“Hacker-free” Iomega ix4 NAS

Iomega marketing materials give a good laugh on their new ix4 NAS products:

Other security features include robust username and password authorized access, and RSA BSAFE encryption technology for hacker-free installs and upgrades.

What? Does this mean if you are a hacker you are unable to choose a username, set a password, or enable RSA BSAFE? Sounds like some amazing security technology. Hacker-free? Can’t wait to get my hands on one.

Seriously, though, it’s nice to see that a self-contained, automatically configured 2TB device costs under $700. Network admins should be considering rules right now to detect Iomega MAC addresses. One of these things pops up on the network and you can almost bet trouble is coming — “hacker-free” trouble.

DHS Report on IT

News from the US government:

The Department of Homeland Security (DHS) and the Information Technology Sector Coordinating Council (IT SCC) today released the IT Sector Baseline Risk Assessment (ITSRA) to identify and prioritize national-level risks to critical sector-wide IT functions while outlining strategies to mitigate those risks and enhance national and economic security.

The news release claims the ITSRA “validates the resiliency of key elements of IT sector infrastructure”.

That sounds suspiciously like the SAS70 approach to security where audits can be targeted to very limited areas of an organization and success is never measured across the whole.

Key elements?

Reduce scope enough and success is found somewhere. I think Calvin and Hobbes had a nice variation of this. It was a graphic of a snowman with just two balls — no head. Calvin stood back in admiration and said something about how the secret to good self-esteem comes from lowering expectations until they are already met. Here’s another variation from Calvin that will have to do until I can dig up the one I remember:

I’m not saying that is the case here, as I have not finished reading the full report yet, but the press release language is already steering me in that direction.

Healthcare Risks

This paragraph in the Atlantic September 2008 article called How American Health Care Killed My Father stood out to me:

About a week after my father’s death, The New Yorker ran an article by Atul Gawande profiling the efforts of Dr. Peter Pronovost to reduce the incidence of fatal hospital-borne infections. Pronovost’s solution? Hospitals implementing Pronovost’s checklist had enjoyed almost instantaneous success, reducing hospital-infection rates by two-thirds within the first three months of its adoption. But many physicians rejected the checklist as an unnecessary and belittling bureaucratic intrusion, and many hospital executives were reluctant to push it on them. The story chronicled Pronovost’s travels around the country as he struggled to persuade hospitals to embrace his reform.

Here again is a fine example of the difficulty of making a simple security choice, even among highly educated professionals and presumably rational thinkers. Washing hands is resisted in spite of a well-documented, if not obvious, potential to reduce risk. The rest of the article is a very thoughtful look at what the author calls “impersonal forces” that distort risk decisions, as well as suggestions on health-care reform.

RIP Fabio Casartelli

Last evening I heard two cyclists say “not tonight” when their friends asked why they did not have helmets. I’ve written at length already on helmets and risk intuition, but apparently they had not read my blog. This brought two things to mind:

First, the statistics on head trauma and bicycling are simple. Close to 90% of brain injuries sustained from bicycle accidents can be prevented by wearing a hard shell helmet. The National Highway Traffic Safety Administration (NHTSA) puts this into economic terms in their 2008 Legislative Facts document.

Every dollar spent on bicycle helmets saves society $30 in indirect medical costs and other costs.

They also note that while California was the first state to pass a mandatory helmet law, in 1986, there are many states that still have no requirement at all:

Arkansas, Colorado, Idaho, Indiana, Iowa, Minnesota, Mississippi, Nebraska, North Dakota, South Dakota, South Carolina, Utah, Vermont, and Wyoming

Second, aside from all the data, there are far too many real-world stories and examples that people should be aware of when they ride. One of the best known is the untimely death of Lance Armstrong’s teammate in the 1995 Tour de France.

Born on August 16, 1970, Casartelli probably would be one of the top riders in the world today. He had won an Olympic gold medal in cycling at 22 years of age. Just three years later he was representing team Motorola in the Tour when he crashed on the Col de Portet d’Aspet in the Pyrenees and hit his head on the large square concrete blocks on the side of the road. The doctor who examined the injury said a helmet would have helped.

“There was a small but very violent impact to the top of the skull a few centimetres to the left of the central axis. Contrary to several reports, there were no facial injuries. The impact caused several fractures within the cranium, causing blood to emerge from the nose, ears and mouth.” Disteldorf added that had Casartelli been wearing a hard helmet “some injuries could have been avoided”.

One of the reasons to bring up the Casartelli story is also to note how the Tour’s senior doctor and the Motorola team doctor both asked that an autopsy of the injury not be performed. They then conjectured on the cause of death without an examination. This lack of interest in safety and security data was echoed by the chairman of the International Cycling Union (UCI), who wanted to avoid helmet requirements at the time.

We have indicated the risk to the riders, but I believe that if you can’t apply certain rules on people it is better to drop them.

The question should not be whether we can find a person who will make a hasty conclusion or disobey a rule. What value is there in disobeying a rule without cause? The question instead is whether someone will be able to make an informed and rational decision once they see and understand the risks as a whole. An adult rider should think about their head’s vulnerability, the cost of prevention versus medical treatment or worse, and then examine the cost of countermeasures. This formula makes decisions easier and more accurate. It also brings forward the arguments against helmets (cooling, fashion), which can then be addressed, proving that properly managed regulations are a way of stimulating innovation and market growth.

I would argue that simple common sense, backed by scientific study, has prevailed since the early 1990s, and that is why helmets in races are now mandatory. I expect this to be documented by an improvement in the ratio of death and serious head injury among helmet-wearing riders to overall bicycle accidents. Although it is hard to account for threat variables (animals, other vehicles, terrain type, etc. all differ greatly by region), the goal is to isolate and thus measure the change to a rider’s vulnerability. This is very similar to the process of assessing information security risks in organizations both large and small.

RIP Fabio Casartelli