Thursday, March 19, 2015

BSides Austin 2015

In the old days of rock 'n' roll 45 rpm records, the "A" side was the hit release and the "B" side was just something else by the group.  The Beatles broke the decade-long precedent by topping the charts with both A-side and B-side songs.  At DefCon 17 (July 2009), the speaker proposals were over-subscribed, so some of them held their own "on the b-side."  B-Sides Austin goes back six years to 2009.  (BSides Wiki here.)  This year continued the trend for informative speakers, entertaining extras, great vendor support, and engaged participation within the computer security community of Austin.
Volunteer Staging in Preparation for the Opening 

About 300 Austin Computer Security Professionals Attended
Issuing ID, lanyards, t-shirts, and tote bags,
orienting the attendees,
and basically bringing normalized database order
to a Markov Chain. 
Our social media coordinator
tweeted his thumbs off
It all hinges on the sponsors.
Without them,
the conference would cost four times as much.
Coffee from the Denim Group
The Opening Session
IBM was gracious and supportive. I got a "Think" ballcap.
Rapid7, ISSA, Kaspersky Lab, Praetorian, IOActive, Digital Defense, Synack, OpenDNS, LastPass, Splunk, and the Independence Brewing Company also underwrote the conference.

(Full list at
Two job boards
begged for analysts, engineers, and architects.
(The Premera breach was not yet admitted.)
Lock picking is part of hacker culture
as explained …
…in Hackers: Heroes of the Computer Revolution
by Steven Levy (1984).
Worth one thousand words.
Friday Keynote Speaker
Reuben Paul (link among others) interviewed.
Conference coordinator
Richard Stephens meets the media.
Austin Fire Marshal Larry Jantzen
spoke at lunch on the 2nd day,
explaining the multifaceted work of his department.
BSides Austin has a love-hate relationship with the Fire Marshal
because he closed our evening session the first year
for violating the attendance limits.
Security is security, physical or cyber.
Breakout session speaker Aamir Lakhani
worked as an advisor on
Big Bang Theory and The Avengers.
I volunteered to serve as master of ceremonies for Track 2. I introduced speakers. Basically, I looked them up on LinkedIn; and then I met them at the conference to get the kind of interesting and positive  things that most people would not know. I timed the talks, kept them on schedule, and counted the audience before and after.

I met Earl Carter from Cisco Systems, Josh Pyorre from OpenDNS, Kate Brew of the Alien Vault and her colleague Charisse Castagnoli (adjunct professor of law at the John Marshall Law School, among other affiliations), Aamir Lakhani from Fortinet, Praetorian's Julian Dunning, and IOActive's Damon Small. (Damon was at the Happy Hour the night before.)  My sessions closed with Roxy D of Firehost and Mike Sconzo of Bit 9 + Carbon Black.

Also on NecessaryFacts
BSides Austin 2013 
Your Cell Phone is not Safe
Securing Your Viper Against Cylons

Saturday, March 14, 2015

Happy Pi Day of the Century

Every March 14, we celebrate Pi Day.  3.14 is a pretty good approximation, better than 1 part in 1000. This year, being 2015, we acknowledge 3.1415 in significant digits.  You can carry it out further at 9:26:53 AM and PM: 3.141592653. 

Also this year, you can celebrate for another second to 9:26:54 because 3.1415926535… continues to 8979… So, 3.1415926536 is an acceptable estimate. 

You can have a pretty good celebration next year, as 3.14159 rounds to 3.1416, which is a better approximation than 3.1415.

The first 50 decimal digits of pi are 3.14159265358979323846264338327950288419716939937510 (Wikipedia here).  

Pi Day dot org  gives many suggestions for circular festivities – and the first million digits of pi here.  And they sell a clock, with a circumference measured out in radians or fractions of pi.  

The formula for the circumference of a circle is pi times the measure of the diameter: pi times d.  We usually learn C = 2 pi r first because twice the radius (2r) is the diameter, and we usually draw a circle with a compass by measuring the radius. 
So, half way around a circle (180 degrees) measures pi. All the way around (360 degrees) is 2 pi.  90 degrees is pi/2 …  45 degrees is pi/4… 30 degrees is pi/6 or one-twelfth of a circle or 1 o’clock.  

We use the lowercase Greek letter pi because it begins the Greek words “perimeter” (“measure around” perimetron) and “periphery” (“carry around” perifero). It is something of a modernization because Euclid, Archimedes, and the other ancients only had what we now call capital letters.  The lowercase letters were invented in the Middle Ages. 

(The Middle Ages followed the Dark Ages, which is where software applications management and marketing teams live permanently.  Blogspot has no Symbol font; neither does WordPress.  We live in an age of ignorance. Seeking a personal Renaissance, I have a year to figure out the CSS and code my own or find a plug-in, sort of like when the West learned Arabic numerals.) 

Friday, March 6, 2015

Alternatives to Prison (Part 1 of 3)

Introduction:  For almost 200 years, the treatment and punishment of convicted criminals was defined by blending the Pennsylvania System and the New York System.  And, of course, it did nothing to remediate either the offender or the harms.  People came out of prison worse than when they went in.  They re-offended.  And their victims often were the same people they hurt before.  It is a cliché in corrections that prisoners are returned to within 100 yards of where they were arrested.  However, we have made progress.  Community corrections, moral reconation therapy, and reintegrative shaming are among the new modes that provide successful outcomes.

Failure Modes

Historically, transgressors were exiled.  The modern prison solves that problem with topology: we lock them in, not out.  However, the modern prison system does not have deep roots in history.  Until America in the 18th century, prisons were only for holding people until they were brought forward for punishment.  Some people might never leave prison, but incarceration was not the intended punishment for the crime. 

The modern prison began in 1788 with the Penitentiary House of the Walnut Street Jail in Philadelphia.  The purpose was specifically to reform the penitent.  The intention to remake and rehabilitate the offender led to the construction of the Eastern State Penitentiary in 1829.  Separating convicts into solitary cells was a radical idea, consistent with the social theories of the Enlightenment.  Cesare Beccaria’s On Crimes and Punishments (Dei delitti e delle pene, 1764) launched the modern study of penology within criminology.  Beccaria argued against capital punishment and torture. His ideas were incidentally consistent with Quaker theory on salvation.  For them, solitary confinement was supposed to allow the penitent to come to terms with God.

However, an alternate model also informed penology:  convicted offenders should live and work communally under close supervision coupled with physical punishment for non-compliance.  That was the Auburn System created in New York following the appointment of Elam Lynds as warden of the prison in 1821. When flogging finally was prohibited in 1847, different punishments were invented. The striped uniform was another innovation in the Auburn System.

From chain gangs and work farms to separate facilities for low, medium, and high-risk offenders, prisons in America achieved little except to keep some people out of the sight of others.  Generally, prisoners themselves controlled their daily routines, usually with the most violent preying on anyone less aggressive.  Illegal drugs passed into prisons through corrupt guards.

Radicals and Reformers

Following the intellectual ferment of the 1960s, new methods for remediating harms slowly advanced within criminology; and they have found some success.  The basic assumptions of their sociology often are informed by some school of socialism, whether Marxist, neo-Marxist, or postmodern.  For them, crime is a response to oppression. For the classic Marxist, economic exploitation reduces the proletariat to criminal activity.  In point of fact, we have found that when the economy improves, crime goes up.  The current long recession (from 2001 to the present) has seen crime go down. 

However, their point is well-made because the outcomes of criminal action are different for different classes. And class correlates with race, though correlation is not cause.  See Our Kind of People: Inside America's Black Upper Class by Lawrence O. Graham (HarperCollins, 1999).  When suburban kids are caught shoplifting, or shooting out streetlights with a pellet gun, or using drugs, their outcomes are different from that of their inner city cohorts. Suburban offenders receive many of the treatments and remediations outlined here.  The poor get prison. 

Moreover, we all offend.  Newt Gingrich once said that for most Americans, the posted speed limit is a benchmark of opportunity.  The only relevant questions are: Whom did you hurt? And what are you going to do about it?


Alternatives to Prison (Part 2 of 3)

Reintegrative Shaming was developed by John Braithwaite based on his experience as an administrative regulator of pharmaceutical firms in Australia.  It was quite simple.  If you go in with a warrant, you only meet the lawyers.  If you sit down for tea with the plant manager, you gain voluntary compliance.  “Sitting down for tea” meant getting the manager to acknowledge out loud that he knew about the violation, and knew that it was wrong. Then, he would promise to fix it, and usually did. 

Braithwaite followed those encounters with research into the anthropology of offense.  He found many examples from history and modern first peoples where the offender was brought back into the community after admitting the transgression and apologizing to the victim, making restoration where possible. 

Sometimes, it is not possible.  An Eskimo man killed his wife; and when her brother complained about that, he killed her brother.  So, his friends invited him to go hunting.  Four went out; three came back.  (Hoebel, E. Adamson. 1967. The Law of Primitive Man: A Study in Comparative Legal Dynamics. Cambridge, Massachusetts: Harvard University Press.).  Usually, the outcomes are better for everyone because most harms are smaller than murder. 

Even though less than homicide, assault is a violent crime.  Victims suffer multiple traumas, deeper than the physical wounds and scars.  Howard Zehr is a photographer.  He created Transcending: Reflections of Crime Victims (Good Books, 2001).   Zehr presented the portraits and the stories of 39 courageous victims of violent crime.  Not all of the encounters brought closure.  In two, the attackers continued to mock their victims.  In one, the subject was a man whose son was killed in prison.  For three dozen other cases, both the victim and the offender found that they could overcome their suffering.

Community Corrections

The Midtown Manhattan Community Court opened in 1993. The Red Hook Community Justice Center in Brooklyn opened in the summer of 1998.  Red Hook’s success has served as a model for many other efforts.  Greg Berman invested two years of daily work, laying the social foundation for the center before it opened.  He met with groups.  He met with individuals. His salary came from a grant by the New York City Housing Authority to the Center for Court Innovation and the Kings County District Attorney’s Office.

The Red Hook court brings offenders and victims together.  The usual harms are domestic violence and shoplifting.  They also get public indecency cases when men are caught urinating in an alleyway.  Their theory on that is that there is no such thing as a victimless crime.   Every transgression harms the community.

In cases of personal crime, perpetrators confront their victims, apologize, and make whatever restitution is possible.  For offenses against the public order, the guilty apologize to an appropriate authority, acknowledge the harm they caused, and perform community service work. 

In many community corrections programs, house arrest with electronic tethering is a common judicial sentence, especially for otherwise non-violent offenders such as the habitual drunk driver.  Community programs find work for them.  Their whereabouts are monitored.  It costs less for us, and keeps them integrated into the community.


That assailants are also victims is a fact of crime.  In the first place, a police investigation often reveals that the victim was only the last person to get hurt the most.  Whether a fight in a bar or a feud between neighbors, they had a personal interaction that played out over time.  Either one could have withdrawn completely, but neither did. 

Domestic assault is different than that.  There, a lifelong violent offender finds a lifelong victim of violence.  Typically, both grew up in abusive homes, as did their parents.  That is how they learned their roles.  To them, it seems perfectly normal. 

Moral Reconation Therapy is one of the most successful treatment programs for domestic and drug abuse cases.  Not surprisingly, they go together, especially when the drug of choice is alcohol; and MRT is also employed for treating drunk drivers.  MRT is the work of Gregory L. Little and Kenneth D. Robinson.  Launched in 1988, it was based on five years of research in the Tennessee prison system.  Research continues across problem areas and the many multi-year follow-up studies on recidivism place it high on the list of evidence-based therapies. 

The process is simple.  Following a tested and proven workbook, counselors direct clients in small groups to explore their own attitudes, beliefs, and emotions.  For them, self-awareness is a new experience.  Ayn Rand most cogently pointed out that the root of all evil is the failure to choose to think.  Thinking is not automatic.  It is volitional.  People blank-out, evade, and repress unpleasant thoughts, especially about themselves.  For a child, it does not take many years for them to become fogged into a reactive life of the immediate present.  Non-violent people become dysfunctional neurotics.  The violent ones become aggressive criminals.  Self-awareness cures that in about half the cases.

For over thirty years, MRT and other evidence-based practices typically have had success rates in the mid-fifties percent.  The National Registry of Evidence-Based Programs and Practices is part of the federal Substance Abuse and Mental Health Administration.


Alternatives to Prison (Part 3 of 3)

Laissez-faire Criminology is my assertion (on this blog) that you do not need to react to every wrong or harm, either against yourself or someone else.  Defining “human” as “rational animal” and given that violent offenders lack self-awareness, they cannot be considered human.  Self-righteous punishment of a criminal is no more meaningful than scolding a coyote or attempting to corral a tornado.  (Indeed, prisons are nothing if not corrals full of tornados.)  Sometimes the best thing you can do is to cut your losses and mind your own business.

Private treaties are one way that corporations deal with white collar crime.  Of all the harms that individuals visit on each other, white collar crime perfectly matches the theory of the rational actor.  White collar criminals are planfully competent.  They are privileged, educated, economically comfortable.  Therefore, the remediations are individualized and based on profit.
 “In responding to and resolving the criminal behavior of employees, organizations routinely choose options other than criminal prosecution, for example, suspension without pay, transfer, job reassignment, job redesign (eliminating some job duties), civil restitution, and dismissal...
“While on the surface, it appears that organizations opt for less severe sanctions than would be imposed by the criminal justice system, in reality, the organizational sanctions may have greater impact...  In addition, the private systems of criminal justice are not always subject to principles of exclusionary evidence, fairness, and defendant rights which characterize the public criminal justice systems. The level of position, the amount of power, and socio-economic standing of the employee in the company may greatly influence the formality and type of company sanctions.  In general, private justice systems are characterized by informal negotiations and outcomes, and nonuniform standards and procedures among organizations and crime types.”
(Hallcrest Report cited in Introduction to Private Security, Hess and Wrobleski, West Publishing, St. Paul, 1982, 1988. The Hallcrest Report I and II, by William C. Cunningham and Todd H. Taylor, et al., Butterworth-Heinemann, Boston, 1985 and 1990.)

When Nothing Works

Robert Martinson is famous for “What works? Questions and answers about prison reform” (The Public Interest 35.2; 1974: 22-54).  His research was immediately recast as “nothing works.”  Martinson found that every attempt at rehabilitation in prison had failures, often in greater proportion to their successes.  Successful treatments tended to work only for various minorities, often poorly identified or defined. 

Eventually, the claim that “nothing works” generated another response.  Among very many articles, consider:
· “Beyond ‘What Works?’ A 25-year Jubilee Retrospective of Robert Martinson’s Famous Article,” by Rick Sarre, in Australian & New Zealand Journal of Criminology 34: 38-46.
· “Does Correctional Treatment Work? A Clinically Relevant and Psychologically Informed Meta-Analysis” by D.A. Andrews, Ivan Zinger, et al., Criminology, Volume 28, Issue 3, Pages 369–404, August 1990.

Reduce your problem population as much as you want; eventually you will find individuals for whom nothing we know of will solve their problems.  What do you do with the unregenerate?

Perhaps we should just kill them.  We would save ourselves the trouble and expense.  Consider that we know that a child who is cruel to animals grows up to be a violent offender.  Would it be right to kill a child for abusing a family pet?  Ideally, the offender would be remediated and re-integrated with one of the other responses.

The therapies and remedies discussed above may not work in all cases.  Ultimately, we are left with an intractable problem. We build very many small spaces for internal exile.  In Russia, they have all of Siberia for internal exile.  That may remain the best solution for the worst cases.