Violent theft happens less often than theft- it’s a risk for the thief, requires more effort, and doesn’t result in much more reward. it’s still a crime of opportunity, but it’s not the same as pickpocketing. Mr Johnston’s statistic of 1,703 reports of violent theft in the Paris Metro is a very small fraction of the violent crime that occurs in Paris on any given day, and a much smaller fraction of the theft that occurs in the same amount of time.

Even if we just look at the ridership of the STIF itself, we’re talking about less than 0.04% of the daily users of the system (warning- link is to a PDF report) reporting violent theft in a year, and only 50% of that is related to what appears to be theft of smartphones. We’re talking about fractions of a percent, and most of these crimes are carried out by people who do this to “make a living” stealing and reselling objects of desire.

I think we’ve created this as a tangent of the supply and demand manipulation that goes on so readily in the consumer econo- Oh hey! A new iPad!

Just kidding.

While I’ll be the first to say that any violent crime is unwanted, I’m not sure that we can deter very much of it by making smartphones harder to resell after they’re stolen. This is akin to saying that we need a forensics team to prevent data breaches by ensuring that the people responsible get caught and given prison sentences. It’s only a deterrent if the would-be attacker sees it as one. While it’s true that we need forensics and incident handling, neither of those will act as a real deterrent to a motivated criminal- the same “it’ll never happen to me” mentality applies to them as it does to everyone else- Criminals are human.

As usual, the better answer is that mitigation and defence are as necessary as deterrence, and focusing too much on one is going to sacrifice the others. Especially when the focus is on technological deterrence.

Mitigation of theft and violent threats to individuals is tricky, though- it requires many of the same qualities that are needed in decent Infosec staff; vigilance, mindfulness, diligence, etcetera… Defence is harder, but it’s similar. It’s also hard for the same reasons that violent theft isn’t worth it. Go ahead and take a self defence course, though- learning a few things and practicing them might save you from trying to recover from the attack after it has happened, although the first thing most people who teach these classes will tell you is “give them what they want and get away, rather than risking assault”. Or, as another friend of mine put it “They practice the art of judonno- Ju Don’ no what I gat in ma pakit, so ya bettanat start su’n'” (read it aloud with a funny accent for kicks. It’ll make more sense). Basically, you don’t fight unless you have to because the defender is always at a disadvantage. It’s a better defence to just be aware of where the thugs are, and go back into mitigation mode, which means knowing how to spot the risks and avoid them (sound familiar?).

Violence is not something to trivialize, and violent theft needs to be mitigated as much as possible, but the smartphone isn’t the cause*, nor is it the catalyst**. Money and status is. If you really want to deter opportunistic violent theft and crime, your options on a personal level are pretty limited. You can use the basic “street sense” adages that a number of writers, self-defence “experts” and others recommend; even when the language is a little hard or direct, the ideas are still worth considering. Unfortunately, self-defence doesn’t solve the larger problems that cause this type of violence; those can only be solved by persistence, mindfulness and vigilance… on the part of the public at large and it’s various social institutions. Crime is ultimately reduced not by deterrence, but by the right kind of social involvement, education and public awareness.

* I’m not trying to say that Mr. Johnston is implying this in his article; that’s more like what a Fox News style reading of it would imply, though.
** In most cases. In situations where the attack is motivated by the attackers frustration or anger at annoying smartphone users this is obviously not the case. Thankfully, being an annoying smartphone user is still socially unacceptable, so these types of violence are rare.

I’ve kept it as a mantra for a couple of years, and it’s done me pretty well. Based on what Evan Prodromou just posted , I’m not the only one who feels this way.

It seems like quite a few people aren’t aware of what they can actually afford to lose in these games (and they are games, basically- you didn’t make the rules, there are other players, and you can lose).

Here’s a quick reminder:

“Having your business fail is harder. It’s not a joke, and it’s not fun. It is miserable. People lose their families, or go insane, or kill themselves.”

Yup.
Sure, most people get back up. Some get back on the startup bandwagon. Some don’t. It’s still hard, and it’s still unhealthy. I’m pretty sure there’s a better way, but I haven’t figured it out yet.

I think it might be worthwhile to point out that nobody ever says “I wish I had spent more time at work” on their deathbeds, even if they love their jobs. Maybe that will change when my generation start dying off in droves, but I seriously doubt it, even for the “startup types”.

So yeah, you should only bet what you can afford to lose. “yourself” and “forever” aren’t on that list.

Facebook’s new datacenter isn’t small. Facebook claims that it consumes a smaller amount of power than usual for the size it is, though. Based on some limited research, I think it’s a single source setup- their electricity comes from the big local electric company, Pacific Power. I also think that there wasn’t much of a choice for them. The other local operator is a co-op that just seems to buy MW/h blocks from Pacific and others. In terms of site selection, this leaves Facebook in a difficult situation- they’re limited by geography. They can’t go to the power company and say “give us a wind farm”, since their demands are for steady, proven and fault-tolerant power, they don’t really have the money to do it themselves, and Pacific hasn’t really set up much in terms of alternative generation.

The other option was to relocate the datacenter outside of the Pacific Power service area. Usually setting up datacenters like this requires quite a bit of planning, and the location is a big deal- it needs decent telecommunication infrastructure, has to be close-ish to a large enough city (seattle and redmond, in this case), have solid geotechnical underpinnings, be securable, and be away from any major natural hazards. Electricity is only part of the equation, so I’m guessing their options were limited. Doubly so, considering how many US power companies offer workable industrial (read, redundant, reliable, and with a 99.99999% uptime guarantee) electricity that relies on anything other than traditional (coal, nuclear) generation methods. Maybe Facebook could have moved somewhere where there is a solid, reliable alternative energy service, but that would mean putting more staff in the air to go manage the place, relocating or training workers, and generally, a much higher carbon footprint.

Really, the demand for electricity is there, and it doesn’t matter to the Datacenter where it comes from, as long as it works. Moving their operation to somewhere with wind, solar or even hydroelectric power, because it’s low on the requirements list, and it definitely conflicts with other, far more important operational and sustainability requirements. I’d also suggest that they’ve done their level best to actually lower the impact of their energy demands- some of this comes as a product of the location they’re in, which (again) limits their choice of power sources.

It’s in the best interests of any major computing center to minimse their power requirements. It’s good for the bottom line of the company, and it certainly helps when the power systems fail- your backup generators don’t have to put out gigawatts, and you can still go on working. Efficient passive cooling systems (cooling being second only to actual computing in terms of consumption of energy, and sometimes ahead of it) also mean that the machines stay happy when the power goes out, the air conditioner breaks, or any number of other unplanned bad things happen. Efficeincy and sustainability are good for security and risk management, generally speaking.

The truth is, most of the major datacenters that exist aren’t efficient. Moving electricity and changing it’s phase, lowering and raising voltages and making it less noisy are all going to take away from the power that comes down off the line. In the past, most places have just accepted that their power is both dirty and inefficient, and lived with it. Rackspace, Dell and others have actively attempted some sort of efficiency initiative (see Sun’s Datacenter in a box) and Google (probably the biggest user of large datacenters in the world at the moment) is claiming they’re reducing power consumption, but telling nobody how they do it. IBM has also actively been involved in evangelizing and implementing the efficiency and green tech in their own and their client’s datacenters for a while, but they seem to be an exception (as usual). Meanwhile, Facebook has come out and openly explained their process. Normally, I’d pick on Facebook over privacy issues and generally being a bit annoying, but this is good stuff. It’s a step in the right direction by a company that is highly visible, which will inevitably cause others to follow suit, Greenpeace approval or not.

While I fully support Greenpeace in their effort to try and make big computing more sustainable and efficient, but they’re barking up the wrong tree if they expect a multibillion dollar investment to hinge on something that is as rare as a fit, healthy person on medicare in the United States. They may want to take their petition to a bigger company who build datacenters more often and see how it’ll work there; perhaps a company that has multimillion dollar contracts with multiple utilites can sway them. I doubt it, though; until big data sees big electricity as an option, the companies that handle big data will be willing to use whatever the utilities give them.

Full disclosure- I used to work for IBM as a contractor, I’ve recommended Rackspace to clients more than once, and I have been paid by Greenpeace as a campaigner in the past- I still support them, I just disagree with some of what they say in their PR statements. I have never bought a Dell computer, and I’ve never been paid by Facebook for anything in my life (although I do have an account).

Here’s a hypothetical question: What do you do when your car dealer or garage tells you that you can’t bring your car there for a tune-up anymore, because it’s too old? Does that ever happen?

I’m asking because this is an analogy for how a number of hardware and software designers build for the market I work in.

Basically, the lifecycle is simple- Vendor makes a product; releases it to much fanfare. Lots of them are sold. Users build little shrines to the company (ok, this might be stretching it), and after a year or so, the honeymoon is over and the company releases another, newer verison. After about 2 or 3 of these, the company declares that the first version is now obsolete, and that they will no longer be providing updates for the core parts, or supporting it in any way. “Fine” you say, “I’ll just handle it myself”. And then the device crashes.

You are left with a brick. You can’t open it up to fix it (it’s made to be thrown out), and you can’t get into the software on it (you don’t have the keys, basically), so the device is nothing more than a massive paperweight. You’re probably frustrated that there are obvious environmental implications when this scales to a multi-million user ecosystem (I know I usually am). While mildly annoying (”hey, I spent $500 on this 2 years ago, and now it’s a paperweight! F**ck you, vendor!”) it’s not the end of the world. You’ll just buy a new one, and hopefully the old one will get recycled.

It could be worse, though. Fill in that last set of statements about the device failing with something else- which is far more common; the device continues chugging merrily along, with no updates, no patches, nothing so much as the odd power down. If this sounds familiar, it’s because it is- most companies, institutions and individuals don’t have the budget to buy new gadgets every year or two, so they keep the old ones running for as long as they can.

This worked fine when the mobile devices and computing hardware was limited, single-purpose stuff, but times have changed. If you expected your IPhone to continue running as long as that Nokia you bought in 2005 did, you probably should have stuck with the Nokia (I’m sure you didn’t, though). Apple’s release of the newest build of IOS (4.3) highlights this problem for short-lifecycle devices. It basically renders any IOS system built before the release of the 3gs obsolete. Sophos has taken a quick look at this. Their conclusion is one that seems obvious to anybody with half a brain- the 10.4.3 update fixed security holes, but didn’t fix the holes on the systems that apple officially ceased to support as of that update. Apple likes to boast about how many of these phones they’ve sold. I seriously doubt that they will boast about how many of them are now obsolete, since it wouldn’t be good for PR.

Lack of patching and updates becomes a big problem when you’re dealing with a device that is both tied to a network, and has a deeply integrated software/hardware system; smartphones are a good example, but tons of other consumer electonics are heading in this direction as well (think televisions, printers and routers). I fully expect the number of devices that are rendered obsolete by software updates to rise in the next 3 years to something in the hundreds, as more vendors try to copy what is an extremely successful business model for Apple, and ignore the downstream impacts. As Sophos and others have already pointed out- Security threats are here now, and they won’t go away unless the vendors and engineers take responsibility for their hardware, especially if they plan on selling it to organizations and individuals who can’t always afford to keep up with the 2 year revision cycle.

I have a useful trick for trips to places where I don’t speak the language (which is rare- I don’t like having that extra loss of situational awareness) is to compile a phrasebook of my own. This is especially useful when you have less than a week to prepare for a trip to somewhere like, say, Moscow, and you don’t have a local contact. The phrasebook is a fairly simple excercise- get a small (pocket-sized) notepad, and look for a useful language site- or Wikipedia and Google, depending on what you need translated. Write the phrase down in the book with an english translation underneath. Keep doing it until you have all the “special phrases” you need. I’d suggest you start the book with “do you speak {english, french, 3133, tcp/ip}? I don’t speak (insert language of your destination here).” This at least sets up some expectations from the person you are addressing.

The phrasebook is meant to augment or improve upon other guides you might take along (personally, I have little use for guidebooks, since the last few I have had weighed too much and were hopelessly out of date after 1 year). It shouldn’t have every possible thing you’ll need in it, just the stuff that you’re certain you’ll need. In my case, the second page was “please take me to the Sokolniki Holiday Inn” followed by “can I have a receipt?”. Things like “I am diabetic and need insulin” or “I have a life threatening allergy” are also pretty useful, while “u r hott, do u want 2 cyb3r?” probably isn’t. The beauty of this is that you have a way to loosely communciate the things you need to tell people without really speaking the language. In transcribing things by hand, you also pick up a little of the language anyway.

You’ll note that the word “thank you” is nowhere to be seen in my book- It’s one of the three things that I think you should always know how to say in any language- the other two are ‘yes’ and ‘no’. Optionally, I’d suggest ’stop’ as well.

The idea is that you carry your phrasebook with you, somewhere easily acessible. It’s not the end of the world if it gets pickpocketed. Rebuilding it might be a pain in the ass, but losing something else would be worse. I usually carry mine in the pocket I’d put my wallet in. The added uses for this book are that you can also use the phrasebook portion to translate words you see back into your own language; most of the time this works when there aren’t modifiers, and you can take notes on other things in the book itself. Mine was filled with network diagrams and todos by the end of the trip.

It’s worth pointing out that there are some very obvious safety and security risks to this method- You don’t really know what people are saying if they respond in their own language, and it’s possible that the moment you admit you don’t speak it, you’re going to get conned. These aren’t things that this method of interaction can mitgate; and if you’re worried about that, I’d suggest looking into more extensive safety and security information or training, and (more importantly) learing enough of the language of your target country to function there. Aside from that, whipping out a notebook in public can sometimes attract weird attention.

Of course, there are other solutions- mostly for the Iphone, but this is far less likely to fail, and isn’t as hard to replace when it does (you need internet access, a pencil and a new notebook).

NB: it’s probably a good idea to verify your transcriptions before using them. You wouldn’t want to fall prey
to the “chinese tatoo syndrome”.

Now, I know, in this room, some of you are the women I have been talking about. I know that. People around you may not. I am going to ask you to use every single thing you can remember about what was done to you — how it was done, where, by whom, when, and, if you know — why — to begin to tear male dominance to pieces, to pull it apart, to vandalize it, to destabilize it, to mess it up, to get in its way, to fuck it up. I have to ask you to resist, not to comply, to destroy the power men have over women, to refuse to accept it, to abhor it and to do whatever is necessary despite its cost to you to change it.”
-Andrea Dworkin, 1995
Remember; resist; do not comply

I’m not even going to say his name. I didn’t last year, and I won’t this year. I won’t say the names of the other men, driven by some twisted desire for fame or revenge that did the same things in other schools, offices and cities around the world. Instead, I will ask you to remember the victims. Remember the perpetrator as what he was- a demented, sad individual; but remember the victims. 14 women, all of whom had bright futures.

This type of violence has no place in society.

(for a longer discussion of the massacre, please see last year’s commentary)

(The quote above is from a speech at the Massey College Fifth Walter Gordon Forum, Toronto, Ontario, in a symposium on “The Future of Feminism,” April 2, 1995. First published by Massey College in the University of Toronto, May 2, 1995. Copyright (c)1995, 1996 by Andrea Dworkin.)

In theatre, I often find myself working alongside directors who are heavily concerned with the working environment’s sight lines. Obviously, this makes tons of sense when you’re trying to assure that your show comes off looking good, but there’s an additional bonus; the audience connects with the players and the story when they can see their faces clearly. I feel that the same applies in an office. The places where I’ve connected the most with the whole company (and the team I work with) have been open, wall-free, and busy environments. The ones where I’ve had the most trouble were usually cubicle farms that pretended to be open-plan- or worse, places with “open cubicles” where my colleagues and I sat in groups of four and hatched schemes to take over the company. This sort of space design leads to siloing and knitting circles, and not real work. I think the constructivists, Structuralists and a number of other people agree with me here, so I’ll take it a little further: Secure, offices are usually also open ones.

I’ll go back to the theatre example, for a moment- mostly because I’m working on a play right now, and it’s giving me plenty of thought to chew o)n. I work with different people on each production I do (I should probably plug the current one here…) and by about the second week of pre-production, we’ve usually formed a tight, working group. When someone new enters our workspace, we’re all instantly aware of the presence; we can see and hear them, and the group reacts. In most cases, this is because the theatre spaces I work in are large and open. You can see most of the space from the stage or the booth, and you are (usually) very aware of your surroundings.

In a real open office, the same applies. The last good space that I worked in, I could look up from my desk and see what everyone was doing, who was at the door, and who was in the meeting rooms. Nearly everyone else in the office could do the same. This mattered, because I knew that I wasn’t interrupting something when I asked someone a question, and I also knew that the random client that walked in for a meeting was going to need to be shown around, or entertained because the CEO and CTO were busy. It also kept people united. If you had a problem, everyone would know. Gossip was hard to do, since there wasn’t any real space to do it in the office, and it was rare that anything ever went missing or got broken.

Contrast this, then, with the “semi open” space that I had worked in prior, and the “1989-beige” cubicles I work in now- In both places, the teamwork is done over the phone, or outside the workspace; gossip and politics are constant annoyances, and much less seems to get done in a day. When people get frustrated, they retreat to their “dens” and the social structure is siloed and segmented, rather than integrated. The upside, though, is that it’s quiet most of the time.

In terms of security, though, it’s not optimal. I find that when we’re put into small-ish (scrum sized) open groups, we self police. When we’re put into silos, cubicles and boxes, we tend to shut out the world and have a “work to rule” mentality- and this is evidenced in the work ethics of the companies I’ve contracted to in the last 10 years. “I’ll secure my system, but the office is someone else’s problem” doesn’t really work when your system is accessible from the office, and the walls around your desk are just high enough that nobody can see what I’m doing to your system when I’m there. I think there’s a similar principle in defensible design- open spaces with open uses lend themselves to less criminal activity (at least, according to Newman and others) and more integration. It’s harder to get up to any of the negative things you could do when you know that your friends are watching you.

Beyond that, though, it doesn’t allow the security people to talk to the developers, or the CTO or anyone else- they live in their security cubicles, and think about whatever the micro-task they’re working on is. This kind of segmentation and siloing, combined with a lack of cross-company communication usually boils over into internal drama. While the open office had it’s share of drama, it tended to subside just as quickly as it arose, and most of us got accustomed to the ebb and flow of crazy that occured. The segmented spaces that I have worked in, on the other hand, tend to never quite finish the drama cycle. I’m sure that has as much to do with the people as the space, but I feel that the two tend to feed into one another. Your insecurity is built into those cubicles. For one, they’re harder to search in threat scenarios.

Addendum: For those of you who will inevitably highlight the security implications of an open office with regards to employee privacy and/or PII visibility, I should point out that any cubicle has the same visibility issues if you’re standing within reading distance from it since they tend to be around 4-5 feet high, which is just slightly shorter than average human height for North Americans, so we can see all that stuff on your monitor. Employees with cameras and telescopes, in my experience, are not a real risk; try pulling out a camera in an open office space and see what happens if you don’t believe me. If Access and security are your concern, then make the office entrance controlled and put the public meeting rooms in a different area. One of the things I liked about Telus’s office in Montreal (and IBM GS’s floor plan, as well) was that the design was based on the idea that anywhere that employees were was a secured area. While this doesn’t make any obvious risk reduction (readers of this blog might recall that I’m a big fan of a dedicated front desk for security reasons) it definitely gives employees a sense of space ownership, and I suspect it seriously reduces risks when combined with a decent access and entry policy.

I wonder what these were used for?

I suspect it might be some sort of language school or technology school surplus, but it’s also easy to dream up a story about them- They are, after all, wideband recievers that can listen to virtually anything from 100khz to 30Mhz… which is where all of the spies are (Just kidding- there are numbers stations, though).

It is reported to be controlled by the Russinan army, and used as an alternative frequency marker. This is a standard tactic of any comms. organization; the entire RF spectrum is spotted with beacons marking usable frequencies for specific groups.

It is transmitting from a tower outside of Moscow.

If English Russia is to be believed, the station itself is abandoned, flooded, and in an unusable state, despite the working tower http://englishrussia.com/index.php/2010/08/28/inside-the-mysterious-uvb-76-station/

It went off air in late August- and then returned yesterday with a new callsign (.

While there are a number of speculations regarding the nature of the broadcast, and it’s link to Perimetr (Периметр- the “deadman switch” for Russia’s nuclear arsenal); nobody knows the precise purpose of the signal. Obviously, the Russian Army has not released much information on this subject.

Interestingly, UVB-76’s downtime and subsequent callsign change conicdes with a reorganization of the Russian Military command structure, and (if I’m interpreting this correctly) a renaming of the 1st comms hub of the General Staff, which is now the 1st Communications Brigade, and is officially located right near the transmitter tower. Since the official purpose of the system is transmission of orders and comm channel keep-alive, it makes sense that the new callsign has occured just as the restructuring has started up. The heightened activity around the station also makes quite a bit of sense in that regard.

Of course, there are still crazy people who think it’s the voice of a doomsday device

I’m a little stunned, then, when I read about the unmitigated disaster that happened at the Love Parade in Germany (Duisburg)- there were a number of obvious mistakes made in the planning and layout of the crowd control measures, and it now seems like the organizations that were charged with the crowd control are pointing fingers at one another. The sad thing is that it could have been avoided very easily, and the risks should have been obvious to anyone doing the planning- which means all three organizations responsible for giving the party the go-ahead have failed in some respects. Based on the site design, alone, the possiblity for this type of accident was evident from the start. The site had a single public entrance, where the crowd was being funnelled through a tunnel into the main site after the parade floats paseed through. Reports indicate that for reasons that are still not clear, the police and security team closed off the far end of the tunnel when the site became overcrowded. Already, there are two planning errors here- the first is the mixing of moving vehicles and the drunken public, and the second is gate control. The third, and in my opinion the worst, is the lack of communication to the crowd. From a practical standpoint, it may have been impossible to put a manned gate with staff on it at either end of the tunnel, and then control the number of people entering (think turnstiles or doormen), on the other hand, if that was impractical, they should have had a second entry point- moving vehicles and drunk people are a bad mix. The size and width of the walkway was also too damn narrow to allow for an evacuation channel when the area became full. If you’ve ever been to an outdoor show, or a large concert, you’ve probably seen these. People like me set them up using metal gates, and then security staff man the little barriers. They’re useful if there’s a mass panic, because they can be moved quickly to reduce crowding. They’re dangerous for the same reasons.

The communication issue, I expect, will be the most ignored portion of the investigation; it’s hard to establish who said what to whom, and how the crowd was addressed (if at all) during the early part of the emergency. From experience, I can say that public address is hard, and with a group that size, it would have required either well informed, properly trained personell with radios, or (better still) people with PA systems (bullhorns, etc). The simplest thing to do would have been to give advance warning of the tunnel closure, and then let people know as it was being closed that they would need to disperse. The same applies to the tunnel entrance. It’s vital to keep choke points like that clear, and obviously this wasn’t done properly. Was anybody from the planning and management staff or the security group trying to communicate this need to the festival participants?

In any event- the tragedy that ended this otherwise wonderful festival could easily have been avoided. Blame aside, it’s horrible that this happened, and should serve as a warning to festival planners in general- success means crowds, and crowds need to be planned for. It also serves as a reminder that the crowd does not always do what you want it to.