July 11th marks the 70th anniversary of the start of the Battle of Britain, which lasted until October 31st. This was undoubtedly the most important battle for Britain of the 20th Century.

German forces had quickly overwhelmed resistance in France and defeated the British in air battles over Europe. They next aimed to take air control of the English Channel to weaken Britain’s defenses and protect a sea assault.

Prime Minister Winston Churchill declared at that time:

What General Weygrand called the Battle of France is over, the Battle of Britain is about to begin

A day-by-day recount and calendar is available on the Royal Air Force site. Here are some statistics as they were recorded on July 11th, 1940.

Casualties:

* Enemy: Fighters – 10 confirmed, 2 unconfirmed; Bombers – 13 confirmed, 12 unconfirmed; Type unspecified – 1
o Of the above totals, AA at Portland claims 2 confirmed and 1 unconfirmed.
* Ours: 3 Hurricanes (1 pilot safe), 2 Spitfires.

Patrols:

* 119 patrols involving 447 aircraft were flown.

Balloons:

* Deployed 1077, casualties 24.

Balloons? The British really knew how to celebrate, even in 1940. But seriously, the British military industry was only just beginning to shake off the moth balls at a time when a highly trained and well-equipped German offensive was right outside their door.

Barrage balloons emerged at the end of World War I to prevent German bombers from flying close to targets such as cities and industrial centers. They were used until the end of WWII as they continued to prove effective. German efforts to destroy the balloons usually ended in heavy German casualties, or as British Air Marshal Gossage put it: “the enemy having realized that the game is not worth the candle.”

I continue to see interesting points raised by information technology security professionals getting dragged into traditional themes of power and politics, especially as they relate to war and cyberwar.

The BSides Denver conference, for example, led to a heated exchange between a military lawyer and his audience when he tried to differentiate between Cyber Attack and War. The Economist stoked things to a much wider audience with their latest issue. The Economist, for what it is worth as a conservative voice, has less concern than the Denver audience and essentially agrees with David Willson’s presentation.

It just occurred to me, however, to search my own blog for things I have written on war and cyberwar. Perhaps this is a good time to confess that I studied International History at the London School of Economics before I started working full time on information security. My research focused on post-WWII international relations, which to most people seems to mean war.

Thus it has been hard for me to avoid peppering this blog with the occasional thought on politics and wars. That is my excuse anyway.

Here is a fine example I posted in 2005 regarding a book by General Sir Rupert Smith called “The Utility of Force: The Art of War in the Modern World”:

Battles just don’t work any more. War is now waged not in the field but the street, so victory is possible only with the people’s consent

His book should have been titled The Art of Waging an Act Formerly Known as War. But seriously the term War has its own definition that is separate and distinct from modifiers. Civil War means something different from just War, in other words. Likewise Cyber War should be held to mean something different from War. In that sense, I can see how the case could be made that War alone may no longer exist.

The title of this post is based on a monarchial concept of succession. It seems very fitting to the situation I see unfolding in the debate about the future of software as a service (SaaS). The move to outsourcing led to offshoring, which then evolved to cloud and SaaS.

It does not have to be a direct progression, but each end created a new beginning.

Another way of looking at it is this: WordPress, Google and Salesforce recently reported major outages. The reason many companies hoped to put their applications into the hands of those companies was to avoid major outages. So what is new?

With this in mind I read an InfoWorld review of a report by Gartner on how to approach the risk in SaaS. The author asks Is the SaaS experiment finally over?

Gartner advises its clients to perform extensive diligence before signing with any SaaS vendor. That includes not just weighing the costs and benefits of a specific solution, but also developing an in-house SaaS governance policy to help gauge the solution’s real-world performance. Such a policy should be a collaborative effort between business and IT, Gartner says, and it should consider not just the business performance of a given SaaS vendor, but its technical and operational capabilities as well. That means SaaS vendors will need to be transparent enough in their operations to instill customer confidence in their offerings.

That is good advice no matter where your application lives. Moving software outside the company still leaves you with the responsibilities of managing software, and introduces new challenges (instead of eliminating) to control security concerns such as availability.

The answer to the author’s question is therefore yes, the SaaS experiment is finally over and now begins the SaaS experiment.

In other words the SaaS should deliver fair services, but if not then hopefully the next SaaS will be fair, and if not, then hopefully things will progress…long live SaaS. All is not over or lost when there is succession. Things really can change for the better. For example, analysts from Gartner and I will discuss soon how best to put forth a more discrete set of requirements for cloud security. Dragging out my tired analogy of political systems just a little longer, I hope I can help Gartner customers clearly see why they need a Magna Carta of cloud. Remember how that worked out for the monarchies?

I have searched the city of San Francisco for a museum and historical record of the great fire of Aptil 18, 1906. The best, so far, seems to be the Virtual Museum of the City of San Francisco and a collection of images and letters on a few walls in the Bay Model Visitor Center in Sausalito. Another collection is in the Fairmont Hotel. None tells a complete story but they do reveal much controversy at the time that is probably far from anyone’s mind today.

The resident federal militia started a campaign to dynamite large sections of the city to back-burn as well as establish a fire break. This apparently is why Van Ness avenue is so wide. Some said the fires created by the Army were far worse than the quake causing far more destruction to the city. The San Francisco Museum has letters that suggest residents actually were in favor of burning down their own homes to collect insurance.

The death toll is another example. It is said to have been severely underestimated for three reasons. First, politicians wanted to paint a positive picture and keep property values high. The reality was that the city had such severe displacement that Los Angeles quickly gained prominence as a new port for commerce in the West. Second, racism prevented many thousands of people living in China Town from being counted. Third, the Army had been authorized to shoot and kill anyone suspected of looting. With more than 400,000 residents approximately 4,000 troops killed around 500 people; the quake was said to have killed 3,000.

This post, however, is not really about San Francisco. The BBC reports that the Great Fire of London in 1666 is being recast. Today we can look back at this disaster and learn a great deal about investigations and security.

Everyone learns at school that the fire raging for four days in that hot, dry summer began in a bakery in Pudding Lane.

But a new Channel 4 documentary focuses on the lesser known story of the fire – it sparked a violent backlash against London’s immigrant population, prompted by the widely-held belief at the time that it was an act of arson committed by a foreign power.

The countries already least in favor with the English, the Netherlands and France, were quickly suspected of some involvement. The BBC tells of how the British Navy attacked the Dutch weeks before the fire. That created a sense of victory that turned to guilt and led people to believe the Dutch were counter-attacking. The desire to find a cause of terror also led many to blame Catholics, whom they already disliked. Interrogation practices during an investigation ended with officials placing blame on immigrants from France, and one man in particular:

At the end of September, the parliamentary committee was appointed to investigate the fire, and a French Protestant watchmaker, Robert Hubert, confessed to having deliberately started the fire at the bakery with 23 conspirators.

Although his confession seemed to change and flounder under scrutiny, he was tried and hanged. Afterwards, colleagues told the inquiry Hubert had been at sea with them at the time, and the inquiry concluded the fire had indeed been an accident. No-one knows why he confessed.

I suspect the toll from this fire is wildly underestimated and there was likely to be conspiracy that made the fires spread, similar to San Francisco. Wanton destruction could have been a natural reaction to the plague of 1665. While the San Francisco fire is a study of human behavior relative to technology and liability a clear lesson in the London fire is how prejudice dictates a sense of security. We must fight the urge to satisfy ourselves with false resolutions and declarations, such as this one:

Until the 19th Century, the plaque at London’s Monument stated that followers of the Pope were to blame, says Ms Horth, and named Hubert as the fire-starter. It was only after Catholic emancipation in the 19th Century that the government decided the plaque was inflammatory and had those inscriptions removed.

Speaking of plagues, we know today that the disease was spread by rats and fleas. Those who washed regularly as part of their customs were unlikely to be infected. Some deduced in the 1300s that this meant a group of people were to blame. Those who practiced clean living and did not get the plague were thus attacked for being its cause.

Monty Python’s “She’s a Witch” skit does a fair job of reenacting how fear can have a powerful yet absurd influence on the concepts of security and justice.