Byte Wars

Peter Wayner writes: "A friend of mine who works as a public defender knows a thing or two about selling fear to the jury filled with doubts. Several months before December 31st, 1999, he asked me if we should be worried about the Y2K disasters. My answer was: The machines crash every day. Why should it matter if it happens on December 31st?" This time around though, the fears are of a different nature and scope: Peter reviews below Edward Yourdon's latest book Byte Wars, one aimed at everyone concerned about online terrorism in the post-9/11 climate.

Byte Wars: The Impact of September 11 on Information Technology
author	Edward Yourdon
pages	300
publisher	Prentice Hall
rating	7
reviewer	Peter Wayner
ISBN	0130477257
summary	Plainspoken but fear-centric advice for reducing the dangers of vandals or terrorists to online systems.

My friend who nodded as if this was the same game he played every day in the courtroom. If no one knew what was going to happen, the jury's instincts could be manipulated with a mixture of fear, sympathy and tribalism. Juries were always afraid of watching a good, relatively innocent man lose everything, he explained. Corporate executives were just as worried of the same thing happening to them.

The Y2K binge is long gone and the biggest effect on computers seems to be found in the bits representing the bank accounts of Y2K consultants. Gimmicks may fade but human nature and human fear remains the same. The destruction of the World Trade Center has given new life to the fear mongers who worry that someone may obliterate our electronic infrastructure. Edward Yourdon, the old school computer consultant who made plenty of noise about Y2K, is back with another book, Byte Wars: The Impact of September 11th on Information Technology .

When I say old school, I mean that he started programming and writing about programming in the mid 1970s and this shows in the way he spells ( "Obe Wan Kenobee") and talks about "paradigm shifts" instead of "memes." He comes from the age group that decided how much to spend on Y2K and he knows how to talk to the group that will control how much we spend on our fears of terrorism.

There is no mention of his record on Y2K on the book cover or the biography, but if you're interested, the net never forgets. The book does mention the scary days of December 1999 a bit in passing, but only to note that there was "very little awareness in the media" that some "small organizations did suffer moderate-to-severe Y2K problems." He also notes with some pride that many companies survived the turmoil after the World Trade Center attack because they made so many preparations for the turn of the millennium.

This time around Yourdon is blessed with a much more concrete threat and this both helps and hurts his cause. On one hand, no one can debate the power of airplanes as weapons in the same way we can still debate whether Y2K would make a difference to embedded controllers. On the other hand, it's not really clear what the latest attacks have to do with computer networks. He even notes that the DOD's computers were relatively unhurt by the destruction of the Pentagon. How many web sites or e-commerce sites can anyone knock out with a box cutter? One company I knew with offices on the 81st floor of the World Trade Center used a co-lo facility that survived. Their web site kept on pumping out hits even after their entire office turned to dust.

Yourdon dodges all of this by being politely vague and abstract. His chapter on risk management, for instance, counsels that we should find a "realistic assessment of risks" and weigh the probability against the danger. If we develop a process to deal with the risk, then we can ensure that the risks are shared between the stakeholders. Most of the chapter could have been written at any time about any risk , but he makes it all a bit more current by including a few references to kamikaze players who are shifting the paradigm.

Some of his advice gets so abstract that it's hard to know exactly what he is suggesting. He tells us to "examine the practical impact of increased security and decreased privacy." To him, that means warning people who rely upon the social freedom of "don't ask, don't tell" to realize that so much information about us will eventually be documented by the new security state. "Now is the time to think about such matters, not two or three years from now when you suddenly find that you can't get a job, or can't buy a house in a particular neighborhood." Should we rise up or acquiesce? Which side is he on? I'm still not sure. He does such a good job playing to everyone's fears.

Occasionally, he doles out some practical advice that is close to the needs of managers worried about the aftereffects of 9/11. We are told that terrorists may be posing as "ordinary employees" or even government employees who've "risen to high levels of trust and authority." He reminds us that "hardly anyone watches the programmers." Is some terrorist slipping in a buffer-overflow loophole? Or maybe just a crook? One of the most practical suggestions is that corporations should do more code reviews.

He's also hip to some of the latest intellectual fads. Emergent organisms like Napster can be useful and resilient. He's a big fan of empowering employees by cutting away bureaucracy so the organization can evolve some emergent intelligence. Of course, we must also be ready for more scrutiny from the security bureaucracy checking to ensure that the emergent organism isn't evolving buffer-overflow backdoors. This gets a bit confusing and he waves away much of conflict with abstract calls for balance.

In the end, Yourdon can't offer many answers because there aren't many answers to give. We had risks, terrorism, info warfare, bombs and whatnot before September 11th and we'll meet them again despite the security. Anarchists detonated a horse powered wagon filled with explosives in front of the NY Fed in the 1920s. Not much has really changed and the book ends up being a distilled version of the inchoate fears that haunt us.

The real challenge is determining how much fear we should have. Yourdon is far from the only person who automatically assumes that the attacks on New York mean more attention to cybersecurity. All of the major beltway consultants near Washington are gearing up with the new tools. The more I read the book, the more I began wondering why. Why do some kamikaze hijackers mean that the web needs to be locked down? Who really has time to worry about some al Queda l33t d00dz owning my site when so many people are dying true deaths that can't be fixed with backup tapes?

At the end of one of the chapters, Yourdon exhorts us to get our act together and secure our home computers. Our old, pre-9/11 computing style was equivalent to "living in a house with the doors and windows wide open", he says, something that was "a pleasant way to live if you were in a small town in the 1950s."

Ah, the 50s. He and everyone else should rent a copy of George Lucas's pre-Star Wars classic, "American Graffiti." In one scene, the teenagers cheerfully drop a cherry bomb down the school's toilet. In another, they destroy a police car by wrapping a chain around the rear axle. The laugh track blessed both events in the movie, but all of us know that they would bring out the SWAT teams today.

The movie managed to avoid much of the discussion about Eisenhower, Francis Gary Powers, the Russian H-Bomb, or any of the other fears rippling down our spines. The 50's seem so much more fun after editing out the fact that the Russians had (and still have) fusion bombs on the tips of missiles. No amount of frisking by airport security can keep them out of our airspace. Yet we survived and managed to laugh about kids trashing police cars.

Another solution is not to quiver and worry about Osama bin Hacker's script kiddies. We can redefine the terms of engagement in much the same way that the cops in the "American Graffiti" just laughed at those impish kids. Hacked web sites are easy to restore if you have adequate backups. Denial of service attacks from zombies on cable modems sound threatening, but they rarely last longer than Friday evening rush hour.

It's hard to argue with much of the plainspoken, largely abstract advice offered by Yourdon. All of it makes good sense. The harder problem is finding the right attitude to carry us through the night. This book is filled with worry for our future and awe of the unseen l33t d00dz hiding under the bed. There are bits of light and a stab at optimism near the end, but most of the book trades on the thoughts that will keep us up well past midnight.

---

Peter Wayner has two resilient books emerging this spring: Translucent Databases , an exploration of database security, and Disappearing Cryptography: Information Hiding, Steganography and Watermarks , the second edition devoted to hiding secret messages in plain sight. You can purchase Byte Wars from bn.com. Want to see your own review here? Just read the book review guidelines, then use Slashdot's handy submission form.

How to Think about Security

[Alien54]

as I saw yesterday on RFN [radiofreenation.net], , Bruce Schneier [counterpane.com] has an interesting piece in the latest issue of CryptoGram [counterpane.com] has an interesting article entitled How to Think about Security [counterpane.com]"

This is very useful. Damn Useful.

here is part of the info from the RFN story:

Here is

Bruce Schneier [counterpane.com]'s five step process, in brief.

This five-step process works for any security measure, past, present, or future:

1. What problem does it solve?
2. How well does it solve the problem?
3. What new problems does it add?
4. What are the economic and social costs?
5. Given the above, is it worth the costs?

Take step one above, for example. Here is part of Schneier's comment on it:

Step one: What problem does the security measure solve? You'd think this would be an easy one, but so many security initiatives are presented without any clear statement of the problem. National ID cards are a purported solution without any clear problem. Increased net surveillance has been presented as a vital security requirement, but without any explanation as to why.

I love the insightful simplicity of the piece.

Y, C, et al

[rot26]

IIRC, Yourdon is something of an egomaniac.

I don't imagine that there are many subjects that he doesn't feel qualified to write a book about.

Why-2k again?

[rdmiller3]

This review was very well done. I especially appreciated the link back to some of the author's previous (and now, dubious) work. Heh, heh, heh... Give that man a "5" for "funny"!

This author looks like the run-o'-the-mill fear-mongering sort that the media loves to trot out when they've got no real news to talk about. So why on earth are we hearing about him at all?

Hmmm.... Maybe I should start writing book reviews for Slashdot! "Review: Discourses of Epictetus, a rational look at the problems of today's world politics and our individual lives"... written only 1900 years ago!

-Rick

Previously predicted...

[PHAEDRU5]

- The end of the American programmer
- The end of the world in Y2K

Previously retracted...

- The end of the American programmer
- The end of the world in Y2K

The stuff on structured analysis and project managemetn is useful. That's about it.

sabotage through the internet is similar to

[Mr. Asdf]

suicide bombers. anyone who puts in the effort can do it. the reason or planet generally survives this is because the vast majority of people are not this way. I personally am in a position such that with the click of a few buttons, or by rewriting one line of code i could cause tens of millions of dollars of damage to multiple production facilities around the world. i probably could even injure people if i got the timing right. but I could just as easily strap on some bombs and detonate myself on a crowded subway too. yet i'm fairly certain i'll never do these things. but surely someone out there will, and we'll just have to deal with it, like we always do.

money grab

[jest3r]

Isn't this yet another example of someone trying to cash-in from 9/11?

I mean security has always been an issue. Perhaps 9/11 is a wake-up call but surely we don't need a book to tell us that.

Does he consider the /. effect cyberterrorism or free publicity?

Re:How to Think about Security

[volsung]

Forget security measures. The process you describe should be applied to every proposed solution to just about any problem, regardless of whether it relates to security, technology, or politics.

Y2K played down too much

[coyote-san]

"Computers crash every day...."

Sure. But we weren't concerned about the average number of computers crashing, we were concerned about more computers crashing than normal. And these crashes being more difficult to fix than usual because so many people wrote their own (broken) date routines - there was no single point of failure. This could lead to cascade failures and it was not clear that any natural firebreaks existed to limit the damage.

The best analogy is probably the road net and accidents. You can usually handle a single big accident without a problem. Even two. But at some point you have so many accidents that the system can't cope. But even one really bad accident can shut down traffic citywide for hours, e.g., the torpedo spill at the intersection of I-25 and I-70 in Denver.

We saw this phenomenum in action after 9/11, when the air traffic system shut down, and later when there was the anthrax scare.

Was Y2K oversold? Of course, but the worst offenders were non-techies pushing their own questionable goods or techies trying to reach management too focused on a 6- or 12-month window.

Good marketing

[moankey]

I remember back in college that was what marketing instructors would say religiously.
To sell you have two fundamental resources to use:
- utility
or
- emotion (fear and safety being the 2 best).

If you use any of the above 2 you will see all advertisements and call to actions are based on it.
In this instance fear.

Buffer Overflow or Backhoe?

[caudron]

Combating terrorism isn't about protecting against sophisticated attacks. It's about protecting against very cheap, very simple attacks that have wide-reaching effects. They are FAR more likely to backhoe a cable or bomb a server location than to try hacking into it.

Osama isn't employing hackers OR script kiddies, he's employing desert fighters whose expertise is real-world destruction.

Adding in safegaurds against buffer overflows may be a perfectly good idea, but it won't matter a whit to a terrorist bend on causing damage to the Internet.

Re:Why-2k again?

[commonchaos]

This has got to be the best book review I have read in at least a year... Even my short attention span could not distract me from it. He hit the nail on the head when he talked about the "fear-mongering" that goes on.

Eh?

[MisterBlister]

People still read Edward Yourdon's books? Hasn't this sensationalist fear-monger been discredited enough? If I were him, I'd change my name and/or move to a non-industrial country in shame...

terrorism == loss of human life != hacking

[Dr. Awktagon]

Okay, terrorism is targetting and attacking unarmed civilians in order to create fear and terror on a large scale. (ie, detonating a bomb in a crowded restaurant).

It doesn't have anything to do with hacking computers. The terms "online terrorism" and "cyberterrorism" are meaningless and maybe even insulting to victims of real terrorism.

Terrorism isn't a blanket term for everything that's disruptive and annoying. I don't feel "terror" if the internet is subverted by al Queda hackers, or the 14-year next door for that matter.

Let's not dilute the meaning of the word.. It's enough we have idiots creating phrases like "industrial terrorism".

We already have a word for breaking into computers: hacking (or, uh, cracking).

BINGO! New game idea for "Post-9/11"

[Geek In Training]

I'm sure many of you have played "Bullshit Bingo," AKA Buzzword Bingo, where you go to meetings and mark off words and phrases such as "Going Forward," "Core Business," "Changing Paradigms," etc.

How about a new one for playing in the car or reading the paper? Marking off stuff like cars that have fifteen american flags on them. Or reading some off the wall article that has sudden relevence because of the "Post-9/11 Era." Or discussing the way it is impacted by the "War on Terror."

Bonus points for stores that put "God Bless America!" signs up, not only in their windows but on that giant illuminated sign with the two golden arches on it.

Sorry to be overly cynnical; it's a nice thought... but it really seems to ringing hollow now. People have just gone on about their comporate business, even if they have "heightened insecurity" in their personal lives. This book probably has interesting info in it, but now everybody is marketing it with "a sense of urgency due to the new world we live in."

If I hear "In the wake of September 11th..." one more time, I'm gonna punch a broadcaster in the nose.

Now if you'll pardon me, in the wake of my bottled water and NutriGrain bar breakfast, I'm going to get a hot bowl of soup for lunch in downtown Cleveland.

Re:sabotage through the internet is similar to

[Liora]

I think you're absolutely right, and yet I also think I'm beginning to hate how cynical statements like that sound and how cynical I must have somehow become in agreeing with statements like that.

I would like to point out, however, that sabotage through the internet is very unlike a suicide bomber in that provided you are not caught, a would-be saboteur could feasibly sabotage again, and again, and again. Successful suicide bombers have but one shot to hurt people.

I am quite convinced that because of this, despite the new fear experienced by many post-9.11, suicide bombers are still the least of our immediate first-world worries.

Re:BINGO! New game idea for "Post-9/11"

[t_allardyce]

yep, the only way people are going to stop all of this "in the wake of september 11th" stuff is if something bigger happens. Personally i just don't think a massive electronic attack is going to cut it. Bin Laden wants everyone to know about his stunts, and lets face it, DoS'ing some servers and bringing a few routers down is just not going to get as much media attention as something more trendy like anthrax. What he could do, is use the EMP from a nuke to dissrupt something, that would be like killing 2 metophorical birds with one lump of plutonium

Pardon me for asking, but ...

[T1girl]

Peter Wayner has two resilient books emerging this spring

I was wondering how a book that hasn't been published yet can be "resilient." Perhaps the cover is made of steel-reinforced concrete? Titanium? Galvanized rubber?

Utterly absurd

[Anonymous Coward]

There is no such thing as 'online terrorism'. Period. Terrorism is a term with a well-defined meaning. American politicians and pundits have already misused many words (see "freedom", "democracy") to the point where they basically have no meaning any longer; they are merely cues which are used to evoke a vague emotional response of 'GOOD' or 'BAD' in a sheeplike populace. Let's please NOT take the word 'terrorism' and redefine it to mean "anything we don't like", ok? And how bout we stop tolerating those who use a single act of terrorism as a convenient excuse to destroy civil liberties and recreate America as a paranoid police state while we're at it?

Two things which closet fascists would like to see defined as 'terrorism': (1) hacking, (2) kids in balaclavas throwing rocks through Niketown's windows. Both are vandalism. Let's try to keep some sense of perspective here... terrorists use munitions, and terrorists kill.