I'll admit it. I am a fanboy for Dr. Edward Tufte, professor emeritus
of political science, statistics and computer science at Yale. In my
opinion, he is the world's leading expert on how to display complex data
in a visual form. When I learned
last week that President Obama had appointed him to advise the Recovery
Accountability and Transparency Board, I was elated. The board's
mission is to monitor the way the US Government is spending the $787
billion stimulus package. There is not a better person for the job.
I ran into Dr. Tufte almost a decade ago when I was still in the
service. I was running the Army's Computer Emergency Response Team at
the time and we were struggling with how to convey the complex concepts
of network defense, network offense and network exploitation to Army
leadership; mostly to generals who had spent their entire Army careers
leading infantrymen, tankers and artillerymen into battle. These guys
are smart but they do not spend a lot of time in the land of Ones and
Zeros. I needed help. A friend of mine suggested Dr. Tufte's traveling seminar that just happened
to be in town that week.
I was stunned.
He spent eight hours running the audience through a historical
cornucopia of visual presentations, both bad and good, to illustrate
what works and what does not work. His famous example-- how NASA's
engineers might have failed to prevent the Challenger Space Shuttle
catastrophe in 1986 because a badly designed slide deck did not convince
NASA leadership to scrub the launch-- is bone chilling. His more
positive example-- how Dr. John Snow was able to determine the cause of
London's Cholera epidemic of 1854 by plotting the deaths on a city map
and learning that a communal water pump was the most likely source-- is
inspiring.
As a former soldier, I am most impressed with Charles Joseph Minard's chart depicting the
folly of Napoleon's invasion of Russia. Tufte thinks that this is "[p]robably
the best statistical graphic ever drawn." On one chart, Minard displays
the gross losses of Napoleon's Army as it traveled to Moscow (Tan Line left to right) and
retreated back (Black Line right to left), the time frame it took, the weather and temperature that
accompanied the Army and the devastating personnel loss of doing
multiple river crossings in the dead of winter during a retreat. Germany's generals would have learned a lot from this chart before they tried and
failed to do the same thing in World War II.
For the price of the course, Dr. Tufte gives you all four of his books on the subject.
That night, I ran home to devour the books. Over the course of a few
evenings, I could do nothing but sift through example after example of
charts and displays from China's Railway Table of 1985 to Galileo's
proof that sunspots were not orbiting the sun, but were actually part
of it. I recommend all of the books highly and, of course, if you get
the chance to attend the seminar,
just do it. You will not be disappointed. I have since been back to
attend a second time.
You may be asking yourself just what does all of this have to do with
security. I am glad you asked.
Like most of you, I do a lot of presentations. In fact, I am a
PowerPoint Ninja. I have done so many presentations that I am getting
close to the magic 10,000 hour number that Malcolm Gladwell mentions in
his book, "Outliers: the Story of Success." I am usually educating an
audience on some security matter or trying to convince leadership to
give me something that I want. In both cases, how I present the
information is key to the success.
You will be interested to know that Dr. Tufte hates PowerPoint; at least
the default way that most people use it: a title, three to five bullets of text and
spinning doughnuts that have nothing at all to do with the presentation.
In his seminar, Dr. Tufte does not use it. The fact is though that
PowerPoint, and its non-Microsoft equivalents, are tools of the trade
for most businesses and especially for security people. We need to
report status, explain technical issues and beg for money to start and
maintain pet projects. We all use a PowerPoint equivalent to do it. More
importantly, we as security professionals have to build the charts and
diagrams and graphs that we stuff into those slide decks and other
written reports to make our point. Even though Dr. Tufte hates
PowerPoint, his design guidelines will help you build better decks and
reports.
According to Tufte,
"Presentations largely stand or fall on the quality, relevance, and
integrity of the content. If your numbers are boring, then you've got
the wrong numbers. If your words or images are not on point, making them
dance in color won't make them relevant. Audience boredom is usually a
content failure, not a decoration failure."
He is now helping the government explain where it is spending the
stimulus money at recovery.org.
According to Newsweek,
"The result, as anyone who has spent significant amounts of time
scouring government Web sites for information will tell you, is perhaps
the clearest, richest interactive database ever produced by the American
bureaucracy."
I am in London this week getting ready to kick off the eCrimes
conference. This is my second trip out here for this great event. I get
to travel to London, burn my tongue senseless on some very hot Thai
food (I highly recommend the Mango Tree, but I may have to go through several therapy sessions to recover) and spend the week seeing customers.
The marketing folks have me on the treadmill today. I am facilitating a
discussion with Eli Jellenc, the Manager of the iDefense International
Cyber Team, at breakfast this morning with about 25 CISOs. We are going
to touch on these topics:
Targeted attacks by criminal organizations
Invasive government activity (e.g., monitoring)
Hacking of mobile hardware devices
Increases in corporate espionage
Distribution of malware via social networking sites
Outsourcing software development to foreign countries
I am then presenting during the 9:20 a.m. keynote slot behind Paul
Hoare, the Senior Manager of UK's SOCA (Serious and Organized Crime
Agency). I am giving the Reader's Digest version of the iDefense
patented Trends Briefing -- it should be a "hoot." If you are in town,
let me know. I am buying the beer.
But, none of this is what I want to talk about today. During the RSA conference two weeks ago, Microsoft's Scott Charney suggested
that an Internet tax might be a way to pay for
a vaccination-like program for malware-infected consumer machines. This
type of program would be similar to how parents vaccinate their
children before sending them to school. He suggested that the Internet
Service Providers (ISPs) might be the designated vaccinators, scanning
and cleaning machines before they let "grandma's" machine access the
Internet. Charney noted that the business world already does this
today. Many enterprises scan computers on the fly every time someone
accesses their corporate networks. If a computer does not pass a scan,
the user cannot access the company network. In his RSA speech, Charney
asked, who does that for the consumer?
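To make the enterprise check Charney is pointing at concrete, here is an added example of a network-admission posture check. It is written for this post and is not Microsoft's, iDefense's or any NAC product's code; the agent report format, host names, thresholds and the botnet indicator list are all constructed assumptions. It distinguishes a host that merely has weak hygiene (stale signatures, missing patches), which gets a quarantine network where it can only reach remediation services, from a host actively talking to a known botnet controller, which is cut off outright.

```python
"""Hypothetical network-admission posture check (added example, not code
from the post or from any product). A host reports its security posture
before it is let onto the network; the policy engine decides whether it
lands on the production network, a remediation-only quarantine, or is
isolated entirely.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds are assumptions chosen for the example, not values from the post.
MAX_SIGNATURE_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)
# Constructed indicator list standing in for a real botnet C2 feed (TEST-NET addresses).
KNOWN_C2 = {"198.51.100.23", "203.0.113.77"}


@dataclass
class Decision:
    host: str
    network: str      # "corp", "quarantine" (remediation only) or "isolated"
    reasons: tuple


def parse_report(line: str) -> dict:
    """Parse one constructed agent report: 'host=pc1;av=on;sigs=2010-03-01;...'."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";") if kv)
    return {
        "host": fields["host"],
        "av_running": fields.get("av") == "on",
        "sig_date": date.fromisoformat(fields["sigs"]),
        "patch_date": date.fromisoformat(fields["patched"]),
        "firewall": fields.get("fw") == "on",
        "peers": [p for p in fields.get("peers", "").split(",") if p],
    }


def evaluate(report: dict, today: date) -> Decision:
    """Apply the admission policy to one parsed report."""
    # An active connection to a known C2 is evidence of infection, not just
    # weak hygiene: isolate the host rather than hand it a remediation path.
    c2 = sorted(p for p in report["peers"] if p in KNOWN_C2)
    if c2:
        return Decision(report["host"], "isolated",
                        ("connection to known botnet C2: " + ", ".join(c2),))

    reasons = []
    if not report["av_running"]:
        reasons.append("antivirus not running")
    else:
        age = (today - report["sig_date"]).days
        if age > MAX_SIGNATURE_AGE.days:
            reasons.append(f"AV signatures {age} days old")
    patch_age = (today - report["patch_date"]).days
    if patch_age > MAX_PATCH_AGE.days:
        reasons.append(f"last patched {patch_age} days ago")
    if not report["firewall"]:
        reasons.append("host firewall disabled")

    network = "corp" if not reasons else "quarantine"
    return Decision(report["host"], network, tuple(reasons))


# Constructed sample reports from hypothetical hosts.
SAMPLE_REPORTS = [
    "host=laptop-01;av=on;sigs=2010-03-02;patched=2010-02-20;fw=on;peers=192.0.2.10",
    "host=laptop-02;av=on;sigs=2010-01-15;patched=2009-12-01;fw=off;peers=",
    "host=grandma-pc;av=off;sigs=2009-06-01;patched=2009-11-05;fw=on;peers=198.51.100.23,192.0.2.44",
]


def admit_all(lines=SAMPLE_REPORTS, today=date(2010, 3, 5)) -> list:
    """Evaluate every report against the policy as of `today`."""
    return [evaluate(parse_report(line), today) for line in lines]


if __name__ == "__main__":
    for d in admit_all():
        print(f"{d.host:12} -> {d.network:10} {'; '.join(d.reasons)}")
```

The decision carries its reasons so the user (or the ISP help desk, in Charney's version) can be told what to fix; a check that only says "denied" generates support calls instead of remediation. Note also that the isolation rule runs first: a beaconing host with fresh signatures still does not get onto the network.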
Of course, the ISPs have no incentive to do that kind of thing
today. What's in it for them? Charney suggested that the government
could compel the ISPs to conduct such scans as part of their business
license requirements. He was not naive enough, though, to suggest that
this was a no-cost operation for the ISPs. In order to offset those
costs, Charney suggested an Internet tax -- an added cost to consumers
in order for the ISPs to pay for the vaccination program.
Well, you would have thought that Charney publicly advocated the
buying and selling of babies for slave labor. Everybody jumped in to
say why this was a "horrible" idea, including Gartner's John Pescatore, Qualys' Wolfgang Kandek, ESET's Randy Abrams and nCircle's Andrew Storms.
After reading their reasons, it seems to me that some of these folks
had not understood Charney's suggestion in context. They reacted to the
tax idea without understanding the reasoning behind the tax; they
knee-jerked against the general principle of an Internet tax, as if
there could be no possible reason to hinder their God-given rights to
free use of the Internet. This all appears short-sighted to me.
As Charney pointed out in his speech, "We pay a fee to put phone
service in rural areas, we pay a tax on our airline ticket for
security. You could say it's a public safety issue and do it with
general taxation."
Computerworld quotes Microsoft statistics: "there are 3.8 million infected botnet
computers worldwide, 1 million of which are in the U.S. They are used
to steal sensitive information and send spam and were a launching point
for 190,000 distributed denial-of-service attacks in 2008."
Clearly, we have a problem. Using ISPs as vaccinators is a
wonderful idea; paying for it is problematic. An Internet tax may fit
the bill, but we should all start getting used to the idea that running
and securing this great experiment in connecting the world is not free.
This week I have been attending the annual RSA Conference held in San
Francisco. I wish I could tell you that the conference was great or
that it was horrible. Alas, I cannot. RSA is famous for being a great
networking conference; a place to come to shore up sagging business
partnerships, renew ties to great relationships and to mine the
community for new ideas and opportunities. This week, VeriSign and
iDefense did that in spades. We rented out three hotel suites and
rotated customers, potential customers and the press through them on an
hourly basis. It was great. Being able to spend an hour with many of
our great customers in a compressed time window was exhausting, but
efficient and extremely productive. Everybody I talked to had great
ideas about the iDefense service; what it is today, where we could
improve it and where it might go in the future.
Because of those meetings, I have attended exactly two sessions of the
conference. From the folks I have talked to though, this year's
presentations were nothing revolutionary (this is not the place to come
for new technical breakthroughs), but most were good at explaining some
common themes that we are all dealing with. Looking through the
conference agenda, these topics pop up a lot:
Cloud Computing
Cryptology
Social Networking
Health Care
Federal Compliance
The general consensus from the attendees is that if the phrase "Cloud
Computing" is not in the presentation title, it will definitely get
some attention during some portion of the lecture. The topic seems to
be what everybody is talking about this week.
I am on the platform at 9:00 a.m. this morning giving the patented
iDefense Trends Briefing. Among other things, I had 20 minutes of Cloud
Computing content that I just yanked out of the slide deck because I am
pretty sure that anybody that may show up for my talk will have been
completely bludgeoned by the topic at this point. I replaced 20 minutes
of slides with this "Reader's Digest" summary:
The CFO will make you buy Cloud Computing services because they are really, really cheap; get ready for it.
There are security risks, but they are manageable. I wouldn't put the
company's crown jewels into the cloud yet, but the risk is manageable
enough to put some low- and medium-end data and services there today.
We have a huge opportunity here; actually building security into these
services from the get-go instead of bolting them onto the service after
they become popular as we have done in every iteration of Internet
technology in the past. Whether or not we do that is still an open
question. The fact that everybody is talking about it, though, is very
promising.
Yes - I got the Friday morning slot to speak. Since a lot of conference
attendees leave Friday morning because they don't want to take the red-eye
Eye back home on a Friday night and since many folks attending are
doing the same thing we did here (talking to customers and not
attending the presentations), I think I may be presenting to a bunch of
crickets. Actually, that is not a big problem for me. Most people tell
me that I like to hear myself talk anyway. This is right up my alley.