian reforms, however, the standard establishment was set at 80 men.

What, they couldn’t rename things?

Guerilla CISO on FISMA

The Guerilla CISO blog has some amusing points posted about the dismal (nine Fs) 2007 FISMA report:

I can’t believe it, but DHS scored a “B” against all odds. =) And of course, by now the response to the report card is all rote–everybody wonders what the letters really mean […] I guess it just goes to prove what we say about the classified world: the people who know don’t talk and the people who talk don’t know. In this case, everybody attacks the metric because, well, it’s a bad metric–what action are we supposed to take because of what the results are? It’s also pretty much ignored by this point anyway except for the witty sound bites from some of my “favorite people”, so it’s nothing to get all hot and bothered about.

I always felt the same way about my report cards. Go ahead, ask him what he thinks about SANS and Gartner opinions on the report.

Privacy Research Challenges Self-Regulation

Go Jen King! Awesome paper by a former colleague:

Professor Alan Westin has pioneered a popular “segmentation” to describe Americans as fitting into one of three subgroups concerning privacy: privacy “fundamentalists” (high concern for privacy), “pragmatists” (mid-level concern), and the “unconcerned” (low or no privacy concern). When compared with these segments, Californians are more likely to be privacy pragmatists or fundamentalists, and less likely to be unconcerned about privacy. Fundamentalists were much more likely to be correct in their views of privacy rules. In light of this finding, we question Westin’s conclusion that privacy pragmatists are well served by self-regulatory and opt-out approaches, as we found this subgroup of consumers is likely to misunderstand default rules in the marketplace.

At some point security becomes so expensive and time-consuming that only an elite can afford privacy. Is there a case to be made that regulation of the data market is needed to bring the cost down?

A question I often wonder about is what real costs we bear today if we want to control our data, and who benefits most from generating entropy (or a lack of individual awareness and control).