Category Archives: History

National Eggnog Day

December 24 is a celebration in America of copying a recipe from Britain, making an inexpensive version of it, then proclaiming it as our own.

As with most things considered distinctly American, eggnog is a tweaked and tinkered version of an import. The story, as I heard it many years ago, is that a fashionable drink that grew during the Tudor dynasty (1485-1603) called syllabub was imported and renamed in America, as it died off in England.

The drink started with the fact that, before the 1700s, only the well-to-do of England could own cows and afford to drink milk fresh and hot from the source, let alone laced with exotic spices and expensive alcohol.

THE principal sale of milk from the cow is in St. James’s Park. The once fashionable drink known as syllabubs — the milk being drawn warm from the cow’s udder, upon a portion of wine, sugar, spice, — is now unknown.

The once fashionable celebratory drink is now unknown, says this person in 18th Century London. It was relegated to the recipe books such as the 1786 “Complete English Cook”, buried among the many other options.

[Image: 1786 “Complete English Cook”]

What about Posset?

Some have written that Posset, not Syllabub, is the correct lineage for today’s celebratory drink. I find this to be a leap, given that London cookbooks of 1762 categorized Posset in this context:

I. Of Soups, Broths and Gravy.
II. Of Pancakes, Fritters, Possets, Tanseys

Pancakes, Fritters and Tanseys all are fried, which leaves Possets to be cooked into a curdled cream or even a custard.

Some have pointed to an even starker context: Shakespeare’s Macbeth reference to the posset as a healthy nightcap, a drink conveniently easy to poison before bed.

The doors are open, and the surfeited grooms
Do mock their charge with snores. I have drugg’d their possets
That death and nature do contend about them,
Whether they live or die.

The poison context seems a bit off. Spiced anything is easy to poison. Anyway the greater context is the “health” aspects of a posset, which were rooted in medieval times. Eating a cooked (sanitized) protein and alcohol slurry may have given the appearance of curing the sick because it was better than not eating at all. (From Early English Books Online “Food and Physick”, for which 18th Connect gives a sneak preview)

Another special Preservative: Take an Egge, make a hole in the top of it, take out the white, and the yolk, and fill the shell only with Saffron; roast the shell and Saffron together, in Embers of Charcole, untill the shell wax yellow; then beat shell and all together in a Morter, with half a spoonful of Mustard-Seed: Now so soon as any suspition is had of Infection, dissolve the weight of a French Crown, in ten spoonfulls of Posset-Ale, drink it luke-warm, and sweat upon it in your naked Bed

Enjoy your medicine. Yuck. In other words, the medicinal muck of a posset served in a person’s darkest hour, as they lay waiting for death, is unlikely to be a direct root for today’s party serving eggnog. There is a transition/fork at the very least from posset to syllabub, or perhaps a disconnect, when milk with spice and booze became fashionable for partying. A modern descendant of posset is more likely to be kumyss.

I mean syllabub, hot milk pulled from the udder and mixed with flavorings, is typically for celebration not solitary nightcaps or plagued deathbeds. Thus syllabub makes far more sense when you think about what you’re doing with eggnog today.

The demise and intellectual property transfer of syllabub

Serving syllabub at parties lost favor in England around the time its colony (e.g. America) was importing anything it could for celebratory significance. Dairy economics of the colonies were a key factor in transfer of high-brow beverage to common table. Privileged recipes of status in England easily were transformed into replicas with new resource abundances (also found with Cheddar cheese).

There was a small catch to the American colony use of syllabub. Import costs for fine wines and liquors forced change in the ingredients. Alcohol found easily on ships sailing in America — rum of the Caribbean — was an obvious substitute to start with. A more likely substitution later was based on variations of whiskey such as the corn-based bourbon (rum trade and imports were scuttled during the Revolution).

Americans became so accustomed to the English idea of a milk and spiced alcohol drink for celebrations, despite the decline in England, that an attempt at the US Army academy to regulate consumption in 1826 led to dangerous riots.

A few of the cadets took Thayer’s regulations [of eggnog] as a challenge and intended to outsmart the superintendent and his staff by having the best holiday celebration West Point had seen. The term “celebration” may not apply in this case, but the incident of the “Eggnog Riot” was something West Point had never experienced. At least seventy cadets took part in the shenanigans, resulting in assaults on two officers and destruction of North Barracks, as some of the students, in their inebriated state, had smashed several windows.

This level of anti-authority violence might need perspective. Consider how in the 1800s Americans carried forward another aristocratic tradition from England. The British Kingdom passed its Slavery Abolition Act in 1833. It took another 30 years and a bloody protracted Civil War started by the Southern states before America could abolish slavery. In 1913 a book called “Dishes and Beverages of The Old South” even recommended making syllabub as an “Old South” tradition for special occasions!

Harking back to the supper table – syllabub, as nearly as I recall, was made of thick cream lightly reinforced with stiffly beaten white of egg – one egg-white to each pint – sweetened, well flavored with sherry or Madeira wine, then whipped very stiff, and piled in a big bowl, also in goblets to set about the bowl…

Thus, today in America what we really celebrate is the commodity effect, aristocratic-like access made inexpensive, to fresh milk and alcohol. Eggnog is not the only product like this, borrowed and interpreted from the wealthy abroad without attribution. There are many others such as cheddar cheese mentioned above (officially only from the caves of Cheddar and at some point declared by a King the finest cheese in England).

Here’s a fun chart of eggnog showing up in menus over time in America, from the New York Public Library, where you can see price:

[Image: eggnog on American menus over time]

Isn’t big data amazing?

A new recipe

Given this history, here’s my simple recipe to celebrate America’s National Eggnog Day:

  • Six Tbsp of Grassmilk
  • Six grass-fed eggs
  • Six cups of Wild Turkey 101 Rye
  • 1 tsp fresh grated nutmeg
  • 1 tsp black pepper
  • 1 Tbsp Grass-fed butter (Note: Irish butter is often cited as grass-fed. It really is only about 300 days a year of grass feed. German butter can be grass fed year round. An excellent alternative butter is from Yak)

Mix the milk, eggs and spices. Heat a saucepan with the butter. Pour the whiskey and hand remaining five cups to your guests. Take a sip of the whiskey. Pour the dairy mixture into the pan and wait until it’s cooked. Take another sip of the whiskey. Scramble the mixture in the pan, adding other ingredients as desired. Sip the whiskey. Serve scrambled eggs to your guests as you all enjoy your unspoilt American whiskey.

Now that’s American.

An old recipe

On the other hand, if you still think you want to drink the stuff of origin à la the Tudors (or at least the Victorian version of it, before it disappeared), the BBC offers this recipe from Mrs. Beeton’s 1861 “Book of Household Management”:

  • 570ml/1 pint sherry or white wine
  • 1/2 grated nutmeg
  • sugar to taste
  • 900ml/1 1/2 pt milk
  1. Put the wine into a bowl, with the grated nutmeg and plenty of pounded sugar, and add it to the milk.
  2. Clouted cream may be held on the top, with pounded cinnamon or nutmeg and sugar; and a little brandy may be added to the wine before the milk is put in.
  3. In some countries, cider is substituted for the wine: when this is used, brandy must always be added. Warm milk may be poured on from a spouted jug or teapot; but it must be held very high.

…and just remember when she says jug or teapot that’s a reference to an aristocrat’s cow udder tended by his milk girl.

Don’t get me started on the security issues in trusting an aristocrat’s milk girl. Seriously, auditing milk girls for fraud was important business in old England. Milk often was diluted with water, for example, if the customer wasn’t watching carefully.

Instead of that hassle, just head out to a local dairy in America and ask if they will let you pull an udder for hot milk into a large bowl to celebrate Eggnog Day.

Bring this recipe and show it to the dairy:

Reynolds, Mrs. George W. M. (1871). The Household Book of Practical Receipts. 18th ed.. London: John Dicks. p. 12.

Updated to add: Compare and contrast the original Syllabub with President Eisenhower’s Whitehouse cook book, which you can find in his archive today. Here’s a recipe for eggnog that prefers bourbon, “coffee cream” and doesn’t even mention spice until a garnish at the end.

[Image: Ikenogg]

Algorithms, DVD CSS and Haiku

My mother dropped off a book for me to read called “Coding Freedom: The Ethics and Aesthetics of Hacking” by Gabriella Coleman.

The section on poetic protest within the chapter “Code is Speech” reminded me of the haiku called

How to decrypt a
DVD, in haiku form
Thanks, Prof. D. S. T.

A quick search for the original text of the poem brought me to an interesting backstory by its author, Seth Schoen:

A strange tradition current among programmers calls for the use of the 5-7-5 pattern — preferably cleverly — to express technology, or jokes about technology, or really anything at all, just for the fun or the challenge of writing within the constraint. I remember particularly that the UC Berkeley Computer Science Undergraduate Association has a mysterious tradition of writing haiku poems about the chemical element zinc. The tradition seemed to start with a 1995 transcript of a conversation in which CS students began to write poems about zinc, but it continued within and without the Berkeley CSUA, and I know that I personally helped spread the tradition to other forums and communities.

[…]

It’s clear that the practice of writing 5-7-5 verses and calling them “haiku” seizes on only one aspect of the haiku form and entirely removes it from its original cultural context. I freely admit that my poem has no cultural continuity with the ancient Japanese haiku artform, although I think it has its own sort of literary merit.

Well, maybe if the ancient Japanese had DVD CSS to deal with…but seriously, poetry often can be revealing and controversial through indirect methods. It can be a backdoor of communication on subjects where the front door is sealed. There is perhaps more continuity than Schoen realizes.

Why South Carolina’s Governor wants encryption NOW

The leader of an American state is in the news advocating encryption be added to government compliance requirements. She has pointed blame for a serious breach of confidentiality, under her watch, towards her regulators.

Gov. Nikki Haley’s remarks on Tuesday came after a report into the breach revealed that 74.7 GB was stolen from computers belonging to South Carolina’s Department of Revenue (DOR) after an employee fell victim to a phishing email.

First, her remarks feel slightly off the mark to me. The incident response report released by her office asserts only a correlation between a phishing email and the breach.

The report very clearly states causation was not found.

The malware likely stole the user’s username and password. This theory is based on other facts discovered during the investigation; however, Mandiant was unable to conclusively determine if this is how the user’s credentials were obtained by the attacker.

The news I have seen consistently refers to a case of malware through phishing, even though the IR report warns that it is only “likely.”

Beware the difference.

Why does certainty matter so much here? Because encryption has a well-known and significant weakness: an attacker who can compromise credentials needed for decryption still can steal 74.7GB of confidential data. The strength of a safe’s walls is far less relevant if a front door is left open.

Second, if an executive passing the blame on to regulators sounds familiar it might be because Heartland’s CEO used similar rhetoric.

In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process. PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.

Most people might think Enron was a lesson in detecting executive negligence and fraud. A CEO saying the case centers on “gross negligence” by auditors paints an interesting perspective on management responsibility as well as history.

Consider this brief definition of gross negligence for a physician:

Gross negligence evinces a reckless disregard for the rights of others or smacks of intentional wrongdoing. In other words, gross negligence is an act or omission of an aggravated character, as distinguished from the failure to exercise ordinary care.

Heartland’s CEO appears to equate a breach of his systems to this kind of intentional wrongdoing, perhaps even intent to deceive, by those meant to help him assess his compliance with a regulation.

Enron, however, was a very different case. As Time magazine explained in 2002, auditors were found guilty of charges they helped executives of Enron hide risk from the regulators. Executives and auditors were thought to be in cahoots.

Said prosecutor Andrew Weissman: “This is a perfect example of Arthur Andersen sanitizing the record so the SEC would have less information.”

It might be useful to also mention that Enron’s auditing firm later was found not-guilty and the conviction overturned by unanimous Supreme Court decision (Andersen v. U.S., 04-368).

At trial, Andersen argued that employees who shredded tons of documents followed the policy and there was no intent to thwart the SEC investigation.
[…]
A ruling against Andersen could have had onerous consequences for businesses, whose discarding of files is an everyday occurrence. Experts say companies would have had to keep all files for fear that any disposal, however innocent, could subject them to potential prosecution.

In other words the core Enron lesson has to do with the executives intentionally misleading regulators with the help of those working for them. The Andersen case related to questions of client-independence and retention policies with oversight by regulators. The Heartland CEO characterizes the problem as executives who didn’t realize they were committing fraud rather than asking why no one blew the whistle on Enron executives.

Back to South Carolina’s Governor, she was quick to throw mud at her regulators: “This is a new era in time where you can’t work with 1970 equipment. You can’t go with compliance standards of the federal government.” See the whole mud-slinging event here:

What she says is true to some degree, you can’t go with compliance standards of the federal government to be safe any more than you can take the South Carolina driving test and assume you will be safe on the road. A fair amount of driver intervention is required.

So if a driver has an accident should we expect them to say “…you can’t work with 1970 vehicles. You can’t just follow government driving compliance standards…?”

Third, given that (1) encryption isn’t a proper solution to the loss of credentials and (2) those in charge at the time of a breach sometimes spin blame onto those who try to guide them, do I agree with a Governor’s demand that encryption be added to regulation?

Actually, yes.

I’m obviously pro-regulation for a number of reasons but as I’ve stated for years encryption is neither difficult nor costly to implement properly. The reasons not to encrypt are fast disappearing, which begs the question of why the Governor wasn’t already adopting it. Why did she think she had to wait for regulation by the federal government before she could act?

In 2005 I presented at a conference to card brands and retailers a solution that would allow end-to-end encryption of their customer data.

Although we made great technical progress I will never forget the words of a CFO who reviewed our proposal: “Davi, we don’t want to be bleeding edge.” That used to be a typical reaction eight years ago and one of the reasons I set out to present to people around the world how to do encryption.

Most recently I ran into this sort of reaction in China, but it seems to have started to wane in America. More and more demand for encryption is starting and regulators have already written it into state laws (e.g. Nevada’s 2009 law SB 227 and Massachusetts’ 2009 law 201 CMR 17).

And while some states have moved towards explicit encryption, others have implied or suggested encryption laws. Notice, for example, that the 2009 South Carolina breach law offers an encryption safe-harbor clause:

Definition of Personal Information: The first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted

We can thank California’s 2003 SB 1386 for the rise in breach laws and encryption clauses over the past nine years but actually we can thank Heartland for most of the mindset shift after 2008 (more than just coincidence with the timing of encryption laws). In other words, I also will never forget (five years after my presentation on end-to-end encryption for PCI) the CEO of Heartland asking why no one had forced him to spend money on end-to-end encryption.

Heartland Payment Systems, the victim last year of a massive data breach of sensitive card data, vowed after that devastating event to develop new security gear based on end-to-end encryption between itself and its merchants to prevent such a breach from occurring again. That’s now taking shape, but slowly.

The fact was no matter how I characterized encryption in terms of a long history of deployment and use (don’t get me started on the Roman empire) if the regulators did not demand it now, there were always some executives I consulted with who said they didn’t see the “pressure” to do it. There were those who wanted encryption to be so far behind their adoption curve that they could hold up a requirement to prove to their constituents that it was necessary (e.g. low risk to them).

So yes, I think regulators should force South Carolina’s Governor to adopt the aging encryption controls because, as with Heartland, some leaders haven’t been able to take that step before a breach hits the fan. I also think regulators should demand South Carolina’s Governor explain how she will use encryption to protect data if keys to encryption have been stolen (e.g. as described in her incident report).

And try not to look surprised when she asks “What do the requirements say…?”


Updated to add: The IRS apparently has responded with a statement that encryption is required, as reported by WMBF news.

The governor says she’s meeting with the state’s congressmen to have the IRS require encryption in its standards. But the IRS says that’s already on the books.

Unfortunately WMBF has a vague and diplomatic quote from the IRS — no specific requirement is cited.

We have many different systems with a variety of safeguards — including encryption — to protect taxpayer data. The IRS has in place a robust cyber security of technology, people and processes to monitor IRS systems and networks.

We work closely with the states to ensure the protection of federal tax data. We have a long list of requirements for states to handle and protect federal tax information.

Just Say No to Cyber

Bloomberg Businessweek sat down a couple months ago with five security experts including Robert Rodriguez, chairman of the Security Innovation Network and senior adviser to the Chertoff Group. The five were asked questions like “Is it important to determine who’s responsible for security? Is it the seller of the computer, the way that a seller of an automobile is responsible for a level of safety? What’s the alternative?”

An answer from Rodriguez, which built on an answer from Brvenik, recently was brought to my attention.

[SourceFire VP] Brvenik: We can make it harder, we can make it more expensive for the adversary, but they still have entry points. In order to truly solve this problem, we have to educate everybody from the start. Elementary schools should be teaching children before they’re ever online about the risks of it, and safe behaviors and how to identify bad things.

Rodriguez: I totally agree with you. Education, increasing awareness, and starting with a national ad campaign, almost like Nancy Reagan did with “Just Say No to Drugs.” It sounded silly to people in the beginning, but it was highly impactful.

While I am all for user education, I can hardly believe someone would cite Nancy Reagan’s program as “highly impactful.” I assume he means that in a positive way. I’ve always considered Reagan’s slogan a complete and abject failure due to the emphasis on an inflexible and unthinking response to a complex problem. We might as well tell people to just say no to anything “cyber” because it can cause harm.

Perhaps Michael Hecht, a Penn State professor of crime, law, and justice, put it best:

Critiqued by some for reducing a complex issue to a catch phrase, Reagan’s campaign is generally considered to have been unsuccessful, and the phrase “just say no” has become a pop-culture joke.

Hecht makes an interesting point about the slogans that work best and why:

…it is clear from a large body of research that students are more receptive when their peers are involved with delivering the message.

The nuance on these political issues is probably important. While I am for user education I am against a “Just Say No” program. Here’s another example: while I am for passenger screening I am against the Chertoff Group lobbying to sell their own product, a millimeter wave scanner, into airports.

I guess I would have given Bloomberg’s question a different response. I would agree with Brvenik and Rodriguez on user education but also would have disagreed with them. I would have emphasized don’t blame the victim (different from Brvenik), don’t be top-down and inflexible in reasoning (different from Rodriguez) and I would have said a reasonable level of liability should be put on manufacturers (more direct answer to the question).