Byte Wars 169
Byte Wars: The Impact of September 11 on Information Technology | |
author | Edward Yourdon |
pages | 300 |
publisher | Prentice Hall |
rating | 7 |
reviewer | Peter Wayner |
ISBN | 0130477257 |
summary | Plainspoken but fear-centric advice for reducing the dangers of vandals or terrorists to online systems. |
My friend who nodded as if this was the same game he played every day in the courtroom. If no one knew what was going to happen, the jury's instincts could be manipulated with a mixture of fear, sympathy and tribalism. Juries were always afraid of watching a good, relatively innocent man lose everything, he explained. Corporate executives were just as worried of the same thing happening to them.
The Y2K binge is long gone and the biggest effect on computers seems to be found in the bits representing the bank accounts of Y2K consultants. Gimmicks may fade but human nature and human fear remains the same. The destruction of the World Trade Center has given new life to the fear mongers who worry that someone may obliterate our electronic infrastructure. Edward Yourdon, the old school computer consultant who made plenty of noise about Y2K, is back with another book, Byte Wars: The Impact of September 11th on Information Technology .
When I say old school, I mean that he started programming and writing about programming in the mid 1970s and this shows in the way he spells ( "Obe Wan Kenobee") and talks about "paradigm shifts" instead of "memes." He comes from the age group that decided how much to spend on Y2K and he knows how to talk to the group that will control how much we spend on our fears of terrorism.
There is no mention of his record on Y2K on the book cover or the biography, but if you're interested, the net never forgets. The book does mention the scary days of December 1999 a bit in passing, but only to note that there was "very little awareness in the media" that some "small organizations did suffer moderate-to-severe Y2K problems." He also notes with some pride that many companies survived the turmoil after the World Trade Center attack because they made so many preparations for the turn of the millennium.
This time around Yourdon is blessed with a much more concrete threat and this both helps and hurts his cause. On one hand, no one can debate the power of airplanes as weapons in the same way we can still debate whether Y2K would make a difference to embedded controllers. On the other hand, it's not really clear what the latest attacks have to do with computer networks. He even notes that the DOD's computers were relatively unhurt by the destruction of the Pentagon. How many web sites or e-commerce sites can anyone knock out with a box cutter? One company I knew with offices on the 81st floor of the World Trade Center used a co-lo facility that survived. Their web site kept on pumping out hits even after their entire office turned to dust.
Yourdon dodges all of this by being politely vague and abstract. His chapter on risk management, for instance, counsels that we should find a "realistic assessment of risks" and weigh the probability against the danger. If we develop a process to deal with the risk, then we can ensure that the risks are shared between the stakeholders. Most of the chapter could have been written at any time about any risk , but he makes it all a bit more current by including a few references to kamikaze players who are shifting the paradigm.
Some of his advice gets so abstract that it's hard to know exactly what he is suggesting. He tells us to "examine the practical impact of increased security and decreased privacy." To him, that means warning people who rely upon the social freedom of "don't ask, don't tell" to realize that so much information about us will eventually be documented by the new security state. "Now is the time to think about such matters, not two or three years from now when you suddenly find that you can't get a job, or can't buy a house in a particular neighborhood." Should we rise up or acquiesce? Which side is he on? I'm still not sure. He does such a good job playing to everyone's fears.
Occasionally, he doles out some practical advice that is close to the needs of managers worried about the aftereffects of 9/11. We are told that terrorists may be posing as "ordinary employees" or even government employees who've "risen to high levels of trust and authority." He reminds us that "hardly anyone watches the programmers." Is some terrorist slipping in a buffer-overflow loophole? Or maybe just a crook? One of the most practical suggestions is that corporations should do more code reviews.
He's also hip to some of the latest intellectual fads. Emergent organisms like Napster can be useful and resilient. He's a big fan of empowering employees by cutting away bureaucracy so the organization can evolve some emergent intelligence. Of course, we must also be ready for more scrutiny from the security bureaucracy checking to ensure that the emergent organism isn't evolving buffer-overflow backdoors. This gets a bit confusing and he waves away much of conflict with abstract calls for balance.
In the end, Yourdon can't offer many answers because there aren't many answers to give. We had risks, terrorism, info warfare, bombs and whatnot before September 11th and we'll meet them again despite the security. Anarchists detonated a horse powered wagon filled with explosives in front of the NY Fed in the 1920s. Not much has really changed and the book ends up being a distilled version of the inchoate fears that haunt us.
The real challenge is determining how much fear we should have. Yourdon is far from the only person who automatically assumes that the attacks on New York mean more attention to cybersecurity. All of the major beltway consultants near Washington are gearing up with the new tools. The more I read the book, the more I began wondering why. Why do some kamikaze hijackers mean that the web needs to be locked down? Who really has time to worry about some al Queda l33t d00dz owning my site when so many people are dying true deaths that can't be fixed with backup tapes?
At the end of one of the chapters, Yourdon exhorts us to get our act together and secure our home computers. Our old, pre-9/11 computing style was equivalent to "living in a house with the doors and windows wide open", he says, something that was "a pleasant way to live if you were in a small town in the 1950s."
Ah, the 50s. He and everyone else should rent a copy of George Lucas's pre-Star Wars classic, "American Graffiti." In one scene, the teenagers cheerfully drop a cherry bomb down the school's toilet. In another, they destroy a police car by wrapping a chain around the rear axle. The laugh track blessed both events in the movie, but all of us know that they would bring out the SWAT teams today.
The movie managed to avoid much of the discussion about Eisenhower, Francis Gary Powers, the Russian H-Bomb, or any of the other fears rippling down our spines. The 50's seem so much more fun after editing out the fact that the Russians had (and still have) fusion bombs on the tips of missiles. No amount of frisking by airport security can keep them out of our airspace. Yet we survived and managed to laugh about kids trashing police cars.
Another solution is not to quiver and worry about Osama bin Hacker's script kiddies. We can redefine the terms of engagement in much the same way that the cops in the "American Graffiti" just laughed at those impish kids. Hacked web sites are easy to restore if you have adequate backups. Denial of service attacks from zombies on cable modems sound threatening, but they rarely last longer than Friday evening rush hour.
It's hard to argue with much of the plainspoken, largely abstract advice offered by Yourdon. All of it makes good sense. The harder problem is finding the right attitude to carry us through the night. This book is filled with worry for our future and awe of the unseen l33t d00dz hiding under the bed. There are bits of light and a stab at optimism near the end, but most of the book trades on the thoughts that will keep us up well past midnight.
Peter Wayner has two resilient books emerging this spring: Translucent Databases , an exploration of database security, and Disappearing Cryptography: Information Hiding, Steganography and Watermarks , the second edition devoted to hiding secret messages in plain sight. You can purchase Byte Wars from bn.com. Want to see your own review here? Just read the book review guidelines, then use Slashdot's handy submission form.
How to Think about Security (Score:5, Insightful)
This is very useful. Damn Useful.
here is part of the info from the RFN story:
I love the insightful simplicity of the piece.Y, C, et al (Score:3, Insightful)
I don't imagine that there are many subjects that he doesn't feel qualified to write a book about.
Why-2k again? (Score:3, Insightful)
This author looks like the run-o'-the-mill fear-mongering sort that the media loves to trot out when they've got no real news to talk about. So why on earth are we hearing about him at all?
Hmmm.... Maybe I should start writing book reviews for Slashdot! "Review: Discourses of Epictetus, a rational look at the problems of today's world politics and our individual lives"... written only 1900 years ago!
-Rick
Previously predicted... (Score:5, Insightful)
- The end of the world in Y2K
Previously retracted...
- The end of the American programmer
- The end of the world in Y2K
The stuff on structured analysis and project managemetn is useful. That's about it.
sabotage through the internet is similar to (Score:3, Insightful)
money grab (Score:2, Insightful)
I mean security has always been an issue. Perhaps 9/11 is a wake-up call but surely we don't need a book to tell us that.
Does he consider the
Re:How to Think about Security (Score:5, Insightful)
Y2K played down too much (Score:3, Insightful)
Sure. But we weren't concerned about the average number of computers crashing, we were concerned about more computers crashing than normal. And these crashes being more difficult to fix than usual because so many people wrote their own (broken) date routines - there was no single point of failure. This could lead to cascade failures and it was not clear that any natural firebreaks existed to limit the damage.
The best analogy is probably the road net and accidents. You can usually handle a single big accident without a problem. Even two. But at some point you have so many accidents that the system can't cope. But even one really bad accident can shut down traffic citywide for hours, e.g., the torpedo spill at the intersection of I-25 and I-70 in Denver.
We saw this phenomenum in action after 9/11, when the air traffic system shut down, and later when there was the anthrax scare.
Was Y2K oversold? Of course, but the worst offenders were non-techies pushing their own questionable goods or techies trying to reach management too focused on a 6- or 12-month window.
Good marketing (Score:3, Insightful)
To sell you have two fundamental resources to use:
- utility
or
- emotion (fear and safety being the 2 best).
If you use any of the above 2 you will see all advertisements and call to actions are based on it.
In this instance fear.
Buffer Overflow or Backhoe? (Score:3, Insightful)
Osama isn't employing hackers OR script kiddies, he's employing desert fighters whose expertise is real-world destruction.
Adding in safegaurds against buffer overflows may be a perfectly good idea, but it won't matter a whit to a terrorist bend on causing damage to the Internet.
Re:Why-2k again? (Score:2, Insightful)
Eh? (Score:3, Insightful)
terrorism == loss of human life != hacking (Score:5, Insightful)
Okay, terrorism is targetting and attacking unarmed civilians in order to create fear and terror on a large scale. (ie, detonating a bomb in a crowded restaurant).
It doesn't have anything to do with hacking computers. The terms "online terrorism" and "cyberterrorism" are meaningless and maybe even insulting to victims of real terrorism.
Terrorism isn't a blanket term for everything that's disruptive and annoying. I don't feel "terror" if the internet is subverted by al Queda hackers, or the 14-year next door for that matter.
Let's not dilute the meaning of the word.. It's enough we have idiots creating phrases like "industrial terrorism".
We already have a word for breaking into computers: hacking (or, uh, cracking).
BINGO! New game idea for "Post-9/11" (Score:5, Insightful)
How about a new one for playing in the car or reading the paper? Marking off stuff like cars that have fifteen american flags on them. Or reading some off the wall article that has sudden relevence because of the "Post-9/11 Era." Or discussing the way it is impacted by the "War on Terror."
Bonus points for stores that put "God Bless America!" signs up, not only in their windows but on that giant illuminated sign with the two golden arches on it.
Sorry to be overly cynnical; it's a nice thought... but it really seems to ringing hollow now. People have just gone on about their comporate business, even if they have "heightened insecurity" in their personal lives. This book probably has interesting info in it, but now everybody is marketing it with "a sense of urgency due to the new world we live in."
If I hear "In the wake of September 11th..." one more time, I'm gonna punch a broadcaster in the nose.
Now if you'll pardon me, in the wake of my bottled water and NutriGrain bar breakfast, I'm going to get a hot bowl of soup for lunch in downtown Cleveland.
Re:sabotage through the internet is similar to (Score:2, Insightful)
I think you're absolutely right, and yet I also think I'm beginning to hate how cynical statements like that sound and how cynical I must have somehow become in agreeing with statements like that.
I would like to point out, however, that sabotage through the internet is very unlike a suicide bomber in that provided you are not caught, a would-be saboteur could feasibly sabotage again, and again, and again. Successful suicide bombers have but one shot to hurt people.
I am quite convinced that because of this, despite the new fear experienced by many post-9.11, suicide bombers are still the least of our immediate first-world worries.
Re:BINGO! New game idea for "Post-9/11" (Score:2, Insightful)
Pardon me for asking, but ... (Score:3, Insightful)
I was wondering how a book that hasn't been published yet can be "resilient." Perhaps the cover is made of steel-reinforced concrete? Titanium? Galvanized rubber?
Utterly absurd (Score:1, Insightful)
Two things which closet fascists would like to see defined as 'terrorism': (1) hacking, (2) kids in balaclavas throwing rocks through Niketown's windows. Both are vandalism. Let's try to keep some sense of perspective here... terrorists use munitions, and terrorists kill.