Posted via web from danielmiessler.com | posterous

I love content like this that opens one’s mind to the flawed ways in which we’re processing input. This is a site to watch. ::

Links

[ Understanding Uncertainty | understandinguncertainty.org ]

We’ve been debating agnosticism and atheism here for the last couple of weeks. One of the sub-arguments that has pronounced itself has come from my general proposition that religion is harmful.

My friend CarlM has repeatedly argued against this. His argument seems to be that religion is not the actual cause of any danger, but rather one of several means or instruments that can be used to commit evil–just like guns. He has challenged me to substitute the word “guns” in any argument I make about the danger of religion, as he thinks they are both simply means, and thus interchangeable.

So I will try here and now to concisely argue why religion is in fact more dangerous than handguns.

–

When we talk of harm being caused by humans to other humans, and we seek to understand why it happens in order to stop it, it is important to identify the variables involved. It’s also important to differentiate between active and passive participants.

So if I, for example, I am angry at my neighbor’s car exhaust kit, and I pick up a stone in the yard and hurl it at my neighbor’s head–causing a wound–it is fairly difficult for me to blame the stone. In this case, as most will agree, the stone was completely passive, and the real problem here was that I threw it at someone’s head.

One could make the argument, however, that there were simply too many stones in the yard, and that this made it too easy for me to throw one at someone. This is a silly argument because stones are plentiful in nature and are not much more dangerous than many other things found in the natural world. So I won’t be setting this up as a strawman argument on behalf of Carl.

So, to blame the stone in that case is completely illogical, and if that were Carl’s argument then I would have already won. But it isn’t. The strength of Carl’s argument comes with the creation of efficient killing machines–e.g. handguns.

Let us imagine that there are certain variables to the causation of harm between humans, and the total is a product of these variables. Let’s try to list them:

1. The belief it’s either ok, OR the inability to control anger that would be unacceptable to the human in less emotional circumstances. We’ll call this WILLINGNESS.

2. Ease of access to a weapon that will satisfy the feeling of aggression. We’ll call this ACCESS.

3. The lethality of the weapon. LETHALITY

These combine via multiplication to produce a product, so if any of the three are zero we have no harm caused. Let’s say all have a range of 1-10, so we have a maximum of a 1000 harm score.

WILLINGNESS x ACCESS x LETHALITY = HARM

Let’s test this with model with my rock. The willingness–in this case coming from anger and not an actual justification that I would have were I not mad– was high, and the access was high, but the lethality was very low. So let’s say:

7 x 7 x 2 = 98

Yes, the numbers are arbitrary, but I promise to try to be fair.

To Carl’s argument, let’s decrease the access level some and increase the lethality:

7 x 5 x 5 = 175

So, almost double. I agree with this being bad, so on that point I do not object.

But with religion I think we need to add an entirely new variable–namely CONTAGIOUSNESS. This variable will indicate how likely others are to increase their own WILLINGNESS to cause harm–in this case from a belief in justification rather than an inability to control temporary anger.

Let’s modify the formula to include it.

WILLINGNESS x CONTAGIOUSNESS X ACCESS X LETHALITY = HARM (total now 10,000)

And let’s recalculate my score with the stone:

7 x 2 x 7 x 2 = 196 out of 10,000 (pretty low)

And now with a handgun:

7 x 2 x 5 x 5 = 350/10,000 (still pretty low, but much higher)

So this is where my argument about religion comes in. Religion can raise the WILLINGNESS and CONTAGIOUSNESS values, whereas weapons cannot. Weapons can only raise the ACCESS and LETHALITY values, which I am arguing are far less significant.

For example: I believe a large percentage of the American public, if told by President Bush, that the best method for dealing with the Iraq or Iran or Afghanistan, which are mostly Muslim (and therefore against God), was to level the place and start over–would go along with it.

They’d basically say:

Well, this is unfortunate, and I don’t like it, but you have to do what you have to. They hate Jesus and want to hurt us. They want to make my little angel into a Muslim and marry her off at 9!

And so when it comes time to man the Crusade, they’ll happily send Billy off to kill bad guys abroad. Let’s do the calculation for this:

8 x 8 x 7 x 7 = 3136

The key here is that there is another actor that has entered the mix. It’s not the Christian who wants to hurt the Muslim, and it’s not the Muslim. It’s God. God becomes an EXTREMELY powerful force for raising the WILLINGNESS and CONTAGIOUSNESS in our harm equation.

In short, God telling someone that person x is against them is a CAUSE of WILLINGNESS. The CONTAGIOUSNESS is contained within the Bible and all the Churches across the country fostering the belief that this WILLINGNESS to harm others is justified. And this is religion doing this, not the M16 or the cluster bombs that will be used to actually do the harm (LETHALITY).

Conclusion

WILLINGNESS x CONTAGIOUSNESS x access x lethality = Harm

So here’s the knight’s move:

1. WILLINGNESS is the variable we should seek to control the most, as in the years to come it will continue to get easier to gain ACCESS and LETHALITY, and the only long-term solution is to limit our WILLINGNESS to cause harm to others.
2. Therefore, anything that raises WILLINGNESS is the cause of the most harm, and this includes most notably doctrines or religions that, through Biblical texts and/or churches, teach that the creator of the entire universe is being offended by x, y, or z.
3. This why religion is much more dangerous than handguns: it serves both as a justification for inflicting said harm, and as means of spreading this willingness to others.

::

This is a Craigslist posting out of Savannah, Georgia:

To the Guy Who Mugged Me Downtown (Downtown, Savannah)

I was the white guy with the black Burberry jacket that you demanded I hand over shortly after you pulled the knife on me and my girlfriend. You also asked for my girlfriend’s purse and earrings. I hope you somehow come across this message. I’d like to apologize.

I didn’t expect you to crap your pants when I drew my pistol after you took my jacket. Truth is, I was wearing the jacket for a reason that evening, and it wasn’t that cold outside. You see, my girlfriend had just bought me that Kimber 1911 .45 ACP pistol for Christmas, and we had just picked up a shoulder holster for it that evening. Beautiful pistol, eh? It’s a very intimidating weapon when pointed at your head, isn’t it?

I know it probably wasn’t a great deal of fun walking back to wherever you’d come from with that brown sludge flopping about in your pants. I’m sure it was even worse since you also ended up leaving your shoes, cell phone, and wallet with me. I couldn’t have you calling up any of your buddies to come help you try to mug us again. I took the liberty of calling your mother, or “Momma” as you had her listed in your cell, and explaining to her your situation. I also bought myself some gas on your card. I gave your shoes to one of the homeless guys over by Vinnie Van Go Go’s, along with all of the cash in your wallet, then I threw the wallet itself in a dumpster.

I called a bunch of phone sex numbers from your cell. They’ll be on your bill in case you’d like to know which ones. Alltel recently shut down the line, and I’ve only had the phone for a little over a day now, so I don’t know what’s going on with that. I hope they haven’t permanently cut off your service. I was about to make some threatening phone calls to the DA’s office with it. Oh well.

So, about your pants. I know that I was a little rough on you when you did this whole attempted mugging thing, so I’d like to make it up to you. I’m sure you’ve already washed your pants, so I’d like to help you out. I’d like to reimburse you for the detergent you used on the pants. What brand did you use, and was it liquid or powder? I’d also like to apologize for not killing you and instead making you walk back home humiliated. I’m hoping that you’ll reconsider your choice of path in life. Next time you might not be so lucky. If you read this message, e-mail me and we’ll do lunch and laundry.

Peace! – Alex

So we’ve heard all the arguments about Republicans being strong on defense, and Democrats being weak in this area. This isn’t one of those arguments. It is true, however, that we will likely be attacked again, in the United States, as a result of Obama being President.

The reason for this is that terrorists don’t want a healer in power. Terrorists want to be hunted an oppressed; their ability to recruit and amass power feeds on feelings of unjust prosecution by the evil. So when Obama steps up and says, “It’s a new day; let’s talk.” he reduces the power of the terrorist leadership. He takes away, to a significant degree, the ability to claim that killing innocent people is the only option.

Terrorists loved Bush, and they wish McCain had won. Bush grew their ranks more than anyone before him. Sure, he did some damage to them as well, but they love to be injured by those their followers hate; it just makes them stronger.

In short, Obama’s openness and ability to reduce global hatred for the United States is a direct threat to the livelihood of terrorist leadership. As he begins making progress on his agenda there will be significantly less support for operations that harm the U.S., as we will once again be seen as a positive force rather than a negative one.

But there’s a solution for them–attack us again on our own soil. This will result in a very predictable series of events:

1. It will (falsely) vindicate Bush by showing that his actions were for a reason. In short, the sentiment will be, “Well, whatever Bush did…at least he kept us safe.”
2. This will lead to a forced, massively non-progressive swing by Obama. He’ll have no choice but to implement an approach very similar to Bush’s, which the world will hate and will lead to more power for the attackers.
3. But this won’t be enough. At the end of Obama’s term, he’ll be replaced by a “strong conservative” who can “keep us safe”. And we won’t be attacked again during his term because his backward policies (like Bush’s) will once again grow their power.

It’s simple. We’re about to be played. Terrorists need someone like Bush in charge of the United States in order to further their own goals, and attacking us during Obama’s administration is the best way to bring that about.

So keep your eyes open. Not for a potential terrorist attack (you have a better chance of dying from a lighting strike). No, keep your eyes open for the reaction to it, if it happens. Our ability, as a nation, to see through such a tactic will be absolutely crucial. ::

Image from wired.com

Holy shit. I mean, yeah, I knew this would eventually happen–maybe 5 or 10 years from now, but damn.

These scientists in Japan can show people a word and then pull it back out of their brain–without even touching them (fMRI). I add that last part because it’d still be cool if they needed to be jacked into their skull to do it. But no, they don’t.

Wicked brutal stuff. Here’s a funny quote from this article about it:

The researchers suggest a future version of this technology could be applied in the fields of art and design…

Yeah, that’s the first thing I thought of, too. You can read people’s minds from a distance, and now we’ll be able to do better art. Someone needs to get out more.

Image from infosecblog.org

I have a wicked crazy idea.

What if we in the information security community were to organize a campaign to get level-headed, rational thinkers into positions of influence (as advisors) to Obama’s administration. I’m thinking of people like Lawrence Lessig (who I understand is a friend of Obama already), and Bruce Schneier.

I actually pitched the idea to Bruce Schneier in person at the Security Bloggers Meetup at RSA this year. He was on his way out, so we didn’t like go into it, but he told me he’d be interested. So then I called Rich Mogull and asked him what he thought. He had some good input on the topic, and he then clued me in on the Lessig angle.

The Pitch

The United States needs to fundamentally revisit how it approaches security. We need to incorporate more of Schneier’s approach, i.e. addressing risks based on their true weight rather than the weight our irrational human minds assign to them. And Obama is the type of person who can 1) understand this concept, and 2) might actually take action.

Imagine no more wasted millions on security measures that have virtually no effectiveness. And think of what we could do if we invested that money in measures that could actually make a difference.

Obama can do this. He’s our best shot at a leader who will listen to logic. And we, in this small but talented and vocal community, could perhaps organize a meeting between some true experts and Obama’s people.

Think about it. Lessig, Ranum, Scheier, Bejtlich…overseeing (or at least advising) a logical overhaul (with others in his staff of course) of our existing and antiquated approaches to security.

What do you guys think?

I’ve recently been turned on to Stratfor (thanks John Heasman), which is a private intelligence organization that serves as an extremely interesting source of information.

Anyway, they have an interesting video on their site about how people tend to miss things they aren’t looking for. Check it out.

There is much debate in the information security world regarding the proper definition of security. I have seen dozens of definitions over the years, but I feel the following option most completely and succinctly captures it.

The process of maintaining an acceptable level of perceived risk.

There are a few things I like about this definition.

1. Process. i.e. it doesn’t end.
2. Acceptable. This alludes to the fact that the organization’s upper management decides—based on the entity’s goals as a whole—how much risk to take on. The crucial piece here is that this isn’t for security professionals to decide.
3. Perceived. In short, “you don’t know what you don’t know”. And this is where security professionals come in. Their entire job is to ensure that management is making informed decisions.

Risk

As we all know, it’s not a good idea to use words with disputed definitions as part of another definition. And since risk is one such word, I’ll clarify briefly how I define risk.

In general, I prefer NIST‘s description from NIST Publication SP 800-30:

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.

This reveals a few primary components: likelihood, threat-source, vulnerability, and impact. The word “function” used in the definition is pivotal; it reveals that if any of the values increase or decrease, the total risk does as well. I also prefer to add asset value to the equation, and this is a popular choice.

Ultimately, however, the definition of risk can be reduced to a much more usable, less academic form, and this is the way you are going to be most successful communicating it with those who are not security professionals.

A risk is a chance of something bad happening.

Too simple? Not really. It’s instantly understandable to virtually everyone, but at the same time it does not contradict the more complex definitions.

So when should you use one definition vs. the other? In general, use the simple version. Getting entangled in the infinite number of ways risk can be calculated is something to avoid. It drains time and rarely accomplishes anything when broken down much farther than is described above.

Summary

So, written out (i.e. without the word “risk”) we arrive at:

Security is the process of maintaining, based on what we know, an acceptable level of likelihood that something bad will happen to the organization.

…and once again, in it’s more succinct and elegant form:

Security is the process of maintaining an acceptable level of perceived risk.

Links

[ Security | wikipedia.org ]
[ NIST Publication 800-30 | nist.org ]
[ Risk, Threat and Vulnerability | taosecurity.blogspot.com ]

But he’s a financial guru with a solid track record. Some dismiss him because he’s known as “Dr. Doom”, but that was probably going on in 1929 as well.

The scariest part about all this to me is the unrest. I firmly believe that’s coming. We’re about to fall as a superpower. We’ll soon be a third-world country with various pockets of wealth speckled about. I give it 5-10 years, but I wouldn’t surprised if we saw the first major breakdowns of society in the coming months.

Go pack your “oh shit” bags.

[ Worse Than the Depression ]