Another Set of Teeth

Sociables

2009-10-06T18:52:00.000-07:00

When I read this commentary on privacy from Andrea Dimaio from Gartner, I was mildly surprised that people still thought like this, that privacy is tied to secrecy.

Bob Blakley responds at the Burton Group. I agree with his analysis, so it must be brilliant. The back and forth in the comments is worth reading.

Fingertips

2009-10-02T18:31:00.000-07:00

From today's Austin American Statesman, this article discusses the fraud deterrent effect of fingerprinting applicants for food stamps, and if it is worth the delay it may be causing in processing (Department of Agriculture says it isn't).
There are lessons to be learned at Texas HHSC.
Starting here:

The electronic fingerprinting program costs $3 million a year: $1.6 million for a contract with Cogent Systems for the imaging and $1.4 million for state workers' time. The state and federal governments split the cost.

Last year, the fingerprint program led to the state investigating just four applicants for fraud.

But state officials say it's impossible to know how many people are deterred from applying multiple times because of the fingerprinting.

But later in the article:

The state estimates that the deterrent effect of fingerprinting saves $6 million to $11 million a year.

I imagine the latter figure could have been pulled from cost justification of the project, or from the vendor's response to the RFP, or even the LBB when the law was passed. (Does the cost include the initial implementation of the system?) But measuring the actual decrease in applicant fraud is a solvable problem. To say that there is "no way of knowing" the deterrent effect is not defensible. If they never measured a baseline of applicant fraud to begin with, how would they have known how much to spend on an anti-fraud measure? If they don't try to measure the change post implementation, how do they know it's working?

On the other, more cynical, hand, why should they care? They are in compliance with the state law, and the system was implemented. The only people who suffer are the citizens who need help to buy food. Folks who may not be able to take off from their minimum wage job, or don't have the transportation, to go be fingerprinted. Measuring the dignity of your customers is harder than measuring your fraud deterrence cost.

You tell 'em Stevie.

Intent

2009-09-14T18:36:00.000-07:00

There’s a whole bunch of the IDC/RSA white paper on insider risk management that puzzles me on one level or another.

“Whether the threats are accidental or deliberate, the costs are still the same.”

I didn’t see much data in the report regarding costs. I'm not sure if they are talking about dollars. Regardless, the controls to prevent either accidental or deliberate data loss probably overlap in most scenarios, so that cost may be similar. It’s the cost of response and recovery could be wildly different. I would rather pay to have a document restored from backup than pay for the costs of a data falling into the hands of someone who would steal it. Intent is material in incident response cost. ( I'm not married to this idea yet, but I've taken it out to dinner a couple times.)

“Malware and spyware attacks are another example of the risk of good employees doing bad things.”

I don’t think good employees are doing the bad things in malware and spyware attacks. I think it's bad people doing bad things. I’d categorize the real threat as the operator of the malware or spyware. The employee's behavior is a control, but given the sophistication of much of the malware around, it is not surprising that this control occasionally fails (Is visiting NYTimes.com a “bad thing”?) If the security of data is breached due to malware on a desktop, it has gone to bad people. I think this sort of incident belongs in a different category from an error, omission or mistake. There is an intelligent actor intending harm behind the action. Not so with a lost laptop.

Under “Key Findings”

"14.4 incidents of unintentional data loss through employee negligence in the past 12 months'

So, what does this mean “unintentional data loss”? Dropping the wrong table? Hitting “Save” rather than “Save As” ? Losing a laptop? That number is not as exciting to me as the 11 incidents of internal fraud a year cited a couple rows down. Response to "unintentional data loss” could be as simple as pulling a back-up, but fraud incidents are going to burn more organizational cycles and have a demonstrated loss.

Policy and Ethics

2009-09-10T18:40:00.000-07:00

The excellent Grits for Breakfast posted several stories of alleged misbehavior at the Bexar County probation office, including a link to the following story from the San Antonio Current. The following passage caught my attention:

According to former Bexar County probation IT Director Natalie Bynum, [Director of Operations] Cline kept a list of known and suspected union members she wanted out of the department. To weed them out and quash the union, she had Bynum meet her repeatedly during and after work to comb through employee email accounts.

“She wanted their computers monitored in order to find out if they were doing any union activities while on the job, also to see what was going on with the union,” said Bynum, who now lives in Arizona and spoke with the Current by phone. “We’d go to the bar and then we’d go back to work afterwards. It would be just us in the office, often-time.”

Bynum, a close confidant of Cline’s during her tenure, says she was motivated by curiosity since she was “not allowed” to speak with known members of the Central Texas Association of Public Employees, a division of the United Steelworkers. Cline and Bynum’s alleged searches weren’t limited to the “five to 10” employees targeted by Cline, either. Bynum told the Current this week that Cline also regularly tapped into her boss’s account to see if Fitzgerald was talking about her.

In most workplaces, this sort of activity may not be illegal, and is probably not even against policy. Still, I sense some ethical boundary is crossed when you start reading your boss' e-mail. Am I alone? On what grounds could the e-mail administrator deny an "authorized" request for reading e-mail, other than his/her own sense of ethical obligation?

Data Rustler

2009-04-17T18:23:00.000-07:00

The best thing to come out of the Texas Lege since....ever.
A bill passed through the state senate increasing the penalty on hacking at the critical infrastructures we got down here Texas-way. (State jail penalty, no less.)

But I'm not talking about the law, but the language of the lawmaker. From the Austin American Statesman -

"[Sen. Kel S]eliger, R-Amarillo, who on Thursday passed through the Senate a bill that would increase penalties for cattle rustling, laughed at the suggestion that today’s bill was of the same genre.

“Yes, it’s going after data rustlers,” he said."

DATA RUSTLERS! YES! I now abandon "hacker," "cracker," "identity thief," and all other similarly situated nouns in favor of the term coined by the gentleman from Amarillo.

Cyber

2009-04-15T17:03:00.000-07:00

After a once over, I'm curious as to the value of the Verizon Business "Data Britches Report."
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/

A couple questions/comments I had on the first read:
1. The document really needs a glossary. It's hard to parse the special meaning assigned to certain words and phrases as they recur throughout the document. For example: "data breach" "record" "incident" and "errors and omissions," the last of which didn't mean what I thought it would mean ("negligence and "non-compliance" seem to convey more of what was intended. When I think E&O, I think "malpractice.")
2. Is the skew toward "outsider" threats due to the type of service that VB offers? Actually, is the skew of all the data because of the type and quality of service that VB offers? Hell, VB admits to whacked out skew. So give me some damages! Or, at least give me a standard deviation, if you are going to skew that way.
3. Where are my scatter plots? Some get these guys some visualization skills.
4. Lumping intellectual property breaches with credit card and NPI in cumulative stats seems wrong to me. I reminds me of an article I read about computer crime that included statistics on hacking, toll fraud and the hijacking of trucks that carried computer chips. That was maybe 12 years ago, or more. This sort of loose affiliation of crimes, torts and misbehavior shovelled under a skirt called "cyber" makes less sense everytime I read a "cyber" this or that. How about words like fraud, impersonation, crime, non-compliance?
5. About half way through, I got the feeling that I was reading a DEA document about the War on Crime. A focus on the incident, without a look at what caused the incident. Who got the money? Why are they stealing data? Is this "cyber" or just fraud? Is it a war we can win? Have we just turned the corner?

Gimme something substantive for a conversation, not just re-hashed status reports that may be misleading.

(Just noticed that Brooke at New School wrote similar comments. I am not alone.

Tea Risk

2009-03-23T18:03:00.001-07:00

At the Tea Risk conference today. Heard a woman keynote all over me, until my brain sploded. Her talk was divided into two part:
1. A retrospective of headlines indicate that there has been no progress in information security in the past twenty years. This trip down corrupted memory lane came with wistful recollections of the punch-card, suspender snapping variety. Vax is what we should nostagicate on now. And despite her involvement in security, and yelling the same thing over and over again, No Progress Has Been Made. I was waiting for her confession that she was part of the problem, doing the same thing over and over, expecting different results. Didn't come. A slight whiff of the "stoopid luzers" but the topic was dropped without conclusion.
2. A detailed trip through her personal hell of IDENTITY THEFT! Here's what happens: on some records somewhere, her Social Security number is associated with SOMEONE ELSE! Of course, no fraudulent loans were made, no bogus entries on her credit bureaus reports, and the person used a different name, different gender, different address, different date of birth, etc. And yet, she was upset that the police were somewhat reluctant to send out an APD and marshal all available resources to investigate her claim. She hinted that she used less than legal means to get the other individual's address and driver's license, and carried around a stack of papers with all her info into a Kafkaesque morass of bureaucracy. I've seen this sort of thing before in my previous life as an investigator. It's not IDENTITY THEFT, it's a typo. I've been brewing a rant in my head about the words "identity theft," but it probably needs a while longer to attain the desired proof.
This woman's bio lists her as a "risk consultant." Maybe that's why security sux.

Morning at Tea Plantation, by Docbudie via Flickr.

Non Fiction: Risk

2008-11-14T08:00:00.000-08:00

From Alex Roy's The Driver:

"Our second hour of 150 mph or more inspired a highly unscientific analysis of the actual danger we faced. I concocted what I called The Danger Coefficient (DC). I guessed the average NASCAR driver, in a thirty-six race season including practice, probably drove 15,000 miles -- with a safety cage and onboard active fire suppression -- on highly prepared tracks, with hospitals less than 14 minutes away by choppers on standby. Assuming this represented a DC of ten, Gumball's 3,000 miles meant our DC was two.... until factoring our relative safety deficiencies. High speeds over potholes had to triple our DC to six. Civilian traffic doubled it again, to twelve. Time and distance to medical help? Double again, to twenty-four. Lack of roll cages, harnesses and HANS devices? My guesses ended when I realized Gumball -- at least the way I did it -- was at least five times more dangerous than NASCAR."

From Wright and Decker's Burglars on the Job:

They referred to this process as "burning bread on yourself."

"Thieves got a thang they say [about getting caught,] "If you think about thangs like that, you burnin' bread on yourself" So you don't think about it... Just go for it. [No. 011]

Several of the subjects found it difficult to speak about the risk of apprehension, fearing that such talk would jinx their future illegal activities.
...
Some of the offenders also tried not to think about getting caught because such thought generated an uncomfortably high level of mental anguish. They believed that the best way to prevent this from happening was to forget about the risk and leave matters to fate.

Fiction

2008-11-12T19:57:00.000-08:00

From Ed Park's Personal Days:

"Every employee would soon be required to create a new log-on password consisting of a mix of nonsequential capital letters and a three-digit prime number and a punctuation mark, and then change it once a month by sending an Excel form to a secure website in Oakland. This was just standard operating procedure.

Each demand felt like the securing of a strap on a straitjacket."

4th Quadrant

2008-09-17T19:49:00.000-07:00

My favorite ex-quant, N. N. Taleb, outlines the 4th Quadrant.
Thoroughly enjoyable, but I'm a fan.

This table made sense to me:

In information risk management, what sort of events are fat tailed with complex payoff? Or which are not?
I've suspected that there is a parallel between software and markets, as both proxy human behavior, yet are percieved as acting autonomously.

The Wisdom of Mobs

2008-08-26T18:34:00.000-07:00

Alex mentions stock prices as a potential input into information risk assessment. I'm skeptical of the value of market driven metrics, and the collective wisdom of the market's crowd in assessing value of an asset. The forces driving stock prices in the short term are not afraid to work with rumor, fact, unrelated fact, remotely disjointed misreported fact and insinduendo.* Corporate stock value can be maintained by close Internet monitoring of cowboy executives, especially if you are in the vicinity of 6th and Lamar in Austin, Texas (a couple of e-mail datapoints: GSD&M and Whole Foods ) Must be something in the bottled water. I've said it before (probably), bad stuff will happen long term if you are a third party managing privacy related data, and you blow it. Because your customers will likely have better information, and have the power to put a long term hurt on your bottom line. If you come clean.

And, of course, out asswards talking I am.

And why haven't I written more in the last few months? I'll let my son answer that:

*not a word, but I like it anyway.

Visualize World Data Breach

2008-06-16T22:11:00.000-07:00

38.2% of the known universe has blogged about the Verizon data breach report and how it has changed their life, and opened their eyes, busted icons and confirmed suspicions. But I looked right at the facts there, but I might as well have been completely blind.

My thoughts are simply:

What? No scatterplots? Bar charts and pie charts combined with narrative paragraphs that don't describe either are sort of lame. Give us an idea if there are two or three mammoth breaches that are skewing your stats. A little creativity would have helped. Don't just think the data breach. Be the data breach.
It would have helped to have "data breach" defined. Sometimes, the stats are describing a leak of GLB-style NPI, other times credit card info, other times website defacements. What do you want to bet that the threats and controls for a theft of trade secrets is different than for a credit card data from a Bennigan's POS terminal? Is it enlightening to lump this data together? I recall reading many years ago an essay in a scholarly computer science jounal on Computer Crime. They including the classic network hacking and phone phreaking in their analysis, as well as people hijacking trucks carrying motherboards. So, if I hit someone over the head with a laptop that stores unencrypted SSNs, is that a data breach?
I will give the Verizon guys extra bonus points for not using the report as a sales lead generation tool. I'll rant more on that later.

Photo of Gene Clark courtesy of Find-A-Grave. Think Gene Clark, not Eagles.

Cruel But Fair: The IT Auditor's Ball

2008-04-28T20:13:00.000-07:00

There is no need to remind me how I dislike Las Vegas. As the woman walking away from the conference this afternoon said, "casinos are full of weird people." And she wasn't talking about her fellow information systems governance professionals.

Well, I'm almost live blogging the event (no wireless connectivity? 20 lbs of printed procedings? CACS is old school, baby!) from the IT Audit bloggers meetup (the attendees so far: me & a bottle of cheap scotch).
So what did I learn on my first day at the North American Computer Audit Control and Security Conference?

1. Dumb user jokes still get a laugh. The dumb user jokes need to end now. Really. It adds nothing, and only confirms everyone's opinion that security and audit people are arrogant and condescending. More on this later.

2. The "I am not a lawyer" defense to compliance. If something is too unpleasant, or unsavory, yet explicitly outlined in law and regulation, there is a tendency to punt the enforcement to legal. Cause, you don't want to practice law without a license. You know, cops aren't lawyers, either. Nonetheless they enforce the laws. This is an issue that can be solved, and likely has been, between auditors, security practitioners and lawyers.

3. The ice machine on the 13th floor of the Rio is broken. This is the thoughest lesson I've learned. But experience is a bitter and effective teacher.

4. Can gaussian distributions be helpful in analysis of breach disclosure? My butt was in the wrong seat to attend this talk, but the slides were curious (mostly because the color-coding in the pie charts didn't work in the B&W procedings). I would have been interested in hearing how that would work. I don't have the depth in stats to have flung anything at the presenter, but I may have had the guts to shout "HERETIC."

Soundtrack for today: "Raving & Drooling"

Metrics Gone Wrong: Horsepower at 100% Throttle

2008-04-16T19:12:00.000-07:00

In the April issue of Bike magazine, Simon Hargreaves examines the myth of the dyno. The rise of the the Dynojet Dynamometer provided a cheap, standard way to measure motorcycle horsepower, allowing a common manner to rate the impact of your performance tweak. Roll your bike up to the rollers, and wind it up to full throttle. Moments later, the dyno spits out a pretty graph with torque and horsepower. (I recall a sweaty, restless July night at Texas World Speedway, the motorsport jewel of the Bryan/College Station where my buddy and I parked the VW camper van next to the dyno. Yosh pipes howling through 100% throttle get old after about the 15th carb rejetting, but the dyno truck's jam box pumping out interstitial "Give It Away" got old after the 5th round. )

None the less, Hargreaves cites the problem with a standard measure:

First, higher horsepower figures than the manufacturer next door sells more bikes than him, though - second - higher horsepower figures bring anti-biking legislation closer and closer, despite the fact that - third - accident figures aren't related to increased power, even though - fourth - the performance of your three 160hp models comfortably exceeds the ability of your customer to get anywhere near using it all without crashing.

The answer is measuring 40% and 20% throttle as well. The nebulous corner exit power that was measured only in sphincter tension or nebulous terms like "grunt" and "oomphus" is now a value that can be colored red, blue or green and plotted on a pretty graph. And a telling graph it is, as the GSX-R1000 appears to have dropped power at 20% throttle (to reduce highsideability) while maintaining the pornographic 160hp at top.

So, the top number, the easy number, the number of honorable tradition, means less and less once it is maxed. The tweaks underneath where there, and important. But you are stuck with your gut feeling until you plot it with a pretty blue line.

Metrics Gone Wrong: Body Count

2008-04-14T16:34:00.000-07:00

From the Washington Post, and which also I heard on the radio this morning, the Colombian army finds a twisted method to meet their performance metrics:

But under intense pressure from Colombian military commanders to register combat kills, the army has in recent years also increasingly been killing poor farmers and passing them off as rebels slain in combat, government officials and human rights groups say. The tactic has touched off a fierce debate in the Defense Ministry between tradition-bound generals who favor an aggressive campaign that centers on body counts and reformers who say the army needs to develop other yardsticks to measure battlefield success.

This is the most extreme example of how a metric intended to track progress toward a goal becomes a measure of performance for the implementers. Focussed on the finger pointing at the moon, rather than the moon itself, the implementers manage the metric but undermine the goal. I don't believe this behavior is uncommon. I saw this sort of behavior in a past life as a fraud examiner. An individual forged a stack of documents, because he understood more documents were good for the company, their legitimacy only an inconvenience.

Releative Position and Privacy

2008-03-17T08:05:00.000-07:00

Ed Felton recently wrote two posts on the failure of the marketability of privacy, and how corporations and consumers should respond. According to Felton:

There’s an obvious market failure here. If we postulate that at least some customers want to use web services that come with strong privacy commitments (and are willing to pay the appropriate premium for them), it’s hard to see how the market can provide what they want.

In the follow-up, Felton describes a standard contract and a sort of privacy escrow protocol to protect individuals against the desperate actions of a cratering start-up.

The more I read and think about privacy, the theory that an individual's privacy has a value that can be exchanged on the market becomes less and less compelling. Frank Pasquale wrote at Concurring Opinions that in the market model, you trade your privacy for efficiency and convenience, using Gmail as an example:

[C]onsider the type of suspicions that might result if you were applying to a new job and said "By the way, in addition to requiring 2 weeks of vacation a year, I need to keep my email confidential." The bargaining model is utterly inapt there. . . . just as it would have been for women to "bargain" for nondiscrimination policies, or mineworkers to bargain, one by one, for safety equipment.

He concludes that people who trade their privacy will outcompete those who do not, and that
"[a] collective commitment to privacy may be far more valuable than a private, transactional approach that all but guarantees a 'race to the bottom.' " The paper he cites on cost benefit analysis and relative position was interesting (to me at least) when read in terms of privacy. From the abstract:

When a regulation requires all workers to purchase additional safety, each worker gives up the same amount of other goods, so no worker experiences a decline in relative living standards. The upshot is that an individual will value an across-the-board increase in safety much more highly than an increase in safety that he alone purchases.

"Privacy" can be substituted for "safety." Can "security" also be considered in this context? Is it already?

2008-03-03T18:14:00.000-08:00

From Rothman, an article at CSOnline discusses Moody's infosec risk rating service.

I personally dig this quote:

The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business... Last year Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but I think it’s a non-value-add service,” he says.

A non-value-add service? To quote Michael Scott, that's what she said.

photo from Dwight K. Schrute.

Now That's a Complaint.....

2008-02-27T17:07:00.000-08:00

From Concurring Opinions (and elsewhere), a paper by Chris Hoofnagle "Measuring Identity Theft at Top Banks." Hoofnagle is asking the question: How does a consumer or regulator measure the incidence of identity theft from a financial institution? In an attempt to answer, Hoofnagle took the number of identity theft complaints collected by the FTC and matched them up with institutions listed on the complaint, with the intent of coming up with a score that could be used by consumers to judge how well the institution protects identity.

Call me crazy if I'm wrong, but Mr. Hofnagle seems to be pushing the data way beyond its utility.
Is a complaint to the FTC via a web form a reliable indicator of fraud controls at an institution? In my past experience as an investigator, I handled many cases of identity theft. I'd estimate that at least half, if not two thirds of the allegations of "identity theft" were not, in fact, identity theft. A suspicious charge on a bill, a bad skiptrace, or even a breach disclosure notice could result in complaint of "identity theft." Crime statistics that involve prosecutions of actual criminals may provide an underreported, but more reliable measure.

Hoofnagle mentions that he believes the number of FTC complaints may be low, due to historic underreporting of identity theft to criminal authorities. Again, according to my experience, which may be non-representative, I'd say that people will fill out a web form that belongs to the FTC sooner than they'd call the police. The FTC is more analogous to the Better Business Bureau than law enforcement.

I was going to write something about my frustration with the publicity that the FTC complaint statistics were receiving. Complaints are easy to count and a handy metric. But I don't think that they mean much without some evaluation of the validity of the complaint. That is, what is interesting is hard to find out.

Right before I read Hoofnagle's paper, I read this post from the Microsoft Security Development Lifecycle blog. The author makes the following statement regarding using vulnerability counts as a measure of software security:

"Measuring security is a real challenge, and while we may debate the
merits of vulnerability counts, right now it's the only concrete metric
we have."

I guess I'm saying that the only concrete metric one may have may be misleading, inaccurate, or irrelevant. Concrete isn't synonymous with valid. I may have issues with "metrics" but I love Metric. Need less, use less, we're asking for too much I guess, cause all we get is...

Fillings

2008-02-06T17:03:00.000-08:00

Dental countdown:

4. Juicy stuff from re: The Auditors on SocGen.

Latest news out of France has Finance Minister Christine's Lagarde's report saying that in addition to controls being lax, (duh!), someone who understand the controls should have never been able to be a trader.
With all due respect to Ms. Lagarde, this is ridiculous. Just look at their annual report. They've got "controls" up the wazoo...This is a lame, puppy-dog, excuse.
It's the management, stupid!

Schweet.

3. On the local front, an unhappy IT laborer hacks into bosses e-mail, sends naughty messages.

The affidavit says that Das told Southerland he was holding the Web site hostage until he received his paycheck. Though Southerland said that checks weren’t being dispersed until the following week, Das hacked into Southerland’s e-mail account and sent e-mails to Southerland’s clients and family defaming the company, according to the affidavit.

One of the hostage servers was a database for a site called Rotten Neighbors, where you can be a neighborhood fussbudget without putting on your slippers and yelling at passing cars in your driveway. Such an operation may not provide a gruntle-rich environment that would provide the last paycheck patience that is in such short supply nowadays.

2. And if we learned anything from SocGen, we learned that misbehaving employees are not always motivated by greed, as local community radio KOOP learned recently as they were arsonized. Like French bankers, they were SHOCKED that a buzz kill playlist would lead to wanton destruction of assets.

1. From toohotfortnr, this article identifies scooters as weapons of insurgency. Have we learned nothing?

He begged me to follow but legions of sorrow defied me

2008-02-01T19:11:00.000-08:00

I may not be sure what my point is. Black Swans with trading accounts? The letter U and the numeral Two? Or that it actually does take two ringy-dingys. I only know that the following illustrates it in the most vivid fashion possible.

Data Privacy Day

2008-01-27T20:18:00.001-08:00

To appropriately observe Data Privacy Day, I will not ask you how it is hanging.
That is strictly a matter between you and whatever hangs off you.

Photo of sloth having its privacy violated from sfPhotocraft.

Segregation of Obscurity

2008-01-24T19:49:00.000-08:00

From Forbes account of the Societe Generale billion dollar fraud:

"It's Nick Leeson, the story is exactly the same," said Celent's Pierron. "We have a trader who trades futures, or derivatives, who hides his losses by using weaknesses in the risk-management system." He said that as long as traders had knowledge of back-office operations, the risks of
abuse would always be there.

A spokesperson for Societe Generale said that there would be thorough reviews of internal controls, but noted that this particular case of fraud was "very, very sophisticated."

So, segregate controls, but keep them obscure.

I got some groceries, some peanut butter

2008-01-24T19:14:00.000-08:00

From the maddingly brilliant book of the Naples System, Gomorrah, a description of security during the Secondigliano War between the Spanish and DiLauro clans:

I would ride my Vespa through this pall of tension. In Secondigliano I'd be frisked at least ten times a day. If I'd had so much as a Swiss Army knife on me, they would have made me swallow it. First the police would stop me, then the cararbinnieri, sometimes the financial police as well, and then the Di Lauro and Spanish sentinels. All with the same simple authority, the same mechanical gestures and identical phrases. The law enforcement officers would look at my driver's license, then search me, while the sentinels would search me first, then ask lots of questions, listening for the slightest accent, scanning for lies. During the heat of the conflict the sentinels searched everyone, poked their heads into every car, cataloging your face, checking if you were armed. To motorini would arrive first, piercing your very soul, then the motorcycles, and finally the cars on your tail.

I was struck by the difference in approaches to the basic "airport security problem" between those who were obliged to obey the rule of law, and those who knew an error in their judgment would likely mean their own death.

Foto of the arrest of Cosimo Di Lauro from La Repubblica.

White Knuckles

2008-01-14T17:33:00.000-08:00

This looks interesting, in the context of cultural cognition of risk. Entertaining legal wonking on the issue at Concurring Opinions and Volokh.

Amazing the lack of agreement as to when "Yee haw!" becomes "Holy Crap!" while behind the wheel.

Photo courtesy Marie Rose Ferron / Flickr

Die Doing Something You Love

2008-01-06T19:47:00.000-08:00

"To die doing something you love."
I encountered variations of this phrase three times Saturday.

1. In Chris Jonnum's biography of the Haydens, the on track death of flat-tracker Will Davis. Davis was a hero of Nick Hayden's. Mourning his death, Nick said that there is no tragedy if you die doing something you love. Nick did run his next road racing victory lap backwards in Davis' honor.

2. On the DVD of The Race to Dakar, Andy Caldicott died doing the thing he loved, as described by Charlie Boorman. No one will be permitted to die this way this year, since ASO has cancelled the Dakar race due to threats for terrorism. (You can die doing what you love, not what Al Qaeda loves.)

3. Andy Olmstead states in his posthumous blog post that he died doing the job he loved.

If you love your job, you can accept any level of risk.