A recent French film called “Et Soudain Tout le Monde Me Manque” (And Suddenly I Miss Everybody) is peppered with comedic security issues. From the anonymity lost in a simple cup of coffee to the risk from x-rays taped to a window…I don’t think the film was meant to be a study but it raises some funny examples that are worth considering.
It was released to the English-speaking market as “The Day I Saw Your Heart”
What better thing to do on Sunday then read and then comment on a blog post about breaking the compliance rules of Shabbat? Bromium’s Tal Klein, a self-proclaimed Bromide, provides an amusing look at religious rule-breaking:
Enter the Shabbat industry: an entire business model dedicated to keeping devout Jews in compliance with divine policy while creatively circumventing it – in search of enablement (there’s even Shabbat toilet paper).
So when IT decides to play Moses and declare a policy or implement software that puts users in a box, the expectation should be that users will find a creative way around it (and that the bad guys will find a way in), all while ostensibly in-policy.
Tal makes a typical point; to put it simply, water flows downhill so if you try and block the water you can expect it to try and flow around.
My first issue with this line of reasoning is that it over-simplifies the compliance market. Of course it is easy to say enabling is preferred to disabling, but that’s a false dichotomy. Disabling unnecessary and unused services can be justified, for example, because it reduces harm with no expected workaround or demand for flow around. It’s like finding a leaky board in a ship everyone is sailing on. Yet, Tal seems to suggest that this would be like “pretending to know what’s actually happening” and he portrays compliance as lagging and behind:
Policy can’t be a shackle. Compliance standards are by their very nature at least a generation behind modern technology. We can’t predict what users will need in order to do their jobs tomorrow, so we shouldn’t force them to work in a whitelisted box – doing so is pretending to know what’s actually happening. No enforcement can be tough enough to stop the tide of ingenuity. Not whitelisting, not remote wipe, not MDM, not DLP, not VDI. People want to go up to their floor on Shabbat, and they don’t want to take the stairs.
Back to the water analogy, stopping the flow (assuming that is the real intent) involves knowing a lot about issues involved, just like when building a dam. There are benefits to creating a box and stopping flow — disablement. Those who assess the effectiveness of the controls can in fact know a lot about harnessing the power of creative forces, as illustrated below.
Tal says that “…no enforcement can be tough enough to stop the tide…” but obviously, just like building a dam, economic and political factors influence the success of compliance more than engineering issues. The “tough” enforcement is often a question of resolve rather than technical prowess. Moreover, regulators usually do not race towards the latest technology precisely because all those who are regulated also do not race towards it; it is a commonality of acceptance rather than the choices of a few outliers that defines progress. A compliance market definitely is not as simple as a decision whether to make policy a “shackle” or not.
My second issue extends from this first point. A perfect example of the complexities of compliance is the assessment of harm. This is not a failure of compliance “awareness” but rather a burden placed on regulators by those who are regulated. Tal’s conclusion “People want to go up to their floor on Shabbat, and they don’t want to take the stairs” is an example that begs the question “so what?” The impact of elevator versus stairs for those who can use either without any consequence to themselves or anyone else is a false and mostly meaningless dichotomy (with the exception of those who can’t take the stairs). Consider instead the recent compliance case of Chevron
Federal authorities have opened a criminal investigation of Chevron after discovering that the company detoured pollutants around monitoring equipment at its Richmond refinery for four years and burned them off into the atmosphere, in possible violation of a federal court order…
Pollution is by definition harmful, unlike a soft question of stairs versus elevator and what people want. The pollution question becomes how to use compliance to spur innovation and reduce risk of harm or known harm that can have a very lasting effect.
Caterpillar in the early 2000s provide an excellent counter-example. They created more than 500 patents on clean diesel to reduce documented illness and absence for those involved in heavy machinery operations. The reduced sick-time and increased productivity was the result of a compliance framework that altered the market enough to allow for innovation — polluting was made less economically advantageous. Earlier this year the company thus cited their innovation as a partnership with regulators; both working together improve the overall result.
“For Caterpillar, it’s fitting that we’re celebrating cutting-edge technology in California as this state is the birthplace of Caterpillar innovation” […] “Today we’re marking another transformation in the industry: engines that offer our customers superior performance at near zero emissions.”
You might even say Caterpillar was doing what Bromium is positioning itself to do — bring to market a cleaner and lower-risk user experience due to compliance requirements for the same. Keep this in mind when you read Chevron’s response to the investigation of their bypass pipe:
Federal criminal investigators are trying to determine who at Chevron was aware of the bypass pipe and whether the company used it intentionally to deceive air-pollution regulators. Chevron says its use was inadvertent…
Bruce Schneier’s recent book, Liars & Outliers, gives a long and detailed analysis of this phenomenon. People often break out of group and social boundaries, resisting conformance and compliance. Their groups tolerate this in many contexts where there is some benefit but when there is harm…compliance does sometimes actually slam the door shut. An inadvertent pollution pipe will not be rewarded as innovative under societal/regulatory standards, yet it would be under Tal’s post.
There’s a nuanced relationship rather than a simple case of regulators always being “behind” or “pretending”. Often regulators understand risk more broadly than those they have to reign in for the same reason they can predict consequences better than any individual user. Regulators often see the forest for the trees, working across many different needs, which allows them to bring innovation frameworks to those regulated. One of the reasons for this complex relationship is because regulations and compliance tend to be centred around risk management; they account for some principle of consequence/harm both for the individual and groups.
So rather than just throw our hands up on compliance because user ingenuity always wins we should continue to study methods and science of stopping a tide with the aim of finding and improving the natural balance. A measured approach to compliance can be a powerful generator of ingenuity that also is beneficial to groups of users.
Tal concludes with “The challenge, then, is to develop a security policy around enablement, not the other way around.”
We have many examples of innovation in security where enablement was built around security policy. What benefit comes if we reverse this? Why not use policy to define the need for security and generate demand for Bromium? Policies of preventing and detecting breaches, for example, were not developed around enablement but still stimulated innovation in sandboxes and segmentation.
Back to Tal’s analogy of religious Jews and compliance, and to put it in terms of the famous Israeli philosopher Martin Buber, the key is perhaps to think of regulators and users as less of an Ich-Es relationship and more an Ich-Du.
Those who work together generate balanced policy, those who work opposed have imbalanced policy. Balanced policy can shackle harm while still enabling innovation. Benefits even can come from stopping a tide, with ingenuity and positive innovation being one of them:
Beaver Lodge, Richard Orr (c) Dorling Kindersley
On this day in 1863, two and a half years after the start of the Civil War, hundreds of pro-slavery Confederates led by Captain William Quantrill disguised themselves as Federal soldiers, then ambushed and killed more than 50 Wisconsin men stationed in “Bloody Kansas”.
Amongst the killed were the brigade band’s 11 men. Several of them had been pinioned to the band wagon by swords driven through them while still alive and the wagon then set afire. Among these served in this way were T.L. Davis, of Platteville, and Johnny Fritz a 15-year-old drummer boy; a sword had been driven through his thigh and then into the woodwork of the wagon.
Quantrill’s group was known to not only torture and burn men alive but kill them even after surrender. Quantrill himself had earned a reputation as a liar and spy.
By the end of 1863 his methods were a clear burden to the Confederate Army, which had to assign soldiers to protect civilians from his men. He eventually was arrested in Texas by a Confederate General in early 1864 on charges of ordering the murder of an officer.
Civilians were accosted, homes were broken into, church steeples were shot up, and a Confederate recruiting officer, Major George N. Butts, was found shot to death on the side of a road. “They regard the life of a man less than you would that of a sheep-killing dog,” said [General] McCulloch. “I regard them but one shade better than highwaymen.” In Sherman, drunken guerrillas rode their horses into a hotel lobby and shot out the gaslights.
Quantrill easily escaped arrest by McCulloch and then tried to continue his style of guerrilla raids, leading men like Jesse James on campaigns North and East of Texas. He was shot in 1865, as he claimed he wanted to march on the US President, and died while in a hospital.
The title of this post comes from a quote on Plugincars.com.
The analyst says no one expects Volvo to sell many plug-in electric-diesel hybrid cars despite a 117mpg rating (I’ve read claims of 149mpg elsewhere) and 30 mile range on the electric motor. The US$70K might be the problem, but the site also points out it’s less expensive than a Lexus. And the Lexus engineers only offer 40mpg with their hybrid!
T3 offers the following conclusion:
The V60 is every bit the luxury car and despite government grants beyond most budgets, but with exceptional energy savings, zero road tax, congestion charge and reduced fuel costs it should be a no-brainer for company car drivers who want power and their bosses who crave efficiency.
An all-wheel-drive, plug-in electric-diesel hybrid full-size luxury car that goes 0-60 in 6 seconds yet stays over 100mpg? Are you kidding me? I’ll take ten.
Dear Volvo, I would buy one and I know many others who would too…just tell me, what will it take for us to get it in America?
