Thursday, April 17, 2014

"Creative Destruction": 500 word entry for Schneier's Movie Plot Contest

Since I won last year, I wasn't going to enter this year. But my imagination started turning and this came out.  Hope you enjoy it.

Bruce Schneier's 7th Annual Movie Plot Contest

Theme: NSA wins!  But how? (full description and all entries are here)

My entry:
Creative Destruction
June 2014 – March 2015: Stock market booms.

June 2014: Snowden revelations trigger international political scandals.

July: Feinstein-Rogers Intelligence Reform Bill passes, breaks up NSA. “Largest garage sale in history”.

Headline: “NSA Nuked”

August: 10,000 NSA workers are laid off.

September – December: Open Source projects, Working Groups see influx of volunteers.

September – November: “NSA garage sale” draws small contractors and public-private partnerships spread over 50 states. Private equity firms are buyers – Flatiron Partners, Narsil Capital, and Tech Disruptions.

September – November 2014: Flurry of privacy and security scandals hit big firms. Lawsuits, investigations, and criminal indictments follow.

November: “Alt Apps Group” formed: “Secure, private, and ad-free”. Most members are majority owned by Flatiron, Narsil Capital, or Tech Disruptions.

July – December: Symantec goes on buying spree: Webroot, Cloudflare, StackExchange, Disqus, Rapid7, and MaaS360 – all funded by Flatiron, Narsil Capital, or Tech Disruptions.

December: Puerto Rico Bridge Initiative announces completion of 50GB fiber optic cable.

January 2015: Private equity firms, led by Flatiron, make offer for Symantec.

February: Loren Reynolds, rookie Equity Analyst at JPMorgan Chase working on Symantec project, is accidentally copied on email from Flatiron:
“Confirming that Launch has been accelerated to March. Don’t use email anymore.”
Loren is puzzled by the distribution list:
  • Puerto Rico Bridge Initiative (PRBI) 
  • Economic Development Corporation Utah (EDCU)
  • Fatherly (formerly GoDaddy)
  • DuckDuckGo 
  • Safebook (startup)
March: Traffic and membership surges at Alt Apps Group members. Fatherly achieves 70% share in Certificate Authority market.

March: Loren receives email from friend Zoltin, networking expert:
“PRBI isn’t 50GB. It’s 75TB – the highest capacity in the world!!! WTF! There’s more. Same capacity cables to Bermuda and to Azores. Looks like they are bypassing US-Europe cables. Big news: Big data center on PR now complete.”
April: Google earnings due 4/15; then Facebook, Apple, Twitter, Microsoft, and Verizon on 4/22.

April: Over beers, Loren hears rumors of large short positions in technology stocks from a few “weird” hedge funds.

April 4: Loren receives email from Sarah:
“EDCU is gatekeeper on NSA Utah Data Center.”
April 15: Google disappoints. Earnings down 40% on flat revenue. Stock falls 30%, overall market falls 10%. 
April 20: Loren discovers link between former NSA executives and Flatiron, Narsil Capital, and Tech Disruptions. Finds NSA people behind tech firm scandals in the previous Fall 2014. Tip of the iceberg, she suspects.

April 21: Loren sends IM to her husband, an Assistant DA in the Southern District of NY:

“Must see you ASAP. NSA & GCHQ live on. They’ve gone legit – running private businesses and funds. THEY ARE KILLING THE INTERNET AD BUSINESS.”
After clicking “send”, her computer freezes. She reaches for her smart phone to call her husband, but the directory is empty. She dials the number manually, but gets an “out of service” signal, followed by “low battery”. The phone dies.

Running down seven flights of stairs, Loren races to her car. She jumps in, starts the engine, and backs out with a screech. One turn from the exit the car engine suddenly cuts out and brakes lock. The car crashes into a cement pillar. The airbag fails to deploy. Loren is out cold.
[This has a few lines added, so it's beyond 500 word limit.  But the entry on Bruce's site is below the limit.]

Tuesday, March 25, 2014

RAND Report on Innovation in the Cybercrime Ecosystem

This is an excellent report -- well-researched and well-written -- on the growth and development of the cybercrime ecosystem:
Though it's sponsored by Juniper Networks, I don't see any evidence that the analysis or report were slanted.  This report should be useful for people in industry, government, and academia (a rare feat!).

While they do a broad survey of the cybercrime ecosystem, they examine botnets and zero-day exploit markets in detail.  What's important about this report is that it provides a thorough analysis of the innovation capabilities and trajectories in the cybercrime ecosystem.  This is vital to understand to guide investment decisions, architecture decisions, and R&D decisions beyond a 1 year time horizon.

Here's a timeline that documents the growing sophistication and innovation capability:

Black Market timeline (part 1) -- click to enlarge
Black Market timeline (part 2) -- click to enlarge

Monday, March 24, 2014

Review of Whitsitt's "B-side Cyber Security Framework" (Mapped to the Ten Dimensions)

My colleague Jack Whitsitt (@sintixerr) has proposed a B-side version of the NIST Cyber Security Framework (NIST CSF) in this blog post.  In this post I will give my comments on Jack's framework, and do so by mapping it to the Ten Dimensions.

The NIST CSF is a catalog of information security practices, organized into categories and maturity tiers. I've criticized the NIST-CSF here, here, and here, and proposed an alternative -- the Ten Dimensions.  Jack has posted commentary and critiques here, here and  here.  Jack has the advantage of participating in all five workshops, plus several side meetings with various players.

Here's a diagram of Jack's framework:

Short Summary

I like Jack's B-sides framework. I see a lot of overlap between it and my Ten Dimensions.  They aren't identical but the same themes come through in both. His has the advantage of simpler interpretation (top-down layer cake, half as many dimensions).  It has short-comings as well.  In it's current form, it lacks performance measurement and, in my opinion, as inadequate attention to "Effective Response, Recovery, & Resilience", "Effective External Engagement", "Optimize Cost of Risk", and organization learning loops.

Sunday, March 16, 2014

Precision vs Accuracy

When ever you do any kind of measurement, it's important to understand the uncertainties associated with it.  Two characteristics of measurement that are inverse to uncertainties are 'precision' and 'accuracy' (also known as 'fidelity').  The following graphic, from this blog post, nicely demonstrate the difference between these two characteristics.

Other measurement characteristics include stability (repeatability from measurement to measurement), resolution (number of significant digits), sensitivity (ability to detect very small signals), linearity, range (from smallest valid value to largest valid value), and sampling rate (time slice or number of samples to establish a valid measurement).

S Kauffman on Emergent Possibility Spaces in Evolutionary Biology, Economics, & Tech. (great lecture)

Below is a great lecture by Stuart Kauffman on the scientific and philosophical consequences of emergent possibility spaces in evolutionary biology and evolutionary economics, including technology innovation and even cyber security. This web page has the both video and lecture notes.

The lecture is very accessible anyone who reads books or watches programs on science aimed at the general public -- especially evolution, ecology, complexity, and innovation. He does mention some mathematical topics related to Newtonian physics and also Quantum Mechanics, but you don't need to know the details of any the math to follow his argument.  He gives very simple examples for all the important points he makes.

There are very important implications on epistemology (what do we know? what can be known?), scientific methods and research programs, and the causal role of cognition, conception, and creativity in economic and technological change. This last implication is an important element in my dissertation. I'll write more on that later.

Monday, March 10, 2014

Boomer weasel words: 'high net worth individuals' as euphemism for 'rich people'

For some time, I have been noticing that rich people and the people who sell services to them don't use the phrase "rich people" any more.  Instead, they say "high net worth individuals".  When did this happen and why?

(You might compare this to my previous post regarding "Baby on Board" signs.)

The following graphs are from Google Ngram Viewer, which show relative frequency of word phrases in American English books up to the year 2008. Notice that the phrase "high net worth individuals" appears first around 1980.

(click to enlarge)

Saturday, March 8, 2014

Ideal book for self-study: "Doing Bayesian Data Analysis"

In this post, I'd like to heartily recommend a book for anyone doing self-study who doesn't have much statistics or math in their background:
This book is head-and-shoulders better than the others I've seen.  I'm using it myself right now.  Here's what's good about it:
  • It builds from very simple foundations.
  • Math is minimized.  No proofs.
  • From start to finish, everything is demonstrated through R programs. Anyone learning statistics today should be learning a statistics programming language at the same time.  R is the most popular choice and by some measures the best choice.
  • It helps you learn Empirical Bayesian methods from every angle.  It does great both with the fundamental concepts and the practical applications.
  • It takes you as far as you want to go, at least into advanced territory if you want.  But you don't have to read the whole textbook to benefit.
For what it's worth, this book was voted most popular introductory book on Stack Exchange.