No plan survives contact with reality

I just finished watching a webinar about Future Proofing Identity and Access Management. Lots of good thoughts, but one of the key things I took away, which was never explicitly addressed during the presentation, is that somewhere between 50-70% of the time was dedicated not specifically to IAM/PAM, but to the difficulties almost all organizations have in getting projects across the finish line.

Unclear scope, problems with team cohesion, lack of early buyin of all departments involved, resistance to change after a project is partway finished, etc., are all problems regardless of what technology is being addressed. Also critical is that most projects are not as freestanding as we would like to believe. A particular technology such as IAM/PAM is dependent on, for example, SSO, which might not even be involved in the IAM discussion because it's seen as separate.

There aren't any magic bullets to fix this, but it does suggest that no significant IT/IS project should ever be undertaken without continuous access to a resource with really good project management skills. Whether that's a part time person out of the PMO or that's a person from IT/IS with some good cross training has to be determined and will vary from organization to organization and in some cases from project to project.

I want to make a callout to @Guidepoint Security for a great monthly series of webinars on various topics. There's no way anyone in cybersecurity can be an expert in everything, or even most things, but we all benefit from having enough knowledge to understand what someone else is telling us.

Technical debt horror show

 Once upon a time, a university decided it wanted a computer, so it acquired an IBM 704. One of the first things to be programmed was the payroll system. I don’t know what it was written in but COBOL wasn’t available yet. It may well have been 704 assembly language.

Eventually that computer was outgrown, and the university upgraded to an IBM 709. The 709 had a different architecture from the 704, so the payroll system wouldn’t just transfer over. However, an emulator was available for the 709 that made it act like a 704, so the payroll system could be executed by the emulator.

Sometime later, the 709 was replaced by an IBM 7094. Despite being bigger, faster, and far more reliable, the 7094 shared the 709 architecture, so the university just rolled right along running the emulator that now made the 7094 look like a 704. People kept getting paid.

But change was in the wind. The next upgrade was to an IBM System 360/65. S 360 had different word length, different addressing architecture, different instruction set, different pretty much everything. What was to be done for the poor old payroll system?

Computer people are smart, so someone created an emulator for the S 360 that made it act like a - 704? Oh, hell no. Why would there be any reason to try to run code from a computer that was now 3 generations out of date? However, the emulator would make the S 360 act kind of like a 7094. So now the payroll process was to run the 7094 emulator inside of which a 7094 operating system could run the emulator that made a 709 act like a 704, so that it would accept the ancient 704 based payroll program.

Not all was rainbows and unicorns. This process was now so fragile that 2 computer science PhD students were drafted into spending a night every other week trying to sleep on the computer center floor, so somebody would be there to try to get the process back on track if/when it stumbled off into the weeds. Clearly it was time for a complete overhaul.

One would think that it was a “simple” matter of running the original code through a S 360 compiler and working out the kinks, but. There was certainly no program that ran on the S 360 which knew how to interpret 704 assembly language. Besides, by this time the original source code had been misplaced, and the entire kludge had depended for years on executing a 704 object module, which had survived on punch cards, inside the emulator stack.

The university put together a project team and reverse engineered the original program, then rewrote it, now in COBOL, and successfully got the new payroll system running in an *almost* current environment. You see, by this time the university was already looking into upgrading its 360/65 to a System 370, which introduced virtual memory. We will never know whether the original 704 code could have been coaxed to run when faced with page swaps.

The moral of this story is “Never do today what you can put off for 20 years,” because you *will* be able to make it work then. No matter how long it takes and how much it costs.

Wolves, sheep, and cybersecurity

 Cybercriminals are wolves. The rest of us are sheep.

The ubiquity of the internet has made it much easier for wolves to eat sheep at very low risk. This is causing an explosion in the wolf population.

Under pressure from predation, prey animal populations will gradually adapt or die.

Each individual sheep (person or organization) has two things it can put effort into. One is trying to protect itself from the wolves. This looks like organizational cybersecurity plans that actually reduce risk. 

The other is working with the rest of the flock to evolve new behaviors that reduce the risk overall. Compliance efforts show all the other sheep that an individual is doing its part to be a good member of the flock. This eventually helps protect the flock, but does nothing to reduce the risk to the individual sheep.

Will the flock adapt into new behaviors that reduce risk before most of the sheep get eaten and the rest turn into wolves?

Just remember that whether it's by the wolves or the shepherds, the sheep always get fleeced.

I'll take door number 4, please.

Cynics laws of thermodynamics cybersecurity:
0th: You must play the game.
1st: You can't win.
2nd: You can't even break even except under special circumstances.
3rd: The special circumstances don't exist.

Anyone who spends sufficient time reading commentary on cybersecurity will notice that many posts  fall into three major themes around the topic of "how to fix it:"

1) Do the basics and fix 90-99 percent of the problem. 

2) Attacks are continuously getting more sophisticated and we need to be as technically advanced as the bad guys.

3) We are facing a no-win situation and we have to do the best we can but not let it grind us down.

I enjoyed reading and happen to agree with all three articles, but regardless of how true they ring, they cannot all be simultaneously right. So what's really going on? Is our cynicism an accurate reflection of reality?

Certainly any single cybersecurity professional, or any single organization, cannot survive the wild west we currently inhabit. But regardless of how far away from broad concensus on solutions we may be, I think that everyone on the side of the white hats will agree that the current situation cannot go on. To continue borrowing metaphors from other disciplines, economist Herbert Stein observed that "if something cannot go on forever, it will stop." While we are never likely to attain a complete mitigation of security threats - after all, despite decades of effort, in the United States we accept around 35,000 traffic deaths annually as "normal" - history repeatedly shows that in the face of collective threats, populations will eventually achieve, through some combination of market forces and central control, a state we can put up with. The current situation cannot go on forever, and so we will make it stop.

Therefore, I think that all our common formulations are correct but incomplete. We will not solve our problems with a single approach, nor are we doomed to go on with the good fight in spite of knowing we will fail. Although our effort will go on for years and decades, the belief that must sustain us is that, in the fullness of time, the sum of the security efforts of all who prize order over chaos will enable us to take door number 4, then look back and say "I survived the bad old days."

JuxtapoTrainwreck

Well, that didn't take long. It is clear that attempting to come up with daily wisdom from combining wisdom sources did not survive contact with reality. Nevertheless, there are a number of findings which I can take out of the exercise.

 A Common Meditation for All Souls features posts cherry-picked from a large variety of sources. We only get the good stuff (at least in the judgment of Galen) with none of the froth. The common liturgy is structured to provide the entire contents of the 4 gospels over a 3 year cycle, and the bible is full of both wisdom and story. It's not always so easy to see what we're supposed to take away.

Sunday gospels (of which I have covered none) are dramatically longer than those for the rest of the week, because there is a base assumption that most people will only ever hear the ones that are read on Sunday. The most important parts, from a Christian perspective, are therefore placed there. This is a mixed bag; in some cases the most important parts are the parts that UU's would have the most trouble with, so I'm missing an opportunity to see just how thoroughly the traditions can be reconciled. On the other hand, it may be saving effort that would be wasted on trying to get wisdom out of what is actually doctrine, or even travelogue.

The gospels of Easter week are probably not the best place to start, because the problems listed last paragraph are just magnified during the most important liturgical week of the entire year.

Unless one is willing to uncritically accept whatever is in the bible as given, it's impossible to look at the gospels without also thinking about historical context. It also does some of the passages a disservice to show them dissociated from the surrounding content. I'm trying to glean wisdom and I don't want to do biblical criticism or defense. That almost inevitably means the passages from the Liturgy will be, at least part of the time, more rich with content than I'm willing to spend the effort to investigate. This probably isn't an effort that's worth doing part-way.

Extensive thought and analysis is incredibly time consuming so a number of the posts seemed pretty banal. Katy warned me.

I still think there's some value in doing something, but I haven't figured out yet how to try the next approach to it. But Juxtaposition is dead, dead, dead.

God, grant me the serenity to accept the things I cannot change,
The courage to change the things I can,
And wisdom to know the difference.(Reinhold Neibuhr)

Theism for Unitarian Universalists

Sermon given at the Unitarian Fellowship of Houston

Forrest Church, former senior minister at All Souls UU in NYC, who died of cancer a few years ago, frequently noted that when he talked to parishioners (or others) who said they didn’t believe in God, he’d ask them to describe what they didn’t believe in. Almost universally, he was able to say “I don’t believe in that kind of God either.”

He has not, so far as I know, put in writing just what the characteristics described were. I bet that we could pretty easily imagine the typical conversation, tho.

We could describe a god who was dictatorial in telling us what to do, limiting in telling us what not to do, and interventionist because he would punish us if we didn’t do as we ought. But more than that, for we can say those things about natural forces such as gravity, we would also describe someone arbitrary, in singling out the select, and capricious in behavior, so that we could never be quite sure where we stood. In fact, this is the god that William Ellery Channing called “a being, whom we cannot love if we would, and whom we ought not to love if we could.”

Fortunately, we are not stuck with only that god. Nor are we stuck with any other image which we have created or been given and have associated with the word “god.” Instead, what we have is the realm of what Forrest Church called “transrational.” This is the realm for anyone who cannot accept the “standard model” God, but who nevertheless remains convinced that there’s something out there which we don’t, and maybe can’t, ever understand, but merely experience.

Our question then becomes: what does this mean to me? And that’s where we need to decide what *sort* of something we believe in.

In its broadest meaning, "theist" simply means someone who believes that at least one god exists. This definition carries no overtones about the sort of god or gods implied. The currently common definition, which equates theist with "stereotypical Christian God" really didn't start to take shape until the eighteenth century, when Deists, who believed a supreme creator had wound up the universe then left it to run, distinguished themselves from those with more traditional views by calling everyone else a Theist.

If we look at the entire spectrum of gods across history, I think that, taking a very broad brush, we can divide them all into three categories. Objectified gods are those who are directly associated with something we know in the physical world. The one that is perhaps most familiar to modern Americans is Pele, the goddess of the Hawaiian volcano. Animal spirits, some of the Egyptian gods, and ancestor worship also fall in this category. These gods are generally "right here" in the sense that they coinhabit something we know from our physical environment.

Personified or anthropomorphic gods are those who look and act like us, only more so. Greek, roman, norse, finnish, hindu, and possibly Wiccan gods fall in this category. They generally have the characteristic of living "out there." From Mr. Olympus on, they've always had a place the rest of us couldn't get to.

The last group are the "diffuse" gods. These are the ones who are simultaneously both everywhere and nowhere. The great spirit of Emersonian transcendentalism, the universe is god or universe is part of god theories of pantheism and panentheism, the ultimate Gaea hypothesis, and the cosmic consciousness movement all fit in this class.

It is interesting to consider the Christian trinity, and note how the triumverate of father, son and spirit seem to correlate with the three classes. I find this interesting and suggestive but it may well be nothing more than coincidence.

Thus far we have talked about the physical characteristics. But what about their behavior? Any god, regardless of class, can be evaluated along two major axes. First, do they intervene in our daily lives, or they leave us alone, except, perhaps, for offering advice when we open ourselves to it? Secondly, are they stern and perhaps even cruel, or do they tend to the side of infinite love?

Now we have a toolkit with which we can describe any sort of transrational entity, whether it is one which mirrors one we have personally experienced a glimpse of, or one which is completely the product of our imagination. The concept of God is so broad that it can encompass any set of assumptions about the physical realm and still embrace something spiritual, welcoming, and amazing.

Instead of a stark choice between a god we cannot believe in and a non-existent one, each of us has a huge palette of ethereal colors to choose from as we paint our personal image. And that leads me to note that no matter how people have viewed the ultimate reality, they all seem to have shared some common beliefs about ethical behavior. As a universalist, I think that’s important, because it looks to me like no matter what we believe, we all have the power to live with wisdom. Wisdom comes from many sources who follow many different traditions, and we do ourselves a disservice if we ignore some bit of it because it also comes with ideas we find unappealing.

I say it doesn’t matter if you believe there’s a god, and it doesn’t matter what kind of god you believe in. It doesn’t matter if you use “god” as a shorthand word to refer to something fuzzy that you can’t really describe but need to have a name for. It doesn’t matter if you think the entire question of god is nothing but “nonsense on stilts.” What matters is that we each find our own spiritual center, and live our lives as a brilliant testimonial to what we find there. To let our light so shine out in the world, we must carry an image of the ultimate truth - of god - that is true to both what we know with our brain, and what we know with our heart. To borrow from another famous tradition: “Love your god with all your heart, soul and mind, and love your neighbor as yourself. (Mark 12:30-31)

Techbits

With all the news about the Heartbleed security hole, it's a good time for a review of how to create and manage passwords. The advice is particularly useful in light of certain reports that came out post-Snowden that the NSA really didn't work too hard to put backdoors into online systems because they could usually just guess the passwords people used with much less effort. Most common password? Still long time champion "password."

Nikon's latest Android based camera continues to blur the line between camera and cell phone. While it would be extremely painful for me to ever give up my digital slr and 40mm macro lens, I don't carry it around most of the time. Having a high quality camera that also just happened to make calls and let me update my fantasy football roster could be a real convenience. We will see what the market says.

Chromebooks have been the one bright spot in an otherwise horrible market for traditional pc's and laptops. The devices, running Google's Chrome OS, which is pretty much just a power infused version of the Chrome browser, are popular because they are light, (usually) cheap, free from worries about viruses, and extremely quick booting. Now it looks like there may be Chrome OS tablets as well. It will be interesting to see exactly how these compete with standard tablets running Android, Google's other operating system. Perhaps people predicting the eventual convergence of Chrome and Android are on to something.

If you have an old laptop around that's gathering dust, you may be able to trade it in for credit on a new one, perhaps even one of those Chromebooks. Just don't be the person who causes them to end the program. At least, not until I've had my chance to do it.