Whale-Feces Research and Security

Here is a funny perspective on the life of the security response staff at Microsoft:

What do whale-feces researchers, hazmat divers, and employees of Microsoft’s Security Response Center have in common? They all made Popular Science magazine’s 2007 list of the absolute worst jobs in science.

Come on now. Whale-feces research can’t be that bad, can it?

Popular Science says “we salute the men and women who do what no salary can adequately reward”. However, the Microsoft employees quoted in InfoWorld hardly give any indication that they lack satisfaction:

Microsoft’s Mark Griesi considers ranking among the worst as a badge of honor, in part because his grandfather read the story and thought it was “pretty cool to see my team on the list,” he said.

Look gramps, no security!

Dover Beach

by Matthew Arnold (1822-1888)

The sea is calm to-night.
The tide is full, the moon lies fair
Upon the straits; on the French coast the light
Gleams and is gone; the cliffs of England stand;
Glimmering and vast, out in the tranquil bay.
Come to the window, sweet is the night-air!
Only, from the long line of spray
Where the sea meets the moon-blanched land,
Listen! you hear the grating roar
Of pebbles which the waves draw back, and fling,
At their return, up the high strand,
Begin, and cease, and then again begin,
With tremulous cadence slow, and bring
The eternal note of sadness in.

Sophocles long ago
Heard it on the Aegean, and it brought
Into his mind the turbid ebb and flow
Of human misery; we
Find also in the sound a thought,
Hearing it by this distant northern sea.

The Sea of Faith
Was once, too, at the full, and round earth’s shore
Lay like the folds of a bright girdle furled.
But now I only hear
Its melancholy, long, withdrawing roar,
Retreating, to the breath
Of the night-wind, down the vast edges drear
And naked shingles of the world.

Ah, love, let us be true
To one another! for the world, which seems
To lie before us like a land of dreams,
So various, so beautiful, so new,
Hath really neither joy, nor love, nor light,
Nor certitude, nor peace, nor help for pain;
And we are here as on a darkling plain
Swept with confused alarms of struggle and flight,
Where ignorant armies clash by night.

Why do the pessimists always seem to get it so right?

Malware attacks on virtual world greater than on real world

MetaSecurity’s latest post cites McAfee:

McAfee now sees more malware programmed to steal passwords for World of Warcraft than trojans aiming for banking information, said Craig Schumager of the McAfee research labs.

This is highly misleading, I say. Banking is not just a brick-and-mortar building with furniture from the 1980s, bad art, and air-conditioning in overdrive. The exchange of funds in the virtual world, in online forums, etc. is now reaching proportions at which it rivals or even replaces more traditional forms of access. Call it a back-door to the same assets, if you will. MetaSecurity hints at this perspective in the same post:

In talks with Erik Larkin at PCWorld.com, he outlined why fake game gold is more attractive than real money. Primarily, there’s less risk of getting caught and easier punishments for hacking World of Warcraft than Bank of America, but the gold is still easily commutable to real-world dollars and cents.

It goes deeper than that, as they point out in terms of a “secondary” market:

As Brock Pierce of Affinity Media (formerly IGE), put it “Fraud in the secondary market is rampant. On eBay, secondary sales were resulting in 10 percent fraud at one point I think. Someone in Russia could login through a proxy to a server in the US and make a purchase with a stolen card, turn around and resell it on the secondary market, and sell it for 75 percent in a matter of minutes. Organized crime is involved, and it’s anonymous.”

Or as Raph Koster put it: “I described this years ago at a social policy conference. And they [the government representatives] said, ‘Well it’s not drug money, but it is terrorist money.’ The government will get interested.”

Good for Koster.

I see the core of the story as this: malware aimed at finance is shifting to the newer, less regulated methods of banking. This is not really about a move from banking to non-banking, but a move from attacking bank A to attacking bank B, and that is a big difference in security perspective if you are a bank.

I remember arguing in political science classes about what the lifetime would be for the nation-state and its boundaries (as introduced by the medieval Italians). Will virtual worlds be dragged back into the constructs that we use today (real-world banks operating virtual-world branches) in order for us to make sense of how to regulate them, or is a whole new paradigm needed (real-world banks displaced by virtual-world challengers)?

The Pain of Fixing Code

I’ve been dealing with bugs galore lately (memory leaks, overflows, etc.), and it has brought forward some discussion about the difficulty of finding developers who are able to recognize flawed code, let alone make the time to repair it. I was looking for some data on quantifying the source of the problem (yes, metrics) and found this insightful article from a 1998 IEEE journal:

In the first study on the subject, Sackman, Erikson, and Grant found differences of more than 20 to 1 in the time required by different developers to debug the same problem (“Exploratory Experimental Studies Comparing Online and Offline Programming Performance.” Communications of the ACM, January 1968). This was among a group of programmers who each had at least 7 years of professional experience.

Productivity issues are certainly a concern. Managers often time-box the release of code to the point where beta is production. In fact, companies like Google make beta sound so good you have to wonder if people care anymore about the concept of “finished” products. To their credit, and from a historical perspective, IBM had a similar approach and used to include an engineer with their high-end processing platforms to monitor and resolve issues on the fly (i.e. the systems were too complex for anyone to try to manage without pre-qualified professional help). I was always surprised by this and wondered if someone had investigated how to pack an engineer in the crate so she/he would just pop out and start working on the system as soon as it was plugged in. Similarly, the big V12 power-plants of the luxury cars perhaps were not really expensive because of the quality of the build, but because the things never truly had independence from the mechanics (go for a drive, go get a tuning…repeat).

Tom DeMarco and Timothy Lister conducted a coding war game in which 166 programmers were tasked to complete the same assignment (“Programmer Performance and the Effects of the Workplace,” in Proceedings of the 8th International Conference on Software Engineering, August 1985). They found that the different programmers exhibited differences in productivity of about 5 to 1 on the same small project. From a problem employee point of view, the most interesting result of the study is that 13 of the 166 programmers didn’t finish the project at all—that’s almost 10 percent of the programmers in the sample.

So maybe this is a stupid question, but do humans really classify dependability and repeatability as value/benefit worthy of expense? I think the answer is that we spend when we are confident in the return, and we only look for quality when we are in fear of the unknown. Fast food restaurants, for example, can spend on infrastructure because it is the obvious way to reduce cost for a volume of deployed meals that covers that investment. Ford thought this way, as did Edison. People look for the symbols of the industrialized product not for dependability or quality in an absolute sense, but only in terms relative to the other options (which depend on their point of reference). I could continue down this line of reasoning, but in a nutshell I guess my point is that I am finding it reasonable to expect improvements in code quality only in development environments that understand defect tracking and resolution; the same as expecting quality of life only in governments that understand justice and liberty.