The Onion’s A.V. Club has an amusing review of seventeen dangerous computers seen on the big screen:

From 2001: A Space Odyssey to your parents’ attempts to check their e-mail, there’s been an ongoing war between humans and computers that have gotten too big for their binary britches. Save for maybe Windows ’95, no computer-based foe has ever been as diabolical as Master Control Program, the code-munching behemoth in Disney’s Tron.

Funny stuff. Seems like they’re missing some really good ones, like Red Dwarf’s Holly who develops Computer Senility, but I like the concept. Reminds me of an old cartoon…

Or maybe this one:

Someone should put together a list of the most dangerous computers in comics and books, since they seem to be the ones that are eventually launched to the screen.

A Cryptologist named Steven P. Daugherty has been eulogized on the National Security Agency site:

One of the most important functions of any “special operations” team is to gather critical intelligence with the aim of discerning future enemy intentions. Daugherty’s role in this important process was to provide timely and effective cryptologic support to his team. By providing and protecting his unit’s most precious communications he not only contributed to coalition success on the battlefield but also saved countless lives.

Two Days after the 231st anniversary of the nation he had sworn to defend Petty Officer Daugherty was returning from a important mission with his team when their vehicle struck an improvised explosive device killing him and two other members of his unit. Daugherty would leave behind a loving family and young son but his efforts would not be in vain. Later it was confirmed that the work he and his team performed earlier that day had played a decisive role in thwarting a dangerous group of insurgents in their efforts to kill coalition forces.

Tragic news. I wonder what his real views on the war were. Some friends in the Air Force told me the other day that although they all disagreed with the war, and thought it obvious as to why, it was not their job to question authority.

The interesting thing about the Daugherty eulogy, however, is the absolutist emphasis on seeking the truth:

The famous philosopher Thomas Hobbes once noted “Hell is truth seen too late.”” Throughout his time in the United States Navy both on the sea and on land Petty Officer Steven Phillip Daugherty devoted his life to determining truth with the aim of defeating the enemies of freedom throughout the world. His work and accomplishments as a Sailor, cryptologist, father and friend will forever stand as testament to his own personal character and his devotion to his country.

John Stewart put forward a question to the biographer of Cheney that was right on target. If Cheney knew in 1994 that a quagmire would result from invasion, and there was risk of great loss of American lives in the chaos, why did he not openly discuss this, plan for it, or even allow others to raise the issue? Was Daugherty truly allowed to assess the truth to defeat enemies of freedom, or penned into a predictable disaster and a casualty of dishonesty.

Wikipedia reports that Philip Crosby is considered the forefather of the Capability Maturity Model.

I have been using this model extensively for over ten years when consulting on security controls. It is a far better way of documenting and illustrating control status rather than pass/fail, as it shows a continuum of improvement.

In other words, rather than telling a company they “failed” the security test, you can say they have achieved a initial step and only have a couple more to go.

With that in mind, I just ran into a rather funny illustration. It comes from “one of the first publications” by Crosby, meant to help reduce defects in guided missle design and manufacture.

The Control Maturity Levels, just for handy reference, are these:

0 Control is not documented

1 Control is documented

2 Control is consistently applied (implemented)

3 Control is working (tested)

4 Control is measured

Companies often mistakenly rest on their laurels after achieving level 1, documentation of controls. This is the equivalent of trust, without verification, and rarely accurate. Meanwhile security firms often look for evidence of level 3. The gap is where the friction of compliance comes from.

Tests quickly prove vulnerabilities exist, but the real challenge is to find management that is able to move a company solidly into level 2 (implementation). In other words, do they have someone who can reliably answer the question “Will it work?”

Well, in 1994 at least…