SAS 70 Replaced by Two New Standards

ISACA has announced that the venerable SAS 70 is being retired and replaced:

Statement on Auditing Standard No. 70 (SAS 70) will be replaced by two new standards: an attestation standard that will guide service auditors in the conduct of an examination of, and the resulting reporting on, controls at a service organization and an auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization.

These new standards apply to service auditor reports covering periods ending on or after June 15, 2011.

  • International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization
  • Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization

ISAE 3402 is the international standard adopted by the International Auditing and Assurance Standards Board (IAASB), while SSAE 16 is the “local” standard adopted by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

One of the big complaints about SAS 70 was that it allowed the entity being audited to drastically limit scope. A test might include only physical security, for example, while logical security controls were ignored. An ISAE 3402/SSAE 16 report still allows this gap; however, the new standards require the report to state clearly what was excluded from the review, so a reader can see the scope limitation instead of having to infer it.

Likewise, a complaint about a Type 1 SAS 70 was that it did not test whether controls were effective in operation. This distinction is still present in the new standards, though the definitions are tighter. A Type 1 report is the auditor's opinion on whether the service organization's description "fairly presents" its system and whether the controls are "suitably designed to achieve the control objectives" as of a specified date. A Type 2 report adds an opinion on whether those controls operated effectively over a specified period.

Although a Type 2 looks similar on first review, I noted a major difference in the new standards. Under SAS 70, the Type 2 opinion on the description and design of controls was given as of the final day of the review period. ISAE 3402/SSAE 16 require that opinion to cover the entire period under review. The new Type 2 also requires a formal written assertion from management about the description and the controls.

Tribalism. Makes you stupid?

Mark Shuttleworth is in a defensive position, according to Linux Journal. His Ubuntu has come under fire yet again for contributing far fewer patches to the Linux kernel than Red Hat and Novell SUSE.

Canonical’s contribution from the 2.6.15 kernel to 2.6.27-rc6 was 100 patches.

This was against a total of 99,324 patches; Canonical’s share was 0.1 percent. Red Hat was the top contributor from among distributions, with 11,846 patches. Novell had 7,222 patches.

Debian and Gentoo, both non-profits, contributed 288 and 241 patches respectively. Canonical, owned by a multi-millionaire, contributed 100 patches.

This might seem to be an odd measure of contribution, as Linux Journal points out. Marketing Linux and making it more user friendly obviously has value. The issue would then be one of attribution, as Red Hat loyalists explain:

Canonical was little more than “marketing organization masquerading as an engineering organization” taking “credit for code that Red Hat engineers wrote.”

Instead of discussing this problem of attribution and how to best fit within the different distributions, however, last week Shuttleworth came out swinging.

Tribalism is when one group of people start to think people from another group are “wrong by default”. It’s the great-granddaddy of racism and sexism. And the most dangerous kind of tribalism is completely invisible: it has nothing to do with someone’s ‘birth tribe’ and everything to do with their affiliations: where they work, which sports team they support, which linux distribution they love.

This is an interesting concept, but philosophically and historically I think he misses the mark.

First, the creation of a distinct identity, even for a tribe, can have a positive effect and does not necessarily place others in the wrong. Martin Buber’s book Ich und Du gives many examples of how this might work. Differences held with respect can have a more beneficial outcome than trying to fold everyone into one group whose behaviour is meant to be predictable.

Buber characterizes “I-Thou” relations as “dialogical” and “I-It” relations as “monological.” In his 1929 essay “Dialogue,” Buber explains that monologue is not just a turning away from the other but also a turning back on oneself (Rückbiegung). To perceive the other as an It is to take them as a classified and hence predictable and manipulable object that exists only as a part of one’s own experiences. In contrast, in an “I-Thou” relation both participants exist as polarities of relation, whose center lies in the between (Zwischen).

The creation of Ubuntu, in other words, formed an identity distinct from Red Hat and SuSE — it created a new distribution with a following that some might call a tribe. Shuttleworth could have instead joined the existing groups, but he struck out on his own in an “I-Thou” effort.

Shuttleworth has an opportunity here to say that groups and tribes should celebrate their differences. The gulf between them is what makes their relationship more beneficial. Instead, he falls prey to a logical fallacy. His blog says that all absolutes are bad. He cites an example from his critics that says “The other guys have never done anything useful”. I would have just called that untrue at face value, but Shuttleworth first calls it tribalism and then equates it to racism:

So if you see someone saying ‘Microsoft is totally evil’, that’s a big red flag for tribal thinking. It’s just like someone saying ‘All black people are [name your prejudice]’. It’s offensive nonsense, and you would be advised to distance yourself from it, even if it feels like it would be fun to wave that pitchfork for a while.

It is offensive because of its content, but more importantly it is a logical fallacy. It has nothing to do with tribalism except for the fact that the I-Thou is being replaced with an I-It. Dislike or disrespect for someone, whether it be from a single person or a whole group, is the same thing.

Unfortunately, Shuttleworth, after making his giant first point about offensive nonsense that comes from generalities, gives us some offensive nonsense that comes from a generality.

Let’s be clear: tribalism makes you stupid. Just like it would be stupid not to hire someone super-smart and qualified because they’re purple, or because they are female, it would be stupid to refuse to hear and credit someone with great work just because they happen to be associated with another tribe.

He has labeled someone as tribal. He then calls tribal stupid. Therefore he wants us to believe that this other person is stupid? How is this different from what he asks everyone not to do? What if he had labeled them American, or labeled them as purple? He falls victim to the very thing he warns against.

Discrimination and hatred are what can make you stupid. An I-Thou relationship does not have to include these factors; it can be a place of reflection on one’s self and respect for differences. It can lead to attribution, which is perhaps something Shuttleworth is not prepared to discuss.

More to the point, a comment on his article by John Bowman gives a perfect example of someone who now wants to join the Canonical tribe. Note the emphasis on joining a tribal environment:

You make Canonical sound like a place I would enjoy working at. When can I start?

While reading this and thinking about how nice a quality that is of a company to have, about the only thing that came to mind was wonder at how the actual employees are regarding the work that they do. Is it all about the individuals’ work contributing to the overall product or is it a “we’re all in this together” type of an environment. If it’s the latter, then sign me up!

Is this person also a stupid tribalist? He responds to Shuttleworth’s rant against “in this together” tribalism by asking to join Ubuntu, if it is an “in this together” environment.

Second, humans clearly have an evolutionary need to socialize. Anthropologists suggest this comes from a need for survival, a strength-in-numbers strategy. Discord will push individuals away from each other, but a common bond may enable them to overcome their differences and reduce the risk each would face defending itself alone. Moreover, controlled discord can lead to innovation that also reduces risk. Working together thus has numerous benefits, and tribalism could actually make you not only more intelligent but safer as well. Marshall Sahlins called this the original affluent society.

The position Shuttleworth settles into at the end of his blog post, wildly inconsistent with the beginning, supports this notion. He calls on his followers to choose the right path, follow good values, and trust that things will work out.

I would like to say this to everyone who feels associated with Ubuntu: hold fast to what you know to be true. You know your values. You know how hard you work. You know what an incredible difference your work has made. You know that you do it for a complex mix of love and money, some more the former, others more the latter, but fundamentally you are all part of Ubuntu because you think it’s the most profound and best way to spend your time. Be proud of that.

Aside from the tautological nature of that advice it reminds me of the new tribalists, as found in Daniel Quinn’s novel Ishmael:

There’s nothing fundamentally wrong with people. Given a story to enact that puts them in accord with the world, they will live in accord with the world. But given a story to enact that puts them at odds with the world, as yours does, they will live at odds with the world. Given a story to enact in which they are the lords of the world, they will act like lords of the world. And, given a story to enact in which the world is a foe to be conquered, they will conquer it like a foe, and one day, inevitably, their foe will lie bleeding to death at their feet, as the world is now.

How does one find the right story, or the right path? In conclusion, Shuttleworth is illogical at first but shows strong leadership values in the end. He must know that humans seek social networks to form a sense of value and pride, which is why he calls upon “everyone who feels associated with Ubuntu”. Shuttleworth says his organization actively tries to eliminate tribal thinking, but hopefully I have explained above how this is hypocritical as well as detrimental. Malcolm Gladwell also makes a very compelling argument for why this is a bad idea in his book The Tipping Point. It is far better that Shuttleworth also says his organization holds respect for others as a core value. This is a great position, and as a leader he should practice the same — develop the positive aspects of an I-Thou relationship with SUSE and Red Hat — and the Linux community overall will be enhanced by more security. Then again, I am hoping for respect to come from the same person who apparently has refused to apologize for saying “Linux is hard to explain to girls” in a Linux conference keynote speech.

Brake Pad Fraud Danger

BBC Northern Ireland has echoed a counterfeit brake pad warning from the Trading Standards Service:

The counterfeit brake pads, branded as Volkswagen, SEAT, Skoda and Audi were seized following a tip-off from the Volkswagen group.

Examinations of the brake pads revealed they failed to meet required friction levels and are held together by glue.

When subjected to testing, the counterfeit parts showed that exceptional leg strength would be needed to apply the necessary pressure to stop an average family car.

This is an excellent example of compliance requirements in action. Without a specific level of brake pad performance required by law, how would consumers know whether the brakes on their vehicles are capable?

Windows Shell Exploit Patch: CVE-2010-2568

Microsoft Security Bulletin MS10-046 was released this morning and has extensive detail on how to patch or work around the vulnerability in Windows Shell (in how it parses shortcut, or .lnk, files) that allows remote code execution.

A couple of key points in the advisory:

First, Microsoft notes that the exploit only gains the rights of the logged-on local user. It is fine to suggest a role-based control approach; it is a best practice. However, in practice most Windows desktops run their day-to-day user as a member of the local Administrators group, so the attacker gets administrative rights anyway. This echoes my earlier post on this issue, where I tried to emphasize that this story has not significantly moved the dial in terms of Windows exploits. It is significant more because it was targeted at a specific vendor (Siemens) implementation on Windows. This is an excellent example of an Advanced Persistent Threat, versus an Advanced Threat. Persistence comes in the form of intelligence gathering and targeting specific/unique weaknesses. I would wager that the Siemens software requires Administrator privileges.

Second, a specific service is implicated as an attack vector:

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

Once again we can say all unnecessary services should be disabled as a best practice and for compliance (e.g. PCI DSS). Nothing new here. WebClient (the WebDAV redirector) has been disabled by default on server versions of Windows since Windows Server 2003, while it has shipped enabled on desktop versions (Web Folders in Windows 98, the WebClient service since Windows XP). Windows 7 even provides WebDAV server capability through IIS.

The WebClient service does nothing more than let Windows programs create, read and modify files on a WebDAV (Web-based Distributed Authoring and Versioning) server as if they were local. Its service description calls these “Internet-based files”, which is too broad to be a useful definition.

With this functionality in mind it is interesting to note that the attack was distributed by USB. A network-based attack was perhaps not chosen because the systems targeted were said to be disconnected from a network. The WebClient service should only be enabled on a system that needs to read and write remote files over HTTP. So the advisory pins together a local, removable-media attack and a network-service attack vector for the same shell bug.

Did the Stuxnet authors know that Siemens runs on Windows XP or 98 with default services enabled? Does Siemens WinCC software or the SIMATIC distributed control system require WebClient, thus making it a networked system after all? I would wager, as above, the Siemens systems were configured without security in mind and an unnecessary service was enabled.

Therefore, from the above two points, a Windows user who disables unnecessary services and uses role-based access would have reduced the exposure to this vulnerability even before the patch was available.
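Beyond those two host-hardening points, an incident responder also wants to find the malicious shortcuts themselves on a suspect USB stick. The following is an added example, not code from the original post, from Microsoft or from any Stuxnet analysis. It parses only the MS-SHLLINK header and LinkTargetIDList, and its detection rule is an assumption of this example rather than a published signature: a shortcut that walks into the Control Panel folder and then names a module path that is not a .cpl applet is flagged, because the shell loaded the referenced module to fetch its icon. The two sample shortcuts are constructed inline; the vendor string in the device path is made up, and the item type bytes are illustrative.

```python
"""Triage .lnk files for the CVE-2010-2568 (MS10-046) shortcut pattern.
Added example; parses only the MS-SHLLINK header and LinkTargetIDList.
Heuristic (an assumption of this example): a shortcut that walks into the
Control Panel folder and then carries a module path that is not a .cpl."""
import struct
import uuid

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
HAS_LINK_TARGET_ID_LIST = 0x00000001
HEADER_SIZE = 0x4C


def parse_id_list(data):
    """Return the ItemID payloads of a ShellLink, or None if it has no IDList.
    Malformed input raises ValueError rather than being silently skipped."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLink header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != SHELL_LINK_CLSID:
        raise ValueError("not a ShellLink file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return None
    if len(data) < HEADER_SIZE + 2:
        raise ValueError("IDList header missing")
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID closes the list
            return items
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    raise ValueError("IDList not terminated")


def utf16le_strings(blob, min_len=4):
    """Printable-ASCII UTF-16LE runs, tried at both byte alignments."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(blob) - 1, 2):
            code = blob[i] | (blob[i + 1] << 8)
            if 0x20 <= code < 0x7F:
                run.append(chr(code))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def suspicious_paths(data):
    """Module paths that make a shortcut look like CVE-2010-2568 abuse."""
    hits, inside_control_panel = [], False
    for item in parse_id_list(data) or []:
        if CONTROL_PANEL_CLSID.bytes_le in item:
            inside_control_panel = True
        elif inside_control_panel:
            # A genuine applet item names a .cpl module; anything else was loaded blindly.
            hits += [s for s in utf16le_strings(item)
                     if "\\" in s and not s.lower().endswith(".cpl")]
    return hits


def build_lnk(items):
    """Assemble a minimal ShellLink from ItemID payloads (constructed test data only)."""
    header = struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID.bytes_le,
                         HAS_LINK_TARGET_ID_LIST).ljust(HEADER_SIZE, b"\x00")
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples; the item type bytes (\x1f\x50, \x2e\x80) are illustrative.
ROOT = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le
CONTROL_PANEL = b"\x2e\x80" + CONTROL_PANEL_CLSID.bytes_le
APPLET_PATH = "C:\\WINDOWS\\system32\\main.cpl"
USB_MODULE_PATH = ("\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Example#"
                   "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\~WTR4141.tmp")
BENIGN_LNK = build_lnk([ROOT, CONTROL_PANEL,
                        b"\x00" * 4 + APPLET_PATH.encode("utf-16-le") + b"\x00\x00"])
EXPLOIT_LNK = build_lnk([ROOT, CONTROL_PANEL,
                         b"\x00" * 4 + USB_MODULE_PATH.encode("utf-16-le") + b"\x00\x00"])

if __name__ == "__main__":
    print("benign :", suspicious_paths(BENIGN_LNK))
    print("exploit:", suspicious_paths(EXPLOIT_LNK))
```

To sweep a mounted stick, feed every *.lnk found by os.walk to suspicious_paths and treat a ValueError as a finding in its own right, since a shortcut that will not parse is not one Windows wrote. The heuristic is deliberately narrow: it does not look at the unaffected parts of the file, and a legitimate applet shortcut that names a .cpl under the Windows directory passes.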

The real rub in this issue is that these basic security and compliance controls may not be present in utilities, and attackers will use this to their advantage. Change to the environment will not come quickly, unfortunately, because some continue to argue against it. Control systems specialists, for example, often try to defend control gaps as another form of control, necessary for safety:

One workaround that Siemens users should avoid, however, is changing the default passwords on their control systems, warned control systems expert Joe Weiss, writing on his blog. “Microsoft wants default passwords changed — standard IT policy — while Siemens is telling its customers not to change the default passwords as it could cause problems,” he said.

The disconnect highlights how in control environments, safety — not security — comes first, he said. “The IT folks do not understand why anybody would want to keep a default or hardcoded password as an emergency back door. IT in enterprises, outside of banking, simply doesn’t have real-time emergencies.”

This is very wrong. I could give obvious examples of enterprise IT that has real-time emergencies outside of banking and utilities (e.g. health care). More to the point, however, even an emergency back door can be set up in a controlled fashion. A vendor default password should not be confused with the need, and the option, for an emergency back door. Role-based access is the difference. Only some people should be authorized to use the back door, and every use of it should be monitored and logged. It stands to reason that a back door anyone can access, without an audit trail, actually increases the risk of a real-time emergency.
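What a controlled emergency back door looks like in code, as an added example that is not from the original post or from Siemens or any other control-system vendor: the secret is released only to named roles, a reason is required, access expires, and every attempt (granted or denied) lands in a hash-chained audit trail so that a deleted or edited record is detectable. All names here (roles, users, the credential, the timestamps) are hypothetical and constructed for the demo.

```python
"""Break-glass access as a control: named roles, a reason, an expiry and a
tamper-evident audit trail. Added example; all names are hypothetical."""
import hashlib
import json
import time

GENESIS = "0" * 64  # chain anchor for the first audit record


class BreakGlass:
    def __init__(self, authorized_roles, credential, ttl_seconds=900):
        self.authorized_roles = frozenset(authorized_roles)
        self._credential = credential      # the back-door secret, never a vendor default
        self.ttl = ttl_seconds
        self.audit_log = []                # JSON lines, each hashed over the previous
        self._head = GENESIS

    def _record(self, event):
        event["prev"] = self._head
        line = json.dumps(event, sort_keys=True)
        self._head = hashlib.sha256(line.encode()).hexdigest()
        self.audit_log.append(line)

    def request(self, user, roles, reason, now=None):
        """Every attempt is logged; only an authorized role with a reason gets the secret."""
        now = time.time() if now is None else now
        granted = bool(self.authorized_roles & set(roles)) and bool(reason.strip())
        self._record({"ts": now, "user": user, "roles": sorted(roles),
                      "reason": reason, "granted": granted})
        if not granted:
            return None
        return {"credential": self._credential, "expires": now + self.ttl}

    def verify_log(self):
        """Recompute the chain; a deleted or edited record breaks it."""
        prev = GENESIS
        for line in self.audit_log:
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return prev == self._head


def demo():
    """Constructed walk-through: one authorized engineer, one unauthorized operator,
    then an attempt to erase the denied request from the log."""
    door = BreakGlass(authorized_roles={"plant-engineer"},
                      credential="emergency-pw", ttl_seconds=600)
    ok = door.request("alice", {"plant-engineer"}, "PLC-7 unresponsive, manual override", now=1000)
    denied = door.request("bob", {"operator"}, "curious", now=1010)
    intact = door.verify_log()
    door.audit_log.pop()               # erase the denied attempt
    return ok, denied, intact, door.verify_log()


if __name__ == "__main__":
    print(demo())
```

In a real deployment the chain head would be published somewhere the plant floor cannot rewrite (a remote syslog or a write-once store), which is what turns "logged" into "monitored"; the in-memory list here only shows the property.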

P.S. Kudos again to Microsoft for a thorough and highly useful report on the update as well as the vulnerability. Customers benefit greatly from this exchange of information.

Compare Microsoft’s excellent work with the current method used by Google, as demonstrated by the update report for a High Risk vulnerability in Chrome:

[$500] [43813] High Issue with large canvases. Credit to sp3x of SecurityReason.com.

Imagine if Microsoft had posted only “[2568] Critical Issue with Shell. Credit to Stux.”