So I was sitting in a critical infrastructure cyber security talk earlier this week and had a small revelation.  The talk itself wasn’t all that interesting – it was another attempt to collect and identify consensus best practices for critical infrastructure security from a governance point of view – but it still led me down a path that surprised me.

The authors of the paper being presented had done interviews and other research and derived a number of principles required for critical infrastructure cyber security governance based on what they commonly heard over and over. At the talk, we had break-out sessions where they were pinging us for our thoughts on their findings.  During the session, I realized that I’d heard it all before (obviously, right? It’s a consensus paper) and was wondering why we couldn’t get past the stale “wisdom” repeated ad nauseam without effect…when it hit me: the use of their paper might be directly opposite of what they might think it is, but it’s still useful!

The thought process is as follows:

1. Assumption: We all “agree” that cybersecurity for critical infrastructure is insufficient and we’re missing something.
2. Assumption: The paper represented the community opinion, to date, on what needs to happen for good cyber security
3. People are trying to improve security, but despite sporadic improvements, we haven’t made nearly as much progress as we think we should. Something is missing.

Conclusion: Whatever it is we need to do …..isn’t in that paper.  If we collect a series of best practices and community consensus on a topic where we generally consider ourselves to have failed, collecting that consensus should be used – instead of as a driver of activity – a hint at what won’t, by itself, get us where we need to be. The lists should be considered things to exclude as solutions to our unidentified sticking points, but the solutions themselves.

You can find it here: http://www.owasp.org/download/jmanico/owasp_podcast_42.mp3

The topic was “FISMA” in the context of OWASP and, while I don’t really do web app security, I’m still a “managed assurance” guy for risk, and I think that fit in well with everyone else’s perspective.  That said, I hate listening to myself talk, so tell me what you think of how it came out – I haven’t listened to it yet!

Also, it’s “National Cyber Security Awareness” month. What does that mean? Are we making everyone aware that we’re all 0wnz0red?  I like the idea – and socializing security was one of the recommendations that came out of the Estonia Ddos mess – but I have concerns about how the good intentions here aregoing to pave a specific road to a specific place.  The concern has to do with security productization.

You see, I have a suspicion that we’re not going to educate people about the nature of security. Or really that we’re going to get across how “security” is really this thing that everyone does all the name and we should stop treating it like this extra set of things we need to do -in addition- to actual requirements.

Instead, I think it’s going to come out as (from DHS’s website):

• Make sure that you have anti-virus software and firewalls installed, properly configured, and up-to-date. New threats are discovered every day, and keeping your software updated is one of the easier ways to protect yourself from an attack. Set your computer to automatically update for you.
• Update your operating system and critical program software. Software updates offer the latest protection against malicious activities. Turn on automatic updating if that feature is available.
• Back up key files. If you have important files stored on your computer, copy them onto a removable disc and store it in a safe place.

This is all admirable stuff, but it’s dogmatic. Dogma in security leads to blind trust in marketing and products.  Blind trust in marketing and products will never lead to secure systems or computers.

Yes, it’ll get us baby steps forward, but then we’ll be left with ye olde “I did what you asked me, isn’t that enough?” faith-based security and we’ll be in a pickle when we realize that, architecturally, we have some serious work to do to get where we want to be and no one is interested in doing more.

I just wanted to make sure everyone remembers to register for this great conference in DC this year.  From their website:

Press Release August 20th 2009 — Speaker Agenda Released and Registration Open!

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

AppSec DC 2009 will be held at the Walter E. Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on November 10th through 13th 2009.

Who Should Attend AppSec DC 2009:

• Application Developers
• Application Testers and Quality Assurance
• Application Project Management and Staff
• Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
• Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
• Security Managers and Staff
• Executives, Managers, and Staff Responsible for IT Security Governance
• IT Professionals Interesting in Improving IT Security

Al McDougall from Evolutionary Security Management made the following point in response to my last post, and I thought it was useful to repeat it here:

“End result, the system view is lost because everybody works within their part of the behemoth but forgets about the mission.”

He’s right, of course. Furthermore: “Mission oriented” sounds “fuzzy” and people tend to blow it off, but it’s is not – it’s quite important.  In western culture, we seem to need to rush to go solve problems, without really ever trying to understand the nature of what we’re solving. This leads to all sorts of mayhem and things going wrong. We look back and can’t figure out why our solutions arent working or why they’re causing all these weird other problems.

What we need to do, instead, is spend our time groking the problems we’re wrestling with until we understand their deeper natures.  If we learn to ask sufficiently detailed questions, correct elegant answers will present themselves.  This, in many respects, is the essence of SABSA and Enterprise Architecture (although, especially in the case of the latter, an essence that is often missed).

In the case of cyber security, we absolutely blow past figuring out and AGREEING ON the nature of the problem and rush straight to the “solving” phase with perfectly predictable results.

My compatriots at TSA are asking me to, before I depart for INL,  transition my approach to the role of the SSA in the NIPP framework, but it really isn’t detailed or special. Fundamentally it is this: Figure out ahead of time what you’re asking and why. What is the mission being supported by cyber systems? What do you need to know to make sure those cyber systems continue to enable that mission? Start from the mission and work down. You’ll get there.

Hmm. Start somewhere and finish? That sounds like “Alice and Wonderland” – “start at the beginning and, when you get to the end, stop” – but it also sounds like a “process”. A “process” is what the NIPP lacks, yes? More to come…

Starting September 14th, I will no longer be contracting to TSA (via KCG, who have been wonderful). Instead, I will be working for Idaho National Labs (INL) onsite at DHS as a liaison between the smart people exploring the vulnerabilities of our nation’s critical infrastructure and the smart people at DHS CSSP doing the many things that they do.

Before I head out, though, I’d like to comment a little bit on an issue I’ve dealt with at TSA that I think also extrapolates to national cyber security efforts and is in no way unique to a single agency, or even the government. The issue is the label “cyber security”.  At TSA, as at DHS, as within the media, as within popular culture, there is confusion as to what “cyber security” means – even at a very high level. The term gets bandied about so loosely that it means everything and nothing. Still, people are making policy based on it without any definition.  The amorphous nature of the conversation is going to kick us in the pants sooner rather than later. Can we please nail it down more specifically when we discuss “cyber security”?

Below, find some areas of confusion that I’ve personally run into:

1. The internet, government networks, SCADA/ICS: This one is simple. When we talk about cyber security, we really need to preface our statements with which of these areas we’re discussing. They’re NOT THE SAME and the strategies, ownership, and etc to deal with them are NOT THE SAME either. Over and over again a lack of explicit distinction here burns us.

2. “IT Security” and Technology vs Strategy: Often, in my role, we were lumped in with what IT Security does: “Isn’t that the same thing, only with more computers?” was a popular sentiment.  There is the concept that these efforts are technical in nature and that they look a lot like FISMA shops: Assess, Remediate, Certify, etc.  against some standard or set of standards.  Nothing could be further from the truth.  “Cyber security” issues are of a strategic business and programmatic nature. We know how to fix computers, we don’t know how to define what security means to our businesses, how computers affect our operations, and we don’t know our risk appetites. In other words, “cyber security” in an executive (CEO, CFO, COO, CTO, CIO) issue, not one for technologists.

3. Computers vs Infrastructure vs Business Assets: We don’t care in most sectors if our computers work. Really, we don’t. What we care about is that our energy grid keeps pumping out power, our chemicals get mixed right, our cars are manufactured correctly, our financial transactions are accurate, our goods get delivered on time, etc.  These are the “assets” we are protecting. We are not protecting the internet, we are not protecting government computer systems. We are protecting the national operational interests of the United States.

4. Think globally, act locally: We’re so used to thinking about single companies and single systems within those companies that we forget that everything we do cooperates to larger goals. Our enterprise systems work together to achieve business goals which must be protected. Our business goals within critical infrastructure sectors, in aggregate, also work together to support national goals. For instance, the thousands of independent companies in “the transportation sectors” all combine to “move people and goods throughout the US and the world on time, to the correct destination, in acceptable condition”.   Many decision makers believe that it’s ok to ignore this larger context and focus on single system security or, at best, enterprise security. This is dangerous. Since these systems are interdependent whether we acknowledge it or not, they can be be used to exploit each other and damage our soft assets (goals) if we don’t regular take a look at and secure the larger picture.

For all of you who have asked for this, I’ve made my Artomatic Quartz Composer based webcam audio visualizer available as a free download.(Keep in mind, this is only for Mac OS X users – Quartz isn’t portable). 

 You can download it here: http://jackwhitsitt.com/Artomatic09-final-whitsitt.zip

(Im calling it “WAVIQ” for short…Webcam Audio Visualizer In Quartz”…since it needs some sort of a name and I dont feel that creative about it.)

A quick overview:

The composition has two inputs – the webcam and an audio source.  If you have a built in webcam, it will default to that. Likewise, if you have a built in mic (most laptops do), the composition will default to using  that as your audio source.  You can change these by going into the patch inspector for the Video and Audio patches and selecting “settings”. (In the case of the audi, double-click the macro patch “Audio Source” and then click on “Audio Input” to get there). 

The only other settings you’ll be interested in are the Increasing Scale and Decreasing Scale parameters found in the Audio Input patch. These affect how fast the values for movement, color, etc. get bigger and how fast they get smaller. This will affect how the composition responds to different music.  Also, keep in mind that in the audio settings of OS X itself, you can change the mic sensitivity. This will affect how the composition responds as well.

You can also find a basic tutorial to get you started on tweaking this in the links below.

Thats it. Drop me a line with any questions and have fun with it. If you do end up using it, I’d love to hear about it.

Thanks!

Jack

• Tutorial I wrote explaining the basics of how this works:
  • http://sintixerr.wordpress.com/2009/02/01/quartz-composer-webcam-audio-visualizer-art-tutorial-and-demo/
• Stop-Motion Video Example of how I’m using it at Artomatic:
  • http://vimeo.com/5045791
• Screen-shots of my Artomatic Art Installation:
  • http://jackwhitsitt.com/2009/05/the-kitchen-sink-at-artomaic-is-done-i-hope/

This is a repost of my recent comments on SCADASEC with regard to the most recent rush of frantic reports of cyber-espionage and the subsequent pitchfork-waving demands for legislation and/or further immediate regulation.

—-

Ok, so bad stuff is happening. Whether or not we agree on the extent, damage, or origins of attacks against our infrastructure, there’s no disagreement among people in the industry that there is a problem that must be dealt with.  So, now that we’re here, let’s all take a breath and look around and assess where we’re at.

First, these intrusions do not seem to represent a substantial change in our tactical situation; these types of intrusions have been occurring in one form or another for years. We may be -detecting- them more frequently before, but that’s it.  A nationally significant incident occurring by way of a cyber attack against our critical infrastructure by a serious actor is, by many accounts, just as likely to happen now as it was a few years ago.  This is interesting.  It has long been observed that “the internet can be taken down in 30 minutes and no one is sure why that hasn’t happened yet.”  I imagine that a similar thing can be said about our critical infrastructure.

While I am not suggesting that there is anything but a pressing, critical, national security level issue with the state of our cyber security and CIKR, I am suggesting that it is not so imminent that the value of taking our considered time in fixing the problem should be thrown out in favor of passing rushed, ill-advised legislation or regulation.

Let me elaborate:

The proposed cyber security / critical infrastructure regulation proposals I have seen would absolutely achieve a short term tactical gain in our level of security.

It would do so, though, by committing us to a permanent cyber security arms race at the cost of any hope of a long term strategic win. We would spend all of our money, effort, and cycles, repeatedly reacting to our adversaries’ change in tactics and would provide no method of ultimately getting ahead of them. Eventually, we would have 853 (heh) layers of defense, attackers would still be getting through them all, but we’d be out of any more money to throw at more layers.

This is both because of the nature of the problem as well as the proposed solution. What we have on our hands is a complete architectural failure of our cyber networks with regard to “security”.  It is not the lack of some subset of individual security controls. Mandating specific control sets at this point – or any existing in-place “security best practices” – would be akin to insisting that contractors keep building a house on top of a known bad foundation. Incremental improvements will never address that kind of a problem.

What we need (from our technology) but do not have are information-centric systems with end-to-end processing requirements designed into their bones.  We skip the hard work of identifying what information we need our systems to produce, what information they need to take in initially, what transformations must be made to the source information, and who can make those transformations in what contexts. We then fail to tightly couple our code, our designs, and our infrastructure to those requirements when we do have them.

We skip it because it seems hard and expensive and the perceived value of speed and the enticements of deferred costs seem to outweigh the risks to the organizations making these decisions.  The costs of adding layers and layers and layers of ineffective security afterwords, however, is rarely calculated and compared to just doing it right the first time.

Instead of doing the right thing up front, we end up with tack-on solution sets like NIST 800-53. I don’t know about you all, but I’m pretty sure that if you did everything 800-53 describes – but never did the legwork I just described – security would still fail and it would fail badly.  In fact, we see this time and time again in existing federal IT networks.  800-53, by itself, does not work for IT.  Why would we legislate it for control systems? I don’t mean to pick on NIST here – it’s one of the better control catalogues out there – but that still doesn’t mean it works.

Technically, we are actually -nowhere near- industry agreement on how to solve the cyber security problem (Did anyone listen to Bruce Potter’s opening Shmoocon remarks? He astutely compared our current cyber security efforts to building a Maginot Line “In-depth”).  If that’s true, then legislating something we know will never allow us to achieve a strategic win seems contrary to logic.  But, if we want to put our heads in the sand and go the “any incremental gain we can achieve now is worth it even if we’ll have to redesign it from scratch later” route, the idea of legislating security controls for our critical infrastructure is still fatally flawed.

Why? Because a lack of security controls in our national critical infrastructure is not the problem, it is a symptom. Not only is it a symptom, but it’s a symptom of exactly the same problems that led to Wall Street’s collapse and the atrocious mortgage mess. Let me say that again: “it’s a symptom of exactly the same problems that led to Wall Street’s collapse and the atrocious mortgage mess.”

Those with budget authority – in both private and public organizations – are collectively and consistently making poor operational risk management decisions.  They are opting for short term gains at the expense of long term strategic success.  From where I sit, I honestly cannot tell whether it’s intentional or simply a lack of visibility into what the actual risks are (which stems from poorly designed organizational architecture).  In either case, we have an issue of priorities by people making decisions – and that’s not a technical failure at all.

What happens if we mandate 800-53 or something similar? We create yet another technical compliance regime which, at best, only indirectly affects prioritization of cyber risk.  The priority for decisions makers becomes meeting the regulation, not securing their organizations. When this happens, the risk is pushed down to the dedicated people on this list who then have to do the best they can in an environment where their organizations limit their ability to ultimately succeed. When that happens, we also find that good money is repeatedly thrown after bad and security, instead of being a business enabler, becomes a bottomless pit.

We need to find a way, if we think legislation is needed, to directly legislate cyber security as a priority and accountability for failure. If user information is stolen, decision makers need to be held responsible. If control systems are compromised in ways that could result in public harm, decisions makers need to be held responsible.  If people suddenly became on the hook for -succeeding-, then one would hope the market and industry would be driven to finding ways to succeed.

It would be nice if education, not legislation, would suffice for this.  But what I’ve been hearing on this list and in professional forums seems to indicate that the time for that is almost behind us. So, if we’re going to end up with legislation or regulation, let’s do it slowly, so it goes smoothly, so it’ll work quickly.

(Needs Editing, but Im a bit stuck…so reviews and comments welcome.)

Years ago – in Mad Magazine – I saw an illustration of Alfred E. Newman sitting in a tire swing. At first glance everything seemed normal, but after a second if reflection I noticed that it was Alfred himself holding up the tire swing while sitting in it – a situation which obviously does not (heh) fly.

This is the image that came to mind when, after my last post on Data Visualization’s Lessons for Enterprise Security, I was asked questions like:

• What does Operational Risk Management have to do with IDS monitoring directly?
• What about better and more transparent auditing? Wouldn’t that help?
• I don’t see how SABSA really applies to MSSP’s or IDS monitoring

My short answer is that no matter how you make your security tire swing or what you do while you’re sitting in it, as a security practice you have to be bolted to something independent that holds it all up. That’s “The Business” in case it’s not clear.

I’d like to address the IDS example, in particular, because I think it is very illustrative of the connection between detailed technical and high level business realities.  Please keep in mind that this is only a snapshot of the direct implications to a very small section of a much larger, very holistic process.  There are many secondary dependencies and repercussions which I do not address here (like tactical technical responses, incorporating lessons learned, strategic business decision making, etc.)

So, first of all, at a process level, IDS monitoring is pretty simple:

Get data -> Evaluate nature of data -> Evaluate implications of activity represented by data ->Respond to and/or continue getting data

No matter what environment you’re in, if you’re looking at IDS data (or doing any other monitoring, really), you do these four things. If you look a little closer, though, you begin to see that they are (or should be) repeated iteratively. This is because there are really multiple levels – or layers – at which security data can be evaluated (which, incidentally, looks a lot like any other protocol stack). Let’s say, conceptually, that there are five of them:

1. Universal Technical Standards: This layer would consist of measuring activity against RFC’s, Protocol Standards, etc. Things that -should- work the same everywhere.
2. Environmental Configuration: Here, traffic is evaluated against local configurations that might change from network to network. This includes the configuration of OS’s, Web Servers, Infrastructure Devices, etc.
3. Data and Information Control: What happens to data riding on your network and IT obviously falls in the area of concern for IDS analysis.
4. Timing and Behavioral Thresholds: Are things happening more frequently than normal? Less frequently? Uptime? User logins? Memory Usage? etc.
5. Business Rules: Is the IT actually doing something that directly affects the business? Are manufacturing robots shutting down? Are internal company secrets being sent to competitors? Are you spamming the military?

So what is the intersection between these layers and enterprise business architecture or operational risk management? It looks, initially, like the only direct overlap is in layer 5, right? Not true.

First, each of these layers requires some level of the business context provided by business security architectures to even be effectively evaluated.

For example:

• To evaluate security data against potential technical standards, analysts need to know what technologies are in place and deployed and in what manner. Exceptions and outliers are especially important.
• From an environmental perspective, analysts would be well served by knowing the security policies that the configuarations and environment are supporting. E.g., what actions the configurations trying to prevent  or support (in terms of the other 5 layers)
• The need to know what data belongs to what data policies and what those policies say is also fundamental.  Data policies are tied to conceptual business architecture, which is tied to contextual business assets and requirements.
• System behavior is evaluated in part by knowing things like business schedules and processes. Is payroll being run every 4th Thursday? Are people going to be logging in from all over the world, or just certain locations? Should lab systems pull data from production systems?
• Knowing what business functions are important to keep running, to what thresholds, and how IT systems support those is crucial when trying to understand the big picture and put “events” in terms of “incidents”.  Additional, it should be kept in mind that things like “reputation” and “customer satisfaction” are also considered business assets to protect.  Organizations have a need to protect those as well.

Secondly, and maybe more importantly, if you actually look at the process flow (below) you find that the analysis process always rolls up to an evaluation at layer 5 (the business rules) of the analysis stack.

From a process flow perspective, there are absolutely no analysis scenarios that do not terminate before completing a layer 5 business analysis (At the bottom of image).

(Click Image for Full Size View)

How does this work?

Analysis begins at one of these five layers – which one is first doesn’t really matter (they are often, in fact, done in parallel). Data is received and is evaluated against the criteria at the layer in question. If there are no exceptions, the same raw data is evaluated against the next layer in the chain. If an exception is found at any one of these layers, the impacts of that exception are then evaluated at all layers. So, for instance, if an analyst notices that there are “funny packets” that aren’t normal TCP/IP traffic while evaluating against “Technical Standards”, he or she then looks to see what the potential technical, environmental, data, behavioral, and business implications are of that traffic. For each of those, the analyst follows the process as if he’d just received new raw data.

This continues to happen until the original data has been run up the entire stack and a final business impact has been determined. Sometimes the path there is short because the answers are known or obvious, or complete data is unavailable to make a determination, or the entire process is followed at a very detailed level. Regardless, the logical process holds true in all cases and there is either a potential business impact or there isn’t.

Read that again: There is either a potential business impact or there isn’t. Without context, IDS monitoring can never be a security function.

The value of IDS monitoring never gets realized if exception events are not tied to business operating requirements and risk appetite (which only business stakeholders can determine). If that linkage is not formally made or that appetite not assessed, IDS monitoring fails. None of the five analysis layers are inherently worth evaluating if a business context for them does not exist and most can’t even be evaluated at all without that context.

What provides this context? Business Security Architecture and Risk Management.

What’s interesting, though, is that these things don’t work when isolated to security, as the original blog post (and others) pointed out. If you limit the scope of your activities to “security”, you end up with the tire swing with no tree. You have to account for and model your entire business formally to achieve security, What this says is that business security architectures are, at a very real level, just business architectures. There is no material difference between the two.

But why would you need a full fledged business-wide process to get this information to you (or your analysts)? Because it’s really hard and expensive to do without the practice and culture in place enterprise-wide. You might brute force it and get your answers once without it, but trying to keep that information up to date would be completely futile.

In closing, I’d like to reiterate that I’ve only discussed business security architecture and operational risk management’s impacts technical security operations (looking up). Of at least as much importance is its role in aiding executive or management decision makers in correctly assessing and responding to risk. This is accomplished by providing a very clear line of sight from the trenches to business assets and risk appetite (looking down).

I have to preface this post with the fact that I know I’m speaking out of turn here. I don’t have first source info and my involvement tangential, at best.  Still, I’ve felt like saying this for awhile and the past couple of days have bubbled it up to the top again:

This whole “China has infowar capabilities and has been attacking the US goverment!” FUD should be toned down and the real situation assessed. This was forwarded to me this afternoon, for instance:

http://www.bloomberg.com/apps/news?pid=20601087&sid=aP7TPl_IQwFQ&refer=worldwide

Feb. 12 (Bloomberg) — Chinese government and freelance hackers are the primary culprits behind as many as several hundred daily attacks against U.S. government, electric-utility and financial computer networks, a senior congressman said…..Sophisticated hackers could really wreak havoc on our financial systems if they were successful,” House Homeland Security Committee Chairman Bennie Thompson said in an interview. The threat is “primarily from China.”

I don’t buy the Chinese nation-state attribution.

Interestingly and coincidentally, I was in Columbia MD last night with some people for Dojosec and had the opportunity to talk to Marcus Ranum and a few others about cyber war and China specifically afterwards and on the way home. It was an interesting series of discussions.

This is a bastardized amalgamation of my previous thoughts, group consensus, and points from Marcus’ presentation:

1. People who do this for a living probably wouldn’t attack directly from China. A simple example is North Korean hackers going to elementary schools in S. Korea (in person) to launch attacks. A state more evolved than Korea (like China) which isn’t as anti HUMINT as us would much rather embed people in our companies and operate from there. There are plenty of opportunities to do that that would effect much more serious damage. Why would you risk attribution and attack from your own IP’s when it’s so easy not to and you really don’t want anyone knowing you’re doing it? It just doesn’t make sense.

2. China will execute or do “bad things” to Chinese kids who vandalize or attack Chinese systems. They’d allow kids to attack US systems at will (if for no other reason than it’s fun to watch us scramble and hit ourselves on our heads). Do the kids get paid off? Possibly. Does that really mean anything in the big scheme of things? Not so much.

3. If -I- wanted to attack the US’ cyber assets for some reason and I -wasn’t- China, you know what? I’d compromise some Chinese systems and launch the attacks from there. To add to  the fact that there would be almost no technical way to attribute the attacks back to me, the current state of politics and international relations would almost guarantee that further possibilities wouldn’t be explored in detail once Chinese IP’s showed up.

4. Large scale misinformation and misdirection is really easy and really useful.  Intentionally evolving US defenses in directions beneficial to our adversaries by our adversaries is not trivial, but not out of the realm of possibility. It’s certainly possible to manipulate our politics.

All evidence I’ve seen is weak, in my opinion. A lot of holes are filled in by implicit assumptions ahead of time that China is responsible.

My opinion – subject to change based on actual empirical evidence – is that we’re in a lot of trouble if we can’t stop assuming things and attributing motivation, organization, and activity on a nation-state basis.

Again, I’m not saying the perception and reality aren’t correct, only that the information as presented so far is not remotely conclusive and the conclusions have been, in some respects, is improbable.

If you’ve read some of my recent posts here, you’ll have seen that Im back working on creating data visualization pieces as art.  In the process of making these,  I was reminded again of the relationship between art and security and its practical implications for enterprise security efforts that literally dictate success of failure. Bear with me as I walk through the art piece first and then arrive at the security observations :)

First, to work, art has to have a solid concept. You might accidentally create a piece that’s appealing on some level if you just throw paint at canvas, but you probably won’t repeat that success often and observers will understand this.

Taking that into the realm of data visualization, you can make all the pretty graphs you like, but unless you do some leg-work ahead of time and massage the data into shape, they’ll be of little use and only may accidentally be visually appealing in a way that let’s you intuitively grok it.   (I think this is philosophically similar to some of what Tufte teaches, but I don’t remember for sure.)

For example, if I wanted to (as I did) visually represent the stimulus bill in a meaningful way on screen at once, I could really just use a microscopic font…or turn the whole thing into a jpg and resize it to fit on screen. But what would that accomplish? It would just be mush.  We wouldn’t have identified or accounted for inherent structural properties that we needed to keep to preserve order. We also wouldn’t have separated the wheat from the chaff – useless information would hide useful information. And we wouldn’t have manually added linkages between data points that would help us draw meaningful conclusions visually to account for a loss of resolution in individual words.

What would work, instead, is to turn (as I did) the Stimulus Bill into columns of useful information. You could convert the free form english structure of the Bill into a tabular format and add meta data about the text that I wanted to see in the visuals.  You could add line numbers, position in sentences, group words by sections of the document and add word counts, etc. All this would show up visually and present a much more useful visualization that would also, because of the new more conscious conceptual structure, be more appealing to look at.

So what does this have to do with security? Everything.

Recently, much has been made of the new SANS CAG control list. Basically, this is a list of “best practice” security measures and controls that, if properly done, will make the most impact in securing organizations. Where’s the problem? The problem is that none of these are new (except WiFi). They’ve all been around longer than I’ve worked in the field (7ish years) and probably much longer than that. Everyone who works in security knows them.  Most CTO’s, CIO’s, and CISO’s will probably not be unfamiliar with them. But yet, they’re either not implemented or, more often, they just don’t work.

If these really are best practices (and they are), but yet they’re not working, where’s the disconnect? I think it’s lack of structure. Most organizations do not operate their businesses in a manner that can be secured. There are inherent structural flaws (as in, there isnt any) in the enterprises themselves that conflict with and outright prevent security from happening – just like in art and visualizations.  No matter how much effort or money you throw at the problem, cyber/IT/technical security controls will get you nowhere quickly (if anywhere ever) without a properly run and organized business. What failed cyber or IT security really is, ultimately, is a symptom of failed Operational Risk Management.

If you can’t track assests, if you haven’t identified your key data, if you don’t have clear and measurable business objectives for IT and cyber systems, if you don’t have a clear line of sight between the risk of technical failure to business impact, your security controls -will- fail.

Why? Because an organization run without these things will consistently make poor decisions based on incorrect, out of date, or conflicting information. In other words, you have to build break points into the business to be able to check, measure, and change the the organization at key junctures in order to make good risk-based decisions.  “Risk-Based decision making” get’s bantered about like “moving forward” and “synergies” – but it’s not an empty phrase and it has real, concrete impacts and prerequisites.

Let’s look at a best-case scenario where everyone wants to do the right thing, but there isn’t an enterprise or business architecture in place. Everyone goes through an evaluation of need and risk, pick the right controls, put them in place. Hunky dory, yeah? Well, what happens when a new line of business is added? Nothing to do with security, right? What if the new line is taking critical data that wasn’t exposed by the other systems and making it public inadvertently? Would you know that? If you need to patch critical systems quickly to prevent a flaw, would you know which ones kept your business running? Would you have documented in an easily accessible manner the fact that your manufacturing systems depended on a feature that the new patch – which works just fine on desktops – disables? Etc. Not to mention that your IDS’s depend on this info, your firewalls, your SEMs, everything.  There is relatively little happening on your network that is inherently bad outside of a business context. There are many more (and probably better) examples…but there are two take-home points:

1. Everyone with the authority to make changes to your business needs to be aware of the secondary dependencies of those decisions and how they intersect with security and inform others of changes they make
2. If you try and do this without managed processes and without maintaing and continuously updating the information about the business in an architecture, you’ll fail. It’s too hard, too expensive, and takes to long to keep doing it from scratch. It’ll never be accurate, timely, relevant, etc.

Business leadership at all levels and in many (most?) organizations simply are making bad decisions that affect security.  It’s not that we don’t know, as security professionals, the right things to do. It’s that we can’t express it in terms of business risk and the business leaders typically don’t seem to have the structure built in to affect positive change throughout the organization. Build some good, clean structure with visible break points at critical junctures in your business flow and then security will start to become cheaper, easier, and more effective.

Histogram of major words in the US Stimulus Bill. Big Grey blob in the second "mountain peak" from the left represents "Health" in the Bill. You can see it takes a disproportionate place in everything.

The Stimulus Mountains

Originally uploaded by sintixerr

This is a follow-up to a previous post and is philosophically related to this post.

On the subject of these “data visualizations as art”, I’ve been trying to better articulate why I think they’re art and how I’m trying to evolve my process.

What it comes down to is that there seems to be two pieces to developing the visualizations:

1. Choosing the right structure and things to measure about the text or data…what makes sense to compare to what. How do you reduce the noise and non-dependent variables? Each type of text you’re measuring and each circumstance has different relationships. There is a lot of science to this part, but it’s not completely predicatable. There is art.
2. How do you visually best enhance and needle out the important details, contrast between points, etc so that they can be “seen” in the noise that doesnt matter? This is all art. Understanding how color, shape, contrast, etc all work together and how to use all of those to present a dense amount of information without being overwhelming is tricky and depends on the skill of the one creating it…

It’s my belief that playing to what we understand as people’s abilities to process and comprehend aesthetics in art involves exactly the same techniques and takes advantage of the same aspects of peoples brains/senses as good visual data analysis. So, if you’re doing data analysis, you start out figuring out #1, and then move to #2 based on #1.

What I was trying to do with these stimulus images – and the last of my security visualizations – was start out with concepts of what I’d like for #2 (how they would “feel”) and then figure out what I needed to do in #1 (massage the data) to get there…while still remaining true to the underlying information.

Next up (and once I learn more Objective C), I’m going to try and read in the stimulus bill to Quartz Composer and combine my recent interactive/music visualizations with the Bill. We’ll see if that goes anywhere interesting. :)

Also, Artomatic returns to DC this year. I very well may be displaying this stuff there when it comes around. This or the music/webcam visualizations.

Today, after the 8 hour “Industrial Control Systems Security for IT Professionals class”, I wanted to make something pretty. And code. And work on a protocol problem.  I’ve needed to look a little at the new Stimulus bill for work lately, so I thought I’d try and at least say I’d written  Python today, dissect the text of the bill into parsable chunks, then throw it into some visualizations.  I can’t easily capture the interesting avenues of analysis I was pursuing visually (and I dont feel like writing it up), but I did manage to make some kind of pretty pictures. Hopefully someone feels inspired from them and goes down a similar path. (I already have some ideas at further stats I want to parse from the bill to be able to look at it more meaningfully. Perhaps Ill do it this weekend – this was just the first cut at setting it up.)

First, I grabbed the full text of the bill from HERE. Then, I wrote some (stupidly) simple python (again, I’m never sure if it’s -good- python) to parse the bill and turn it into a new file with five columns: Word Number, Word Length, Line Number, Work Position in Line, and the actual Word itself. This essentially turned the bill into a a text file with every word in the bill on its own line (in the order it showed up), but with  machine readable meta-data I could use to visually represent it.

stimulus = open(‘/Users/sintixerr/Documents/stimulus.txt’, ‘r’)
finalfile = open(‘/Users/sintixerr/Documents/sdump.txt’, ‘w’)
linenum=0
wordnum=0
lineposition=0
gstruct=[]
for line in stimulus:

lineposition=0
linenum+=1
word=line.split(‘ ‘)
word=word[:len(word)-1]
for w in word:

lineposition+=1
wordnum+=1
gstruct=str(wordnum)+’\t’+str(linenum)+’\t’+str(lineposition)+’\t’+w.upper()+’\t’+str(len(w))+’\n’
finalfile.write(gstruct)

stimulus.close()
finalfile.close()

Then, I opened up the new tab delimited bill in my visualizer of choice and ran it through a few different ways of representing the bill.

First, the raw text – without any real manipulation – looked cool in and of itself and I noticed some interesting, if obvious in hindsight, features. (I did clean out some obviously bad data first with a little  sed action, but that mostly just involved removing punctuation that caused the same words to show up as different ones. )

Stimulus Bill Visualized in its Entirety. In this image, the Y axis represents every word (ASCII characters with spaces or carriage returns on either side) in the bill and the X axis represents the Line Numbers those words appeared on.

First, if you look about a fourth of the way from the left, and then again closer to halfway, you see a vertical “break” in the scatterplot where it looks like the density is much lower.  That is probably a major section break in the original document (I honestly haven’t actually read it in english yet).  That possibility is supported by the second observation which is: Even in human written documents, you can still discern protocol visually. (Again, obvious, but it’s neat.).  If you look at the bottom third of the image, it looks nothing like the top 2/3.  Much more curving paths, fewer horizontal lines, less density, etc.  If you look at those “words”, they’re all document structure words (like section numbers, headings, etc.). …and monetary figures.  If you look closely, there appear at first glance to be two or more incompatible or unrelated document content structures there.  Above that section is where the more obvious “free form” english exists in the set.

Moving on from there, I wanted to see if I could get anything intellectually or aesthetically interesting by using a scatterplot to draw out the shape of the bill.  To do that, I plotted “Line Number” on the X axis and “Position of Word in the Line” on the Y axis.  (Actually, originally those two were swapped, but the resulting image “looked better” when I swapped the X and Y).   I colored everything by Word on a categorical scale so things wouldn’t blend together too much and then ratcheted up the size scale to reduce empty space. I was looking for a visual representation of the literal structure of the document, not an analysis tool or I wouldn’t have done that last bit.

The resulting image looks like this:

Shape of the Stimulus Bill on its side. If you were to compress the actual text of the whole bill into one page and rotate it 90 degrees counter-clockwise, it would probably have the same shape as this, only with text.

Finally, I was curious if I could do a little manual clustering work. I tried to narrow down the words into the data set to those that might have some intrinsic meaning in the context of the stimulus bill. This means I got rid of prepositions, repeated filler words, etc.  I did this by knocking out every word under 4 letters and all of those over 17 chars (over 17 were all artifacts of turning the bill into something parsable, not actual real words).  Then I created a bar chart of words and sorted it by how often words appeared in the document and removed about the bottom 70% of words. I made an assumption (which is almost definitely so broad that the data will have to be sliced again a different way for meaningful analysis) that any words that weren’t repeated that often just werent a real “theme” to the people writing the document. Interestingly, things like “security” and “health” and some others were left in the set, but “cyber” was removed. Hmm. :)  After that, I went manually through the remaining set of words and removed those that seemed to not have any cluster value (both through intuition as well as by visually watching the scatterplot of the whole set while I highlighted individual words t see what lit up.) Finally, and lastly, since I originally wanted to make visually interesting things more than do real analysis, I used some blurring, resharpening, and layering to give a more cloudy, vibrant feeling to it.  Interestingly, that created “clouds” around many of the clusters and made them easier to make out for analysis.  That supports my whole theory that what the eyes and mind like to look at is what the mind and eyes are better able to make intelligent use of.

The final result is here:

Words of substance that might be indicative of topics or subjects within the bill. X axis, like the first picture, is line number and Y axis is Word.

Posted in 2009, art, artist, barack obama, cyberspace, digital, new media, Process, programming, Projects, python, Technique Tagged: administration, American Recovery and Reinvestment Act of 2009, analysis, artistic, data analysis, democrats, dissection, graph, obama, stimulus, stimulus bill, stimulus package, visual, visualization ]]> http://sintixerr.wordpress.com/2009/02/27/stimulus-bill-visualization-a-precursor-to-analysis-as-art/feed/ 3 Jack Whitsitt Stimulus Bill Visualization stimulusbill1 Stimulus Bill Subject Groupings http://sintixerr.wordpress.com/2009/02/20/cart-before-the-horse-re-another-set-of-suggestions-to-re-architect-the-whole-internet-or-vast-parts-of-it-for-better-security/ http://sintixerr.wordpress.com/2009/02/20/cart-before-the-horse-re-another-set-of-suggestions-to-re-architect-the-whole-internet-or-vast-parts-of-it-for-better-security/#comments Fri, 20 Feb 2009 16:40:18 +0000 Jack Whitsitt http://sintixerr.wordpress.com/?p=373 ]]>

Yesterday, I threw down my soap box into another discussion of ways to rearchitect the internet – specifically the pieces supporting critical infrastructure.  It was, as usual, about technical solutions to large scale, enterprise security problems.  It was a bit of a stretch for me to bring this up in that particular thread, but I think it’s important to beat the drums on this subject wherever possible:

The “security” problems we’re having nationally and globally aren’t technical.  They’re not even security problems, really; they’re failures of management. In fact, they’re very similar failures to those leading up to and causing the current economic mess.  Any technical discussion is really putting the cart before the horse.

For example,  I was recently on a con-call recently where a bunch of people at a large enterprise were trying to track down (to keep it generic) “Secure Devices” they’d purchased. Absolutely no one knew where they all were, who owned them, how many there were, whether they worked or not, how they were configured, etc. Some groups knew theirs, others didn’t. In some cases, there was duplication of effort. In others, worse still, there was conflict of effort. How can this environment possibly result in “security”?

This kind of management mess is the primary contributor to the failure of cyber security – CIKR or otherwise, not technical problems.

Why do I believe this? I started out doing network security analysis. I was really good at it, but couldn’t do it nearly well enough because the tools seemed to suck.  So, I started designing better tools to do things in ways that had never been done before. But then I found that even with better tools, I still couldn’t provide a good basis for analysis because I didn’t know anything about the organization I was “securing”. Once I figured that out I went to try and get the business leaders to provide that information to their security team and I found that the information had never been collected and no one seemed to see the value in doing so.  That’s how I ended up (in short) with the perspective I have today.  It’s based in a sequence of layered steps that I know are solid – I only wish I could do a better job of communicating the dependencies here.

The conceptual failure seems to be the belief that technical risk remediation is a sane strategic end-goal.  It’s not. There will always be technical vulnerabilities and failures of design – that’s a given. You can fix these individually, but that’s a tactic not a strategy.  There is no end game or any way to get ahead of the curve.

Instead, we lack and should pursue national business, social, and government consensus on solid plans to:

• Assess current environments and keep those assessments up to date,
• Do interdependency analysis,
• Plot those against business risk (individual organizations, nationally, etc.)
• Measure performance and success in terms of business needs supported

Not to mention consensus on “communication” (which is probably even more important) like: who should be at the table for these things, how communication happens and with who, etc. You get the idea.

These are all deficits that are completely independent of the technical architecture of our infrastructure.  Filling them would get us a long way down the road to solving our security problems in our current environments

We have a habit, in the cyber world, of consistently making changes without sober scientific evaluations of cause+effect and it bites back every time.  And, until we start getting better at the above named activities, we can’t do that evaluation in any way that will guarantee successful solutions. (I recognize that there are many, many good initiatives going on in these areas…but so far, they still seem disjointed and lacking enough universal consensus to solve the problem.)

Maybe some of these technical suggestions for rearchitecting the internet will work. Who knows? We don’t even have consensus on where, why, or how our current technology fails or where it succeeds.  How can we claim to know what will fix it? Technical solutions to security problems without business context will only ever, at best, be hail mary’s and misguided hope.

Now to get a little more ranty (smile):

I really fear what is happening…which is calls for large scale, quick change without even the most fundamental management practices in place.  (eg, business architecture).

What is going to happen is we’re going to invest a lot of time, money, and effort in investing in technical re-engineering and we’re STILL going to get trampled on by malicious actors…except we’ll be billions of dollars more in the hole. I think that merits being called out as often as possible.  What do you think?

The government and large enterprises get compromised constantly and -at will-.  The whole mess from top to bottom, public and private, is absolutely fubar’d. This is public knowledge – it ends up in CNN regularly. Yet,  our management processes are SO bad, that even ending up on mainstream news does not force real change. Failing FISMA does not force real change.  There is NO visibility from cyber technology to management to business leaders to business risk. There are exceptions, but this is the rule. So you dont have the visibility to make the needed changes.  Not only that, but without the data gathered by these management processes, security controls cannot ever be effectively placed, configured, or run.  We will lose, no matter what technology we put in place without these management practices. There is no question.

Technical solutions may work,  but that’s like putting a finger in the dam. Unless there is a framework to consistently identify and correlate environment, requirements, risk, technology, operational processes, controls will eventually fail because the enterprise (national, private, whatever) cannot respond to evolving threats. Spend the money up front to put in strong security practices, though, and the rest will follow.

Even then, we can’t possibly identify all the inter-dependencies and requirements needed to make large changes move without going through exactly the kind of process and management methodology I’m referring to anyway.  Just to put the cart before the horse requires the horse be in the front. (Does that even make sense? heh.)

This is an excerpt from an email I sent to a number of colleagues as we hash out what our various and competing mandates to “secure cyberspace” (in our own domains) actually involve and what we have to do about them.  My position is that, first and foremost, we need a business security architecture to answer those questions, and that’s where this following conversation is leading.  Various recent discussions I’ve been a part of outside of the job – just in the industry – also were on my mind when I wrote this.  There seems to be this belief that “cyber security” is somehow a technical problem, and I couldnt disagree more. (Note: Im speaking generally below and am leaving out detail for the sake of brevity – I dont have time to write a dissertation. :) Note2: The fact that I dont discuss our complete and utter failure to universally define “identity” doesn’t mean I dont believe it significantly impacts our ability to secure “stuff”.)

—

Security really comes down to the identity of systems and people: Who needs to interact with who, what transactions they can perform between them (and in what direction), how long those transactions may last, how often they may occur, which side of the transaction “owns” the security of the transaction.  Everything you do to secure your domain of control flows from this information.  It allows us to (literally):  place and configure the technical and process security controls which you have described as being a sector need.

If you wanted to describe a “secure” cyber system without this information, your answer necessarily would have to be: “the computer will be in an electromagnetic shielded room with hardware memory that cant be written to, no disk drives, no connection  outside the room, and anyone who uses it must be x-rayed and without clothing to hide plastic or wooden tools.”  That’s obviously silly, but we just said secure – we didnt define exceptions to “secure”.  So how is the middle ground defined?  What does “secure” mean to you? I’d suggest that it means that whatever controls are in place enable you to continue to operate in a way that supports your mission.  In other words, since security is first defined as: “The system should not do anything more or less than I want it to”, you must define what you want it to do. Then, you go through a prioritization effort of what you want it to do so that your budget can support it.

One of the reasons that developing this business context of “what should my systems do” is important to the budget piece is because that information allows us to begin to create attack trees. Attrack trees help us understand the weak points in the system are *that we care about* (not just every and all possible attack). Few of those weak points are immediately apparent or obvious after an informal inspection, so a process is needed.   From attack trees and control placement, we can then prioritize our efforts based on a combination of technical vulnerability, business risk, and available money and work out a budget.  Otherwise you’re just making up numbers and -hoping- your investment pays off.

And, as far as using universal standards in this area, your requirements MAY look like someone else’s, but the exceptions to that become maliciously exploitable, so you still need to validate and manage your environment and business requirements.

Without this information defined, your security controls will have significant gaps in placement, they will be not be effectively auditable for malicious activity, their configurations will not accurately reflect the real security needs of the system, and you will most likely run out of a security budget before you’ve mitigated a significant amount of risk. On the macro level, these really are the areas which hackers and malicious actors exploit with consistently rich returns.

Technical vulnerabilities will always exist, and we do need to maintain awareness of them and processes to try and keep up with them, but these are largely well understood and we still fail (and we fail dramatically) to actually prevent intrusions, data exfilitration, denial of service, etc. – even when we have controls in place.  It’s not for lack of technology, really. We have controls out the wazoo – firewalls, antivirus, IDS, etc.  We’re just not using them rationally.

This business context (or at least the education and tools to develop it) – if you were to look at every company and stakeholder in the sector as being part of the same business (the business of ____) –  is what I hope we in the working can begin to help provide. I really believe what might seem like fuzzy talk without a lot of action will ultimately result in a concrete way forward to reduce or mitigate the risk we all face.

Repost from the SCADASEC thread I initiated about supply-chain security risks stemming from long-range RFID reading/closing/editing. I didnt do a good job starting off the thread,  but I think there’s much more to this subject than this dicussion captured. More to come in the future (although it might be awhile).

Jack Whitsitt to scadasec

show details Feb 9 (2 days ago)

Reply

So, who all saw Chris Paget’s RFID/EPC Gen 2 talk at Shmoocon this past weekend?

Has anyone wondered how it might relate to cargo (freight rail, shipping, etc) inventory interference? Or how it might relate to the “chemical mistake” Jake posted earlier?

For those who aren’t aware of it, you can find the slides here: http://www.rfidhackers.com/viewtopic.php?f=5&t=6

Basically, his talk focused on the ability to read, clone, and write arbitrary data to Electronic Drivers Licenses (which use these RFID tags) from 200+ feet away (with a theoretical max distance of about a mile away).

My concern, though, being involved in cyber-CIP-stuff, is less the EDL stuff than the fact that this is the defacto technology in tracking and moving goods into and around the US – chemicals, drugs, parts, etc. Not only in the private sector, but by the USAF and the DoD as well.

If I understand correctly, the type of issue that occurred with the chemical mistake Jake forwarded could be initiated en mass at ports or other points where these goods are aggregated….by someone anonymously from almost a mile away….in minutes. While this isn’t -literally- SCADA, the behavior is SCADA-like and potential supply chain issues certainly affect, from a CIP standpoint, SCADA.

So, questions: If the tags are rewritten but still “valid” and goods get shipped around the US incorrectly, it seems like it would take a long time to recover and at great cost. Is this probably accurate?

Is this a real concern? Are there mitigating technical controls (inadvertent or intentional)?

What kind of manual backup procedures are in place to handle a total onsite RFID data integrity failure at these locations? How long would it take to realize there is a problem and rectify it?

What is the data on these RFID tags and if they were to get altered, what systems are actually impacted?

Etc.

Thoughts appreciated.

Thx
Jack Whitsitt/SintixErr

—–

ab3a@comcast.net to scadasec

show details Feb 10 (2 days ago)

Reply

To answer Jack’s concerns, BY LAW, we are required to maintain certain signage on paper for the side of the drum.  So any attack of an RFID device would have to happen at the plant where the chemical was made.

In the case I cited, the chemical was clearly marked, but everyone assumed it was whatever was ordered, and they just hooked it up.

The water plant superintendent took responsibility along with the chemical company.

Screwing with RFID on a barrel of whatever could lead to situations like this.  However, I don’t see how this would always lead to an accident, unless one were also willing to forge several documents (not impossible, but tedious).

Jake Brodsky

—-

Jack Whitsitt to scadasec

show details Feb 10 (2 days ago)

Ok, so the secondary effect of end-users (the plant) actually making that mistake again are low/unlikely.

What about the possibility (and subsequent effects) of rewriting the tags simply to cause rerouting of the cargo to the wrong destination? As in, enough of it from a given port that no one has confidence in where any of the goods ended up? How does that affect our just in time inventory systems?

(At an extreme scenario, if someone was able to brick critical SCADA components via cyber attack, could they at the same time prevent replacement part routing in this manner?)

—

Brodsky, Jake to scadasec

show details Feb 10 (1 day ago)

Reply

from Brodsky, Jake <jBrodsk@wsscwater.com> reply-to scadasec@news.infracritical.com to scadasec@news.infracritical.com date Tue, Feb 10, 2009 at 2:46 PM subject Re: [SCADASEC] Chemical Mix-up, EPC Gen 2, Supply Chains, Distance Attacks, Chris Paget mailing list <scadasec.news.infracritical.com> Filter messages from this mailing list mailed-by news.infracritical.com

hide details Feb 10 (1 day ago)

Reply

Actually, the way they discovered this problem was because the lab
results from periodic water testing showed fluoride levels were
dropping.  I suppose one could attack both the lab and the plant control
system, though.  The thing is, you’d need to know quite a bit about how
they do their samples, and where they test.

For example, we have a consolidated lab off-site from the plant.  The
plant does some periodic testing of their own when they need the results
right away, but the lab does the more detailed and expensive testing…

Jake Brodsky

—

Jack Whitsitt to scadasec

show details Feb 10 (1 day ago)

Reply

I guess I was trying to abstract it up a level from the plant and wondered what the system and economic impacts were nationally if we couldn’t get goods from cargo ships arriving to critical SCADA infrastructure requiring those goods. This would include manufacturing, energy, chemical, water, etc.

Said another way, could RFID alteration at cargo/freight hubs cause a supply-chain hiccup(s) of national consequence (whether through direct physical problems or economic consequence).

The reason Im harping on this a little is because, if the above statement resolves to “Yes”, then the known bar to doing so is a lot lower now than it was last week.

—

Brodsky, Jake to scadasec

show details 7:22 AM (16 hours ago)

Reply

And that’s a good question.  I can’t say I know what the supply-chain
looks like inside a chemical plant.  However, I can pretty much assure
you that between the chemical plant and the water filtration plant,
there usually isn’t a warehouse.

At the scale where we operate, we deal with tanker trucks and
tractor-trailer loads of product, and it usually comes straight from the
chemical producer.  Aside of obvious business efficiencies, it reduces
the liability for someone to warehouse this stuff.

Jake Brodsky

—

(Second Update: As of 9/14/2009, I’m working for Idaho National Laboratory (INL) liaisoning to DHS in DC supporting their ICS-CERT effort. This is reflected in the online resume, but not yet the pdf.)

Just a pinging post since I’ve just (finally) updated my resume on this site and elsewhere to reflect what Im currently doing at TSA.  Apparently, IDS analysts in this area are in hot demand, but that’s not really what I do any more.  Unfortunately, what I -do- do isn’t as easy to tokenize/categorize as something like that. I do love it, though :) I like…making stuff work better than it did before and do new things.  People, in particular.

Here’s a link to the PDF:

http://jackwhitsitt.com/whitsittresume02092009b.pdf

And online:

http://sintixerr.wordpress.com/jack-whitsitts-technical-and-security-resume/

Update: You can now download a Webcam Audio Visualizer based on the one references in this tutorial by clicking HERE

INTRO

So I’ve been making some new art lately that  I think pretty is cool. Back at Artomatic last year, I wrote code that generated a mosaic of one image out of another and make a 6′x6′ photo and wondered if the code was art, since the only thing it did was generate that one mosaic?

At that point, though, it was still static and the question was (to me) relatively easy to answer.

This time, I wanted something more dynamic and interactive. I wanted to further explore the question of whether  or not something that changes every time you see it and which depends on its environment is still “art”.  What I ended up doing is using Apple’s Quartz Composer – a visual media programming language – to create an  “audio visualizer” (sort of like you see in iTunes, Winamp, etc.).  What’s different about this piece, though is that combines live webcam input with live audio input into a pulsating, moving interpretation of the world around the piece.

In some ways, the work can be considered just a “tool”. But, on the other hand – and more importantly, I think – the fact that the ranges of color, proportion, size, placement, and dimension have all been pre-designed by the artist to work cohesively no matter what the environmental input moves it into the realm of “art”.

In this post, I hope use the piece in a way that will give you an example of what it would look like as part of a real live installation and to help explain the ins and outs of my process.

THE BASICS

An easy example of where this would do really well is at a music concert. The artist would point the camera at the band or the audience, and, as it plays, the piece would morph and transform the camera input in time to the music and a projector would display the resulting visuals onto a screen next to the band (or even onto the band itself).  This is just one suggestion, though.  Interesting static displays could also be recorded based on live input to be replayed later. It’s this latter idea that you’ll see represented below (though you might notice my macbook chugging a little bit on the visuals…slightly offbeat. Thats a slow hardware issue :) ):

In that clip, I pointed the webcam at myself and a variety of props (masks, dolls, cats, the laptop, etc) as music plays from the laptop speakers. There was a projector connected to the laptop displaying the resulting transformations onto a screen in real time. A video camera was set up to record the projection as it happened.  My setup isn’t much, but it can be confusing, so take a look below. My laptop with the piece on it, webcam connected to the laptop, projector projecting the piece as it happens, and video camera recording the projection:

TUTORIAL/EXPLANATION

As I said earlier, I used Quartz Composer – a free programming language from Apple upon which a lot of Mac OSX depends. Some non-technical artists might be a little bit leery of the term “programming language”, but Quartz is almost designed for artists. It’s drag and drop. Imagine if you could arrange lego’s to make your computer do stuff. Red lego’s did one type of thing, blue did another, green did a third. That’s basically Quartz. There are preset “patches” that do various things: Get input, transform media, output media somehow, etc. You pick your block and it appears on screen. If you want to put webcam input on a sphere, you would: Put a sphere block on the screen, put a video block on the screen, and drag a line from the video to the sphere. It’s as easy as that.  First, I’d suggest you take a look at this short introduction by Apple here:

http://developer.apple.com/graphicsimaging/quartz/quartzcomposer.html

Then take a look at the following clip and I’ll walk you through how it works at a hight level:

The code for this is fairly straightforward:

In the box labeled “1″ on the left, I’ve inserted a “patch” that collects data from a webcam and makes it available to the rest of the “Composition” (as Quartz Programs are called).  On the right side of that patch, you can see a circle labeled “Image”. That means that the patch will send whatever video it gets from the webcam to any other patch that can receive images. (Circles on the right side indicate things that the patch can SEND to others. Circles on the left indicate information that the patch can RECEIVE from others.)

The patch labeled “3″, next to the video patch, is designed to resize any images it receives. I have a slow macbook, but my webcam is high definition so I need to make the resolution of the webcam lower (the pictures smaller) so my laptop can better handle it. It receives the video input from the video patch, resizes it, and then makes the newly resized video available to any patch that needs it.  (You can set the resize values through other patches by connecting them to the “Resize Pixels Wide” and “Resize Pixels High” circles, but in this case they are static – 640×480. To set static values, just double-click the circle you want to set and type in the value you want it to have.)

In the patch labeled “4″, we do something similar, but this time I have it change the contrast of the video feed. I didn’t really need to, but I wanted to see how it looked. The Color Control patch then makes the newly contrasted image available to any other patch that needs it.

On the far right, the webcam output is finally displayed via patch “8″. Here I used a patch that draws a sphere on the screen and textured the sphere (covered the sphere with an image) with the webcam feed after it has been resized and contrast added.

So now we have a sphere with the webcam video on it, but it’s not doing anything “in time” with the music being played.

What I decided to do was to change the diameter of the sphere based on the music as well as the color tint of the sphere.

If you look at patch “2″ on the left, you’ll notice 14 circles on the right side of it. These represent different (frequency) bands of the music coming in from the microphone. This would be the same type of thing if you were to be using an equalizer on your stereo (It’s actually split into 16 bands in Quartz, I just only use 14).  Each of those circles has a constantly changing value (from 0.0000 – 1.0000) based on the microphone input. Music with lots of bass, for example, would have a lot of high numbers in the first few bands and low numbers in the last few bands).  We use these bands to change the sphere diameter and color.

I chose to use a midrange frequency band to control the size of the sphere because that’s constantly changing, no matter whether the music is bass heavy or tinny.  You can see a line going from the 6th circle down in patch “2″ drawn to the “Initial Value” circle of patch “5″.  Patch “5″ is a math patch to perform simple arithmetic operations on values it gets and output the results. All I’m going here is making sure my sphere doesn’t get smaller than a certain size.  Since the audio splitter is sending me values from 0.000 – 1.000, I could conceivably have a diameter of 0. So, I use the math patch to add enough to that value that my sphere will always take up about a 25th of the screen, at its smallest.  Patch “5″ then sends that value to the diameter input of the sphere patch (#8) we discussed earlier.

It’s these kinds of small decisions that, when compounded on one another, add up to visualizations with specific aesthetic feelings and contribute to the ultimate success or failure of the piece.

Another aspect of controlling the feel of your piece is color.  In patch 6, you see three values from the audio splitter go in, but only one come out.  The three values I used as the initial seeds for “Red”, “Green”, and “Blue” values.  Patch “6″ takes those values and converts them into an RGB color value.  However, notice that patch “6″ has three “Color” circles on the right, but only one gets used? That’s because I designed that patch to take in one set of Red, Green, and Blue values based on the music, but mix those values into three -different- colors. So as the music changes, those three colors all change in sync and at the same time and by roughly the same amount, but they’re still different colors. That lets me ad

d variety to the piece and allows me, as the artist, to kind of create a dynamic “palette” to chose from that will always be different, but still keep constant color relationships. This contributes to a cohesive and consistent feel to the piece.  A detailed explanation of how I do that is out of the scope of this post, but you can see the code below and take some guesses if you like:

And that’s pretty much that. We have a sphere that displays webcam input and which changes size and color according to the music playing nearby. But that’s really not all that interesting is it? What if we added a few more spheres? What if we used all three of the colors from patch “6″? What if those spheres all moved in time to DIFFERENT bands of the music?

The code might look something like this:

And the resulting output looks something like this:

Yeah I know the visuals are sortof silly and the song cheesy, but the music’s beat is easy to see and there just isnt that much in my apartment to put on webcam that I havent already.

Also, take a look at 55 seconds through about 1:05. The visualization goes a bit crazy. See the white box on top? You cant see in the video but that box lets me enter input parameters on the fly to affect how the visualization responds. This is the VJ aspect.  For these visualizations, Ive only enabled 2: How fast/big the visual components get and how fast/slow they get small.  In that 10 second segment, Im jacking them up a lot.

What about the original video? What does that code look like? See below.  It’s a litle bit more complicated, but essentially the same thing.  Instead of 16 spheres, I use a rotating 3D cube and a particle fountain (squares spurt out of a specific location like out of a fountain).  In addition to just color and size, the music playing nearby also affects location, rotation, minimum size, speed of the particles, and a number of other visual elements:

At some point (as soon as I figure out the Cocoa), Ill upload the visualizer here as a Mac OSX application for download.

SUMMARY

So, what do you think? Is this art? If not, what is it? Just something that looks cool? In my mind, artistic vision and aesthetics are a huge component of making “multimedia” “new technology” art, no matter how big a component the technology is.  Without some sort of understanding of what you are visually trying to communicate, it’s only by chance that you’ll end up with something that looks good.  But, even beyond that, I found that I had to think pretty far ahead and understand my medium in order to create something that would look consistent AND visually pleasing no matter what environment it was in and no matter what it was reacting to. It was like writing the rules to create an infinite number of abstract paintings that would always look like they were yours.

Also, figuring out what to put in the webcam view when and at what distance is an important part. When Im paying attention (as in the first video), it adds a whole new dimension. When I dont care and point it at anything (as in the demo videos), the whole thing becomes a bit more throwaway.

Here’s basically how our day went down (hopefully Ill edit this later more, it’s a mess…i was REALLY exhausted when I wrote it):

Left the apartment an hour late, but managed to find a cab which took us fairly close to the mall (17th and E or so), so we didnt have to walk and got there on time.  It wasnt as cold as I thought it was going to be, so I left a  layer of clothes at home, which I later regretted.  We got in the 17th and Consistution line, which was the closest but ultimately not the best. The were more people than I’d hoped there would be, but less than I expected. We’ll need to come much earlier inauguration day.  Unfortunately, two things were wrong with the entry we chose, although we couldnt have known this ahead of time.  First, the are on the constitution side of the reflecting pool got -nowhere- near as close to the lincoln memorial as independence ave side did (although realistically, because of things in the way, those guys probably still didnt have a -great- view). So, even if we had been first in, we were still a football field away.  The second issue was that further lines got in just enough earlier that a ton of people went past before we could get in.

So, the early morning plan of attack ended up being a miss. We were packed in about 30-50 people deep trying to get that extra foot closer, but behind us it didnt seem to start to fill up for ages.

Paivi and I decided we’d rather not wait from 9am-2pm for a crappy view, so we wandered out to have coffee on 17th at that Caribou.

On the way out, though, we DID get to see Snipers setting up:

This proved fortuitous, because we ended up seeing Mr Obama twice within 25 yards of us (one of those times he waved at us).  It was on the way back from coffee/lunch near the old executive building. He drove past in that awesome caddy he has and we could see him inside looking at us, smiling, and waving.

Barack Obama's Caravan before the We Are One concert

The second time was when he left an hour or so later for the concert. I thought I saw his figure outlined in one of the windows, but he was definittely in one of the cars. I have a video of  Obama driving by here:

While we were waiting for him to come out a second time, a youngish asian lady had a megaphone and kept chanting that she knew how to make world peace happen if only obama would show us his birth certificate. Every time someone would bitch at her to STFU, she’s megaphone that she was being harassed to the police. As if. Im sure at that point in the day, they wouldve been more than happy to do a little harassing themselves.

We wandered back to the concert after that and ran into Doug and Nofcna (Nguyet) near the “Homo-Sex is a National Security Issue” fuckers.  We tried to get back in to the main area, but at this point the checkpoints seemed to be closing.  We opted to go check out the concert from the Jumbo-tron nearest to Independence Ave by the WWII memorial.  At first, the sound was really bad. Doug and Nguyet eventually took off, discouraged that they could neither see nor hear. Fairly soon, though, the sound started to come through louder and we really enjoyed the show, even from so far back.

Some notes about the show:

a) Im pretty sure I could actually hear Biden’s actual voice echoing back to us. That guy was loud!
b) Im not a country music fan, but Garth Brooks is wildly successful for a reason
c) The “young adults” – all 10 of them – climbing on the tree nearby were about to tip it over. Their parents did a really crappy job raising them.
d) My wife is in love with Bono
e) Watching snipers scramble up onto towers is scary and unnerving, as are police in face-covering black masks with sunglesses
f) The rudest people are 50 year old successful white men
g) Tom Hanks presentation wouldve gone MUCH better if he’s been playing Forrest Gump up there
h) The Boss seemed to be trying to hard
i) Crowds singing along to songs rock
j) Barrack seems to have given the same speech in Baltimore?
k) Tiger Woods is not a good public speaker
l) Shakira, Usher, and Stevie Wonder worked well together
m) No one knew much about Josh Groban, but everyone seemed to have something to say about him
n) The scripts felt like a really slick advertisement.
o) Obama better know what he’s getting into and better be able to pull it off, because it is a long, fast, sad road down from this kind of a pedestal.

Afterwards, the roads out were clogged for pedestrians by pedestrians. It moved as a snails pace.

Paivi and I skipped that road (the one behind the washington monument) and fought our way across the mall directly. This ended up being much faster…much much faster.  We followed the mob up towards dupont circle and it wasnt really until past K street that the entire road wasnt packed with pedestrians. It felt like we were marching for something, but we were really just going home.

Yes We Can!

Made it Dupont area, had dinner, metro’d home.

Really a nice day, ultimately, if exhausting.

As an aside – today we were at the Georgetown Barnes and Noble and ran into the same girl who was standing next to us the day of the concert. Crazy small town!

We’ve been back in the U.S. for a couple of weeks now, but I’ve been a bit blown out and wasn’t up to posting anything till now.

You may (or may not) have noticed that I posted all of 0 entries during the trip. That had a lot to do with two things: Time and Infrastructure.  First, we were really too busy to spend a lot of time posting and, when we did have time, I was just too beat to post and opted to sleep. Second, there weren’t all that many places to post -from- (wrt net access) and those that we did have access too were usually incredibly slow ).

What I found out, though, is that twitter is incredibly useful in situtations like this.  I was able to get quick bits out somewhat on the fly to keep everyone updated without having to spend the time on a full blog post or deal with hefty websites that took forever to load.

So, in that light, I thought I’d post the 45 or so twitter updates from the trip here as one blog post:

• In Chicago! 12:02 PM Nov 20th from tx
• is sitting in Hong Kong airport waiting to see Doug and Nguyet. Flight for Saigon in 2.5 hrs or so. Didnt expect to be here again ever 6:05 AM Nov 21st from web
• In Saigon. Long day. About to hit bar “apocalypse now”. Know it’s cheesy. Nguyet has fallen victim to sleep! 11:08 AM Nov 22nd from twitterrific
• ok, so Apocalypse now was a thumpity thump club. total bust. Tried the garden bar on top of rex. ripoff! ended at pizza place. $1.50 beers 11:59 PM Nov 22nd from web
• Off to cambodia today! 6:31 PM Nov 23rd from twitterrific
• in Phnom Phen, Cambodia. Ate ourselves silly. Best part of trip! Took 2 tuktuk rides around town. Insane. Torture museum sombre,worthwhile. 8:51 AM Nov 24th from web
• Phnom Penh, not Phen. Going to stay two days here…hadnt planned on coming at all. Killing Fields demain. Fast boat to Siem Reap, next am 8:53 AM Nov 24th from web
• is having some mixed feelings about his ‘holiday in cambodia’ 11:53 AM Nov 27th from mobile web
• Still in Siem Reap. Love Cambodia. Will be back here next year!. Sorry out of touch, tho – really bad internet connections. Pics to come 11:31 AM Nov 28th from web
• Saw Cambodiia photo show today. Met famous photographer Paivi wanted to meet!! Leave Cambodia tomorrow. Heading to meet Quan in Hanoi. 11:32 AM Nov 28th from web
• sitting in the Cambodian equivalent of Starbucks catching up on the internets. Doug is checking news – we havent seen any for a week 2:45 AM Nov 29th from web
• is waiting with Paivi for the “Religious Wealth” from Angkor Wat to come pouring in 3:47 AM Nov 29th from web
• Last 24 hrs insane. Drunk hotel employee. Party with hotel employee at Karaoke. Employee vomits while negotiating $700 tour package. (more) 10:39 AM Nov 30th from web
• Multiple ATM withdraws 4 tour lock cards. Cab scam attempt when arrive in country. Paivi hit by motorcycle today (shes fine, bruised) 10:41 AM Nov 30th from web
• met quan from artdc.org tonight in Hanoi. Saw his studio. Paivi and I bought a piece of his. Nguyet and Doug did too. Awesome work! 7:35 AM Dec 1st from web
• There are very few things in life as cool as jumping off a 3 story boat into Ha Long Bay in the midst of a perfect sunset. 1:43 AM Dec 3rd from web
• cant seem to upload pics to flickr from these connections. sad. At Halong Bay on Cat Ba Island. Long hike to mountain top earlier. 5:33 AM Dec 3rd from web
• @translucent_eye getting pics of the hike was harder than one might imagine,but we did get some. Ha Long Bay boat pics = heat achingly petty 5:07 AM Dec 4th from web in reply to translucent_eye
• @tracyleephoto that was the idea :) (DK’s). I would’ve said more but by that time, I was pretty gone. Only hangover of trip was the next am! 5:08 AM Dec 4th from web in reply to tracyleephoto
• back in Hanoi. Binh fckd up train tix and didnt tell us. Leaving for Hue 3 hrs earlier. Trying to meet Quan to do handoff of the paintings 5:18 AM Dec 4th from web
• is in a hotel in Hue that, at $20/night, is as big as his apartment. Rainy day, everyone feeling a bit run down. Overnight train was cool 4:29 AM Dec 5th from web
• is drinking a tiger beer, waiting for the others’ motivation to kick back in…that or their stomachs to be empty. ;) 6:04 AM Dec 5th from web
• today was win. 5 shirts being tailor made, best shot of rum ive had – only cost $0.30, banana pancakes, lemon pancakes, pho, mystery meat! 8:19 AM Dec 6th from web
• Time to do laundry in the bathroom sink. Having 3.5 sets of clothes for 3 weeks entails a lot of this 10:39 AM Dec 6th from web
• Picked up shirts and formal dresses from 2 tailors. Off to the third and to eat more fantastic street sweets in Hue! 6:22 AM Dec 7th from web
• we’ve had something like 17 or 18 pieces of clothing made between the 4 of us in 24 hours. heh. Off to beaches of Phu Quoc tomorrow! 10:37 AM Dec 7th from web
• 2nd day on Phu Quoc island. First was spent in shared bungalo at isolated beach to the north. Ocean is perfect. 8:29 AM Dec 9th from web
• One more day at the beach, then back to Saigon for an afternoon, then home. Still need to buy some snake whiskey for self and friends/fam 8:52 AM Dec 9th from web
• Headed back to Saigon today. Back home tomorrow. Yesterday, I got a full body massage and helped doug play a coral reef for a tropical fish! 9:58 PM Dec 10th from web
• Im not sure what winter melon tea in a can actually is….but it’s good! 11:26 PM Dec 10th from web
• is back at Madam Cuc’s in Saigon. Almost feels like home! 2:05 AM Dec 11th from web
• Hot as hell. Foot killing me again tonight. Affecting my mood. Time for home, I think. Did buy 4 bottles of whiskey with cobras in them! 8:58 AM Dec 11th from web
• @turbo3k absolutely! These are roughly 2-shot bottles – 1 snake apiece. Should see all the reptiles they fit into the huge huge bottles ;) 9:06 AM Dec 11th from web in reply to turbo3k
• Lady in front of me in plane got up on her chair n her knees facing it, and tried to ram it back because my knees were blocking it. tall sux 9:35 PM Dec 11th from web
• Im still in the future!!! Flight for Chicago leaves in an hour-ish 9:40 PM Dec 11th from web
• in Chicago at O’Hare. Foot was so swollen from flight it wouldnt fit back in shoe. OHare security is awful. Want a hamburger! 2:24 PM Dec 12th from web
• checked bag made safe from dc-chicago-HK-saigon, phnom penh-hanoi, hue-saigon, saigon-phu cuoc, back, saigon-HK, HK-Chicago. Not Chi-DC tho 5:41 PM Dec 12th from web
• bag is supposedly scanned on the next flight into DC from chicago. If it’s not, I very well may lose my shit. Ive had -enough- 5:42 PM Dec 12th from web
• @elegantmachines im convinced “civilization” isnt the right word for it at all. 5:45 PM Dec 12th from web in reply to elegantmachines
• is home, w bag. Guess TSA wanted to mollest my bag a bit xtra, put on next flight. United lady was way rude. after 24hrs travel, not in mood 6:41 PM Dec 12th from web

We leave Thursday. That’s 4 and a half days from now. Doug and Nguyet are already in San Francisco and the next time we’ll see them is at the Hong Kong airport right before the last leg of our trip to Vietnam. We’ll be there for three weeks and, while that’s not a lot of time for tried-and-true-backpacking-scenesters, it’s a lot for us on a complete whim (and on unpaid leave).  Still, we’re looking at it as a test-run for a longer trip through the area.

Now that it’s so close to departure time, I’ve been taking a close look at what I’ve bought or selected for the trip and what I actually want to carry. It’s kind of interesting how much “technology” there is for something as old and simple as backpacking. I’d like to think I travel minimally (and I usually only take a single school-sized backpack on ANY trip), but the geek in me (and the corporate consumer) couldn’t resist getting “feature packed” gear.  From a $299 ASUS Eee linux laptop to a kindle to “medicating runners socks” to zip off pants etc, there was some actual bit or technological feature in almost everything I decided to bring that made me decide to bring it. Could I have just brought t-shirts? Sure. But I needed lightweight fast drying wicking shirts :P

Click the pic below to go to Flickr. Each item in the pic is labeled with what it is, if youre interested:

I’ll post more trip details tomorrow – like where exactly we’re going for sure and what we’d like to try and see.

Paivi and I have a number of pictures up at DC9 from November 15 – November 22 as part of PixTour, which is part of Fotoweek. I wasn’t sure what or how many pictures to put up, but when I was talking to the Bill (the owner/manager?) I noticed that the 7 big mirrors provided the only really clear space, so I put 2-3 up per mirror. There are 3 “sets” of mine up – “Picture of a Picture” (suggested by Heather), “Doll Angst” (a set of suicidal blondes), and “Misc” (just a few that seemed to fit together) in the back.

These were my final selections:

http://www.flickr.com/photos/sintixerr/sets/72157608876695189/

Paivi put up some of her BritishInk pics from Artomatic (hers was more last minute than mine since her original venue, Bar Pilar, fell through. Too bad!)

ABOUT:
—
PixTour: a project of FotoWeek DC 2008
Travel the city to check out PIX TOUR.

PixTour, a project of FotoWeek DC 2008, is showing the work of
area photographers at 40 bars, clubs, restaurants, theaters, and
shops around DC. Artist and Place meet and invite you.

PixTour brings art to the people who are out and about.
Take a walk, have a drink and a meal, and see the art of photography in Dupont, Adams Morgan, Columbia Heights, 14th Street, Anacostia and More. PixTour is an informal showing of photography on local walls and windows.

Curators: Molly Ruppert, Heather Goss, Beth Baldwin

PixTour was created as a project for Fotoweek DC 2008 by Molly Ruppert molly@warehousetheater.com and Warehouse.

VENUES:
—

DC9                                            1940 9th St NW
Nellie’s Sports Bar                  900 U St NW
Vegetate                                    1414 9th St NW
Velvet Lounge                           915 U St NW
Dos Gringos                            3116 Mt Pleasant St NW
Gala Theatre                            3333 14th St NW
Red Rocks Pizza                     1036 Park Rd NW
Room 11                                   3234 11th St NW
Sticky Fingers Bakery             1370 Park Rd NW
Wonderland                             1101 Kenyon St NW
Asylum                                       2471 18th St NW
Bedrock Billiards                     1841 Columbia Rd NW
Bossa Bistro Lounge              2463 18th St NW
Chief Ike’s Mambo Room      1725 Columbia Rd NW
Idle Times Book Store            2467 18th St NW
Tryst                                           2459 18th St NW
Caramel                                    1603 U St NW
Lee’s Flowers and Cards      1026 U St NW
Mocha Hut                                 1301 U St NW
Polly’s Cafe                               1342 U St NW
Solly’s u street tavern              1942 11th St NW
Vinoteca                                    1940 11th St NW
Cafe Tropé                                2100 P St NW
DC Café                                     2035 P St NW
Soho Tea and Coffee              2150 P St NW
Stars Bistro                               2120 P St NW
Tangysweet Yougurt  Bar      2029 P St NW
Garden District                         1801 14th St NW
Playbill Café                             1409 14th St NW
Timothy Paul Bedding            1529A 14th St NW
Universal Gear                        1529B  14th St NW
ARCH Training Center            1231 & 1227 Good Hope Rd SE
Baked and Wired                     1052 Thomas Jefferson St NW
Big Bear Café                           1700 First St NW
Mocha Ground                          4706 14th St NW
Warehouse                               1021 7th Street NW

ARTISTS
—

Giamoco Abrusci
Ken Ashton
James Calder
Daniel Cima
Jason Colston
Brett Davis
Thomas Drymon
Elsie Dwyer
Josh Gibson
Steve Goldenberg
Jason Gottlieb
Kyle Gustafson
Justin Harris
Linda Hesh
Justin Hoffmann
Seth  Kaplan
Angela Kayklers
Angela Kleis
Brian Knights
Marie Kwak
Bridget Sue Lambert
Pamela Leahigh
Jeffrey Lear
Martin Locraft
Dale Lowery
Cesar Lujan
Pat Padua
Linda Plaisted
Mark Planisek
Michael Platt
Drew Porterfield
Katy Ray
Bruce Robey
Lisa Rosenstein
Julie Seiwell
Kerri Sheehan
Myrna Smernoff
Matthew Smith
Parikha Solanki Mehta
Paivi Solonan
Michael Starghill
Linda Strating
Sanjay Suchak
Ira Tattelman
Raul Valda
John Thurman
Jack Whitsitt
Pete Van Vleet
Amber Wiley
Ken Wyner

(…kind of random ramble here…maybe I think it sounds silly in a few weeks…)

I never really “got” Neal Stephenson’s concept of federated and FRANCHISED governments in Snow Crash. I mean, I understood he was trying to feel all cyberpunk and future-y, but I didn’t immediately see practical drivers which would necessitate the transformation. Beyond Stephenson’s plot need for a  fictional generic doom and gloom everything falls apart into a gritty underworld backdrop, what would be the systems benefit of evolving into a real life situation where government is significantly geographically non-contiguous and people have to buy in to their state of choice? No answer.

Fast forward a few years. The other day I attended the kick-off for the “National Cyber Security Awareness Month” this year at the national press club.  Suits from the non-profit org, Symantec, and DHS were on the panel. They talked about their plans to raise awareness (it seems to involve schools, but not much else?) and current threats (ye olde “insider threat” spiel. What a cop-out. Who are your insiders? Your users? Your business partners? Your supply chain? The wife and kids at home who are on the same network as your laptop? The starbucks-going-public? Wake up. You don’t have an inside. But, I digress).

Apparently this is the fifth year there has been an awareness month. Wow. I’ve certainly never noticed it before. Why is that? At first it seemed like the government just couldn’t get its shiot together. But then you have to wonder two – why is this a government issue at all (why arent people self-organizing?) and is this limited to security awareness? Are we having these issues coming to social consensus elsewhere?

(Bear with me here, I havent completely thought this post out yet)

It really seems that the answer to the second question is a resounding yes.  We cannot seem to come to agreement on anything in the US lately…and when we do, it’s a conclusion based on only the most oversimplified non-complex versions of “facts”.  The reason the government is involved is because people throw up their hands and go “this is too much! help!”

Why is it too much?

A combination of too much data and a lack of common interests and needs on a geographical basis.  A geographically federated state system assumes that people nearest each other have the most in commun wrt value systems, needs, desires, beliefs, culture, etc.  Do we have that now? Somewhat…but not nearly, IMO, as much as we used to and maybe not as much as we need to.

Look at it this way:  If 30% of people in one area agree on something, but so many other people disagree that the 30% is a majority, it’s the 30% that gets represented ultimately. That’s expected and fine when it happens on some issues. But what happens if interests and values have become so diversified within geographic voting/opinion districts that this kind of discord is the norm?  We may be vastly over-normalizing our opinions to the point where they’re not meaningfully reflective of reality and no one will ever happy with the results.  We’re essentially making decisions based on noise.

Related to voting, and more pertinent, is that we’re not having nearly as many -conversations- or -dialogue- between people based on geo-centric shared interests. Rather, we’re talking over the internet and national TV. People with shared interests are collaborating around the world. Virtual communities of interest have become as normal in many areas as real ones.

This is where Neal Stephenson’s franchised governments start to come into play.  States are usually formed around a group of people in one “place” with shared values and interests. If we virtualize and abstract out “place”, what do we end up with?

Can we or should we reorganize voting/opinion districts around these opt-in shared communities? You choose which group to join and be a part of.  Everyone in said virtual community votes and that virtual community subsequently votes in large polls/electrions the way its community voted.

Would that work? Would it help? Is that where we’re headed?

This post obviously needs to be fleshed out in a lot more detail, but I really dont have the time. Just thinking out loud :)

I’ve spammed this particular link everwhere else I can think of, but still neglected to post it here on my blog.

Basically, I was approached a few months ago by a senior editor of Symantec’s online magazine “Norton Today” because they were interested in doing a piece on Art and Security. I was approached because of my old work in security data visualization and the fact that’d I’d started to rework and hang the pieces in art shows like Artomatic and My Space on 7th.

Anyway, the interview went really well (in addition to being a lot of fun) and it’s now online at:

http://nortontoday.symantec.com/features/articles/art_of_security.php

(Edit: This link now appears down after a few months. Symantec has republished the article here: http://www.thegeekweekly.com/feature/turning_computer_vis_into_art/index.html )

They used a few older images in their Flash slideshow (My fault – I didnt get them newer images in time).  These were the originals we used at NetSec to do analysis and which have been in a number of presentations (and were in the batch I sent to ArcSight as examples when they were still developing Interactive Discovery, iirc).

You can find the “art” versions that I’ve hung up in galleries at the following link:

http://sintixerr.wordpress.com/art-versions-of-data-visualizations/

I’m still interested in working more of these, but have been moving from graphing – which was a necessity of the business at the time – into a broader field of ontological information/concept representation in art.

(This is in addition to my media experimentation with / interest in projection. I think Id like to merge these two tracks together in the future, but havent gotten there yet.)

So I recently bought a ton of film strip gear off of Craigslist. Do you all remember this stuff from elementary school? Or if you’re older, high school? They’re basically like slide presentations, except the images arent ever cut from the strip. You insert the strip in a projector or personal viewer and play either a tape or a record for a sound track. When you hear a BEEP on the sound track, you flip to the next image on the strip. 

I always thought they were dumb in school, but I did want to make my own at the time and they’ve been on my mind a lot lately for whatever reason. So, I was pretty thrilled when someone on artdc pointed out a craigslist ad the librarian at Queen Anne school in Upper Marlboro had put out: 4 projectors, 3 personal viewers, and 60 strip presentations for $100. Holy Cow!

Anyway, I got all this gear delivered to work (it takes up…an entire…cuber….) last week and have slowly been hauling it home and playing with it. I’ve found I want to explore three potential uses for it: 

1. Cutting up and reusing the material from the film strips in other art as light-driven collage material

2. Making an actual film strip in the old style they have with the simple lettering and exagerated imagery and doing a projection show of some sort

3. Using the projectors and gear as part of photo still lifes.

One of these three is obviously easier than the others, so I’ve started out taking pictures of the projectors and strips (Paivi also has been photoing some of the images projected).  I put up a few of the recent shots on flicker and one of them made the DCist’s photo of the day:

Some of the other shots are here:

So lately I’ve been monitoring (for various reasons) the SCADASEC mailing list run by Bob Radvanovsky.  In the course of a mostly unrelated discussion, Gadi Evron linked to the Estonian National Cyber Security Strategy and I decided to look it over.

It was of particular interest because it was written in the wake of the massive DoS attacks against Estonia and it marks probably the first government strategy written by a state that has had to deal with both being attacked as well as the international coordination/input involved in responding to them. We certainly have our own unique issues to deal with, but it’s definitely gives some intriguing insight.

There were a couple of things that stuck out because of their heavy emphasis:

• Making their legal framework more consistent and interoperable in a way that would allow them to more effectively respond and handle threats. They found it to be „decentralised and, in fact, partly contradictory.” This is going to be a huge problem for the US down the line…even more so than it is today.

• The role of general society (vs government) in responding to threats as well as the importance to the state of the free flow of information to/from society: „Our task rests on a prescient awareness of the need to balance, on the one hand, the risks associated with the use of information systems and, on the other hand, the indispensability of extensive and free use of information technology to the functioning of open and modern societies — and the understanding that this is a challenge confronting not only Estonia but also the rest of the world. The growing threats to cyber security should not hinder the crucial role of information and communications technology in impulsing the future growth of economies and societies.”….” In our modern, globalising world, economic success and a high quality of life can be achieved only through recognising the great importance of the efficient handling of knowledge and information to the proper functioning of our societies. The very term ‘information society’ denotes a setting in which human values of all kinds are created, maintained, manipulated and transmitted in a standardised digital form; it is a further feature of an ‘information society’ that all members have access to such information through a complex data exchange network.” The US tends to address the material and business impacts of the internet and their cyber infrastructure, but we rarely talk about the critical role it plays in defining society itself now.  If we continue to divorce business and government from society, we are going to continue to wonder why everything seems to be sliding away.

Other points I noted:

• They have a national SOA-like (data exchange layer) backbone with DNSSEC: http://www.ria.ee/?id=27309& and http://events.oasis-open.org/home/sites/events.oasis-open.org.home/files/Ansper.ppt „“At the beginning, it was developed as an environment that would facilitate making queries to different databases. By now, a number of standard tools have been developed for the creation of eServices capable of simultaneously using the data of different databases. These services enable to read and write data, develop business logic based on data etc. The X-Road must enable to do any common data processing operation. Proceeding from this principle, several extensions have been developed for the X-Road: writing operations to databases, transmission of huge data sets between information systems, successive search operations of data in different data sheets, possibility to provide services via web portals, etc. The main component of the Estonian public information system architecture is the secure data exchange layer, X-Road, which is based on the public Internet. Although X-Road uses the Internet, it meets all three objectives of information system security – availability, confidentiality and integrity. The number of X-Road’s central components has been minimised and data exchanges between two information systems using X-Road are able to continue in case of its disruption. X-Road’s infrastructure includes countermeasures against both temporary disruptions and attacks aimed at hindering the provision of services. But because new forms of attack and threats in cyberspace are constantly emerging, it is necessary to develop further X-Road’s security measures” Our businesses can’t even seem to get this together, how can they? For god’s sake…we NEED a data interface layer like this in our infrastructure or we’re going to drown in our own unused inefficient data stores without ever being able to synthesize the kind of knowledge we need to in order to function as a society.

• Their perspective on the nature of current threats: “The current and well known security objectives – confidentiality, availability and integrity of information – are no longer sufficient to ensuring cyber security. To secure the critical infrastructure, it is necessary also to address the severity of disturbances in its functioning, non-repudiation and authenticity of information sources.” I guess all I can say to this is “duh. Why dont we talk more about this publicly on a government level?”

Hey all!

I’m going to be showing some data visualizations at the My Space on 7th art show in Washington, DC starting Friday, July 11 at the Touchstone Gallery! Everyone should come out. I took a look at the space and there’s some interesting work hanging already. (And I have to thank Paige, here, who unintentionally helped me decide what to show…but more on that in a later post.)

Oh. And there will be wine tasting opening night. :)

There will be three old, but reworked images and one new one created just for this show.  Only one has ever been printed before and they all look pretty fantastic.

The new one consists of two superimposed graphs (a paraplot and a scatterplot) of illegitimate traffic going to/from “jackwhitsitt.com” (that would be, uh, most of it).

The three older ones are:

Destination Port Traffic Volume (global sample)

(Test Data from custom developed SEM correlation  modules)

(Pcap data from 10,000 spam emails)

Last week, I had the perfect storm of random happenings.  I was outside having coffee with Stacey by the Pentagon City Mall.  I got a twitter from Rebecca – some mumbling about a guy with a machete getting off the same bus as her. Quite surprised (and amused), I shared the message with Stacey.  Just as I do that, who walks up to us but Rebecca herself!  You have to keep in mind – Im not sure Ive ever run into her outside of Artomatic before in my life. The timing here is too weird. So weird, in fact, that the only thing I can think of to say to her is:

“Machete?!?!”

Turns out, some guy in a suit got off the local bus near where we were…manicured and everything….but with a machete on his back.  Hrm.  I cant say I havent felt the same way myself before, but most of us dont DO that :)

Anyway, Rebecca wanders off to knit (in Starbucks I think?? or some secret hole to Neverwhere) and Stace and I finish up. 

Heading into the metro, the next Yellow line to DC is 8 minutes away, but a blue line will be right there. I figure Ill catch that and jump across above ground from Farragut West to Farragut North and catch the red line home.

And…that brings us to the point of this post. 

Once I get up the stairs, Im surprised to hear….love shack….by the B-52’s. I check my ipod. No, no it’s not coming from there.  I look around and realize there is an actual live band  in Farragut Square doing love shack.  Not that that’s my favorite song mind you – by any means – but the fact that the typically dreary shuffle of end-of-workday commutes that normally happens here has been completely supplanted by random live 80’s music in the middle of the square. How freaking cool.

Apparently they were playing for the last day of OnTap’s “Sounds in the Square”.  I wish I had seen the others. I need to read my OnTap notices more carefully!

Luckily, I actually brought my video camera with me to work that day (???? I never do that ????). I grabbed it from my bag and immediately started filming.

As the song went on, I realized that these guys were pretty good (By pretty good I mean dont mean I’d fly to Hong Kong to see them, but they were FAR and away better than what you normally find laying around there in the afternoon)  AND had a great sense of humour.  All the guys were wearing moon pants, the guitarist had a Karate Kid bandana on, the basist had big white sunglasses with slits in them, the female singer was Madonna’d out, and the male singer had Rick-Springfield sunglasses. 

I ended up filming six songs in High Definition and I think they all came out really well – especially as it was spur of the moment and I couldnt move around much.  I’ve included two of my favorites in this post – Walk Like an Egyptian (top) and Jessie’s Girl (bottom). I particularly like the footage of Walk Like an Egyptian…the singer walked out and was dancing with a couple of kids egyptian-style. It was adorable.

Anyway, the band’s name was “The Reflex”.  They’re based in DC and if you want a bit of entertaining eighties in your life, check them out!

http://reflexlive.com/

It’s still sinking in.  Could the Supreme Court really have come out in clear support of the constitution?  Did the majority really reaffirm that yes, we live in a country where the locus of control resides with the people – every individual – and not with the government?  Will we begin to see again finally a creeping awareness culturally that the we -are- the government?

In informatl conversation, the problem of the Second Amendment is often cast in three contextual lights - each of which, I think, misses the real point.  The first sets the debate in terms of whether we can safely allow guns in our society. The second says “guns are inherently bad and evil and its a different world than it used to be and the police should protect us”.  The third debates the value of guns in protecting us from the government.

All three of those arguments all center around…guns.  Why?  The value, role, and entire point of the Bill of Right has only ever been to support and cement the relationship of American citizens to their government. 

The Bill of Rights, if it was just a list of “things people should be able to do”, would have been much, much longer. That is, if it had been created at all. 

The fact of the matter is that the Bill of Rights is the document that GUARANTEES that the government shall derive its power soley from the individual and not vice versa.  What is it that the rights of free speech, speedy and public trials, the right to not be arbitrarily searched, etc. are protecting us from? Not each other. Not foreign states. No, they’re written as hedges against the enroachment of government-derived power taken from the individual.  They protect us from those in the government and without who would opt for the easy route – the one people in many less free, successful states follow willingly.  The Bill of Rights exists because for a free nation to exist and to thrive, the people MUST retain the locus of control. 

This goes beyond “free elections” and democracy.  Freedom is only a word if people expect their government to take care of them. If they expect the group – the police, the legislature, the executive branch – to solve their every problem and to make decisions for them. 

The reason our constitution is so amazing is that the framers understood that only from the flexibility and insight of free people is real strength derived.  The government should only ever be framework through which disputes are resolved and a mechanism for people to, where necassary, take civic advantage of economies of scale.  This is where centralized economies and other socialist constructs FAIL every time. It’s an information theory problem.  There is too much information needed to make good decisions for a central, top heavy government to process that it just cant.  Similarly, everyone always acts in their own self interest so giving everyone the power to act in their own self interest is much more likely to yield solid, beneficial results than allowing a select few to force  many to act in the interests of the few.  There HAS to be math behind this somewhere.

At any rate, back to the point:  The Second Amendment is one of the lynchpin components of the Bill of Rights, our government, and the foundational principles that make it all work.  The Second Amendment says, in effect, that for a free state to exist, the -population- shall retain the RIGHT to USE FORCE in its own SELF-INTEREST and that right shall NOT be adbicated to the empty machinery of government which will unfailingly abuse it.  The power of the Second Amendment – which was reassirmed today – is in that specific line it draws. 

There are more threats to “the security of a free state” than foreign countries and abdicating our individual power to the empty, crushing machine of government is at the top of the list.

(Edit: This is an aside from the regularly unscheduled programming here and only represents my not-nearly-educated-enough opinion on the subject…)

…Straight from the Madison Square Garden show.  This video is, in my opinion, far better than the one I got of Underneath the Stars.  The sound is great, the shots are great, and Robert is really animated – at some point he even almost laughs.

I need some practice with the video editing suite I use, so I took the liberty of adding a couple of effects here and there. I hope you enjoy the final product :)

Have I mentioned how much I love the old music without keyboards???

Again, if you want a better quality version, open the You Tube link and click “watch in high quality” below the video.

http://www.youtube.com/watch?v=tmGdT0yZQao

First of all, I wanted to share the HD video of the opening Cure song at Madison Square Garden – Underneath the Stars.

If you want the high quality version, click this link and then the “Watch in High Quality” link below that:  http://www.youtube.com/watch?v=dJQ7aHAmVYc

Otherwise, here yah go:

(You can also find “A Night Like This” from the same show in this post: http://sintixerr.wordpress.com/2008/06/23/video-a-night-like-this-the-cure/ )

Secondly: We got back in yesterday afternoon from our two day stay in New York for back to back Cure shows (at Madison Square Garden and Radio City Music Hall).  As previously mentioned, the first was an amazing, high powered show which was one of the best I’ve seen. Radio City Music Hall was equally well-played, but while the venue had an air of intimacy lacking at the Garden, our seats weren’t nearly as good and I didn’t feel quite as “connected” to the show as before (despite Robert walking all up and down the side stairs of the venue). I didnt get any pictures – just video – but spiggy has a ton.

They can be found here: http://flickr.com/photos/spiggycat/sets/72157605754343280/

I’ll do a mini-review later (probably…I obviously dont always follow through on the “later”’s here), but I wanted to thank all of the Chain of Flowers people we hung out with at Heartland and later…Laurie, Randy, Beckenbach, Danny, Karen, Veronica, others whos names Im blanking on for the moment :)  One of the things I enjoy about travelling to see the Cure is all the people we get to meet, and this group was particularly fun.  Hope to see you all around :)