Securosis

Research

If You Have HDTV Check This Out

I watched Planet Earth on the HD version of the Discovery Channel last night. It’s friggen awesome- the best use of my HDTV since the World Cup. I mean, where else can you watch a 20 foot Great White shark launch itself out of the water in slow motion in high definition as it munches on a sea lion fur seal? Only thing better would be sharks with freaking lasers on their heads. There are a lot of security tie ins- ranging from situational awareness to… aww, who am I kidding, it’s just really cool. Like IMAX at home. I highly suspect animals were harmed during the filming of this particular production.* *not that I like to see things getting killed, been around too much death for that, but this is a seriously amazing documentary. Updated: it was a fur seal, not a sea lion. You’d think I’d know that. Thanks Alan… Share:

Share:
Read Post

BeanSec with the Hoff

Nope, not the lifeguard dude. Someone a bit more interesting. I bet that Night Rider dude never climbed Kilimanjaro despite some serious leg injuries. Chris Hoff wins the official award for “Best Host for Security Geeks in Boston”. I rolled in Tueday night and after an excellent dinner we won a secondary award for “Worst Dressed in the Hotel Bar at Midnight”. He followed this up by letting me tag along to BeanSec over in Cambridge, where I also got to catch up with Mike Murray. The life of a road warrior can get a bit lonely at times; it was great to spend two nights hanging with my peers in casual environments rather than catching up on Dancing with the Stars or Armed and Famous. BeanSec was pretty cool, and I’m thinking we need something similar in Phoenix. PHXSec? Thanks Chris- hopefully I’ll get the chance to return the favor someday… Share:

Share:
Read Post

Worthless Security Theater at the Empire State Building

Last week was one of those crazy travel ones. I headed to NYC for some client work, and since my wife had never done the tourist route there she came along and I took some time off to show her around. I’m not from NYC, but I’m from the part of Jersey that likes to think we are (technically, I lived closer to Manhattan than some of the other boroughs). After a few days in the city we headed down to Richmond, VA to catch up with my family. It was a ton of fun- we caught up with a bunch of friends and spent a couple nights staying with Chris Pepper and his wife Amy- who it turns out are pretty exceptional hosts, even when their daughter’s a little sick. It’s weird going back to post-9/11 New York. Aside from the skyline of my childhood being forever altered, there’s a different vibe in parts of the city. (And why the f* don’t we have any real progress on a new WTC?!? Are politics so bad in this country we can’t get anything done anymore?). One of those vibes is security- I hadn’t been in the Empire State Building for about 10 years, but the day was clear so we decided to give it a shot. Aside from the dramatically inflated prices and lines (carefully hidden so you can’t see them where you buy your ticket) there was the ever-present x-rays and magnetometers. Magnetometers de-tuned to such a level that I walked through with my jacket, belt, and watch on- and cellphone and camera in my pocket. Maybe that thing would have stopped a rifle, but I had more than enough metal for all sorts of badness on me. Then again, I suppose if it’s all just for show, there’s no reason to actually inconvenience people. No wonder ticket prices are up. Stupid. Stupid. Stupid. Share:

Share:
Read Post

Heading to the Boston Area

Not the city, but just outside. Drop me a line if you are in the area- I’m out there for 2 days so actually have a free evening. Share:

Share:
Read Post

If You Want to Kill All Humans, This is a Good Start

From /. No, not some discussion on something controversial like global warming. Just the FDA approving use of a potent antibiotic in cattle against warnings by the AMA and other medical and scientific studies. You know, one of those drugs that the nasty bugs are becoming resistant to. There are enough articles out there on antibiotic resistant bacterial infections that you don’t need me to rant on it. It’s bad. I know 2 people that have died because of these things personally (both contracted in a hospital). Share:

Share:
Read Post

Black Belt Brain + White Belt Body = Pain

I’m really hurting today. And it’s not a hangover. As I think I’ve mentioned before I’m back into martial arts after a 2 year gap (the result of moving across state lines and getting married). It’s pretty amazing how much you can forget when you take a 2 year break from anything. What’s worse is that your body forgets more than your brain. All those synaptic connections go dormant, if they haven’t withered and died. The weird thing is it’s a strange mix of what’s left at the end. Timing, focus, and distancing are gone. Some physical techniques are still there, or maybe half there. Yet my brain still thinks I’m a black belt. It still charges in expecting to emerge victorious. Yeah, right. If anything, I’m more dangerous. I still have some skills, but that bit of rust and amorphic muscular response makes me feel like that bug dude in Men in Black. I’m more scared about accidentally hurting someone than anything else. I figure it will take me at least a year or more of training to feel normal again. I’m sure there’s some general lesson on life hidden in here, but I’m in too much pain to really think about it. *Farnum- never take a break. Trust me. Share:

Share:
Read Post

Alarm Ads That Lie- Is a False Sense of Security Dangerous?

I was catching up on some old TiVo and saw an ADT commercial that really tweaked me. You know the one, it has a woman alone in the kitchen when the bad guy smashes the window to pop the door and do all sorts of nastiness. Her alarm starts blaring, scares off the bad guy, and it’s ADT to the rescue. There are two things that bother me about this: The average default alarm installation doesn’t include glass break detection. Those free-with-service ADT (or anyone) systems just include contact sensors for someone opening doors or windows, and usually one motion detector. Glass breaks can cost over $100 more each, only cover about a 30’ radius, and are prone to false alarms. Sure, maybe the alarm would go off when the bad guy opened the door, but only if… How many of you set your alarm when you’re home during the day? Nope, maybe only those of you in a real nasty part of town. Definitely not in the nice suburbs like our luckless victim. I really don’t like deceptive advertising- especially when it imparts a false sense of security. I wonder how many people think those sensors on their windows will go off if someone smashes them? How about all those people that lose bikes out of their garages every year because garage doors aren’t normally sensored? I realize I’m exaggerating a bit to make a point. Just having an alarm can really reduce your risk of any kind of break in, and if you’re in a higher risk area I recommend alarms (and have one myself in Phoenix). But if advertising is going to play on FUD, it’s irresponsible to create a false sense of security. Having dealt with multiple alarm installers over the years, very few of the sales guys (as opposed to the installers) educate customers on the gaps in the system, or additional high-cost options.* *which is a little surprising, although I suspect they worry about sticker shock to the average consumer. Share:

Share:
Read Post

I Want a Gazillion Dollars

Six months ago fellow blogger (and recent friend) Martin McKeay posted that he wanted to be a “Security Evangelist”. As of today, he is. If it worked for him, I figure what the heck, it can’t hurt. That’s not greedy, is it? Share:

Share:
Read Post

Unintentional Economics: How a Drunk Driver and Low-Bid Contractor Caused the Boulder Riots

Back in May 1997 I was running security for the annual “Kinetic Sculpture Challenge” in Boulder; a big costume party/concert/race/BBQ/festival/rite of spring sponsored by the local radio station. It’s about a 30,000 person event and I ran a staff of about 90 paid and volunteers. It was one of the more enjoyable events to work every year (the year I was working out East as a paramedic I even flew back just for that weekend). But that morning wasn’t nearly as much fun as usual. The police were all on edge, all looked like they had a bad night, and were far more aggressive than usual. When we opened the gates they were literally hand searching every single car coming into the parking lot for alcohol and other contraband. Traffic was backed up for miles, and the entire place had a very uneasy feeling. I asked one of my friends on Boulder PD what was going on and she just stared at me quizzically. “You mean you don’t know?” “Know what?” “Last night. You realize there was a riot?” Riot? Boulder? Outside of the 60s? I mean, we’re talking about a town that would build houses out of hemp if they could figure out the engineering. We’re talking home to the cosmic center of the universe (behind the old Pasta Jay’s, if you’re wondering). The night before as I was going to bed early to make my 6 am crew call, the students of Boulder banded together to fight for social justice. That’s correct, a full on riot with bricks, tear gas, burning couches, and flipped cars all in the fine tradition inherited from the social consciousness of protesting Vietnam and racial inequality. Okay, it was about beer, but times change. That entire academic year Boulder was brewing with hostility. A town known for its relaxed, hippie attitude was really a nine month slow burning fuse of conflict that finally detonated during finals in a series of evening riots with some serious violence. “What do we want!” “Beer!” “When do we want it?” “Friday after finals!” A lot of people know that the riots were the result of a severe police crackdown on underage drinking. Officers would literally stop students randomly in the streets and administer breathalyzer tests, handing out tickets on the spot. They’d bust parties by surrounding the house and grabbing everyone inside (or jumping out the windows), testing them all, and handing out tickets. Students started driving drunk more often just to avoid an MIP! (Minor In Possession ticket). But not a lot of people know what caused this crackdown, and why tensions rose in the course of a single academic year. Due to some random coincidences I was right in the middle of it. Two major events caused the tension, and at the heart of it is economics. First, in (I think) 1993 the CU athletic department changed their contract for security for football games. For years it was run by the CU Program Council- a semi-independent student group that put on all the concerts and other entertainment events. I was security director that year, and for insurance and cost reasons the athletic department bid out the contract instead of using a student group (despite our being recognized as one of the best security teams in the Big 8 ). We followed a principle known as “peer security”, where the “Event Staff” is composed of a demographic close to the attendees. It’s a great way to reduce tension and relate to the crowd. Despite there being two respectable event security firms in the area, one of which we had very close ties to (CSC), the athletic department awarded the contract to the lowest bidder- “Andy Frain Associates”. Andy Frain ran the local airport screening, and didn’t have a single local manager with any event experience. I ran the first few games as a subcontractor with my own people, but after they started bussing in high school students for minimum wage, we pulled out. With no effective crowd control the police, who used to just sit on the sides to back us up, had to start taking a more proactive role and go into the crowd. There’s no way that ends well- police have different training and responsibilities. When they break up a fight people get arrested. They have firearms at their waists, a nerve-wracking experience if you’re surrounded on all sides, that instantly escalates any situation. Once one officer started macing students charging the field after a big victory, the nature of the stadium during games, and between police and students, was never the same. All because someone wanted to save a dime and use cheap labor. The next cause was far more tragic. One night, a couple years earlier, a group of students in a Ford Explorer decided to get drunk and go car surfing down Flagstaff Mountain, a twisty turny mountain road. The car rolled, killing at least one young girl (I can’t remember the details, there may have been 2 deaths). Flagstaff was part of the district where I was a volunteer firemedic. While I wasn’t on the call, my coworkers told me about it. It wasn’t a pretty scene. The parents, understandably, were devastated. One totally legitimate response was to attack the culture of alcohol tolerance in Boulder. It led to the Boulder Police applying for, and winning, a grant to fight alcohol abuse among minors. The decision was made to ramp up enforcement to never-before seen levels. And it all came to a head in 1997. The relationship with police had been becoming more adversarial since 1993, culminating with that macing incident I mentioned that made the national news. At the same time, once the grant was processed and new enforcement started that relationship degraded to the point where it caused the riots. I’m not justifying the action of those riot participants- especially the ones that nearly killed some of my law enforcement friends and put one on disability. Bricks to heads are friggen insane.

Share:
Read Post

We Can’t Afford Doctrine

I almost used the title, “we can’t afford religion”, but figured that might hit Digg a little too fast and piss a lot of people off. But that’s kind of what I mean. After my global warming post I got a personal email from one of you that I respect a lot. He doesn’t buy into it, but he’s also not adamantly opposed. As he put it, people tend to have a religious response on the issue, depending on what side they’re on. Right now I tend to believe the consensus that there’s man is accelerating the natural warming of the earth. I haven’t always believed it, and if very clear evidence to the contrary appears my opinion could change. And hopefully you got the point of the original post- that I think even if it isn’t true (but I think it is) there is a huge potential economic upside if it is. But not everyone thinks like that reader and myself, on this and many other issues. A recent study performed functional MRI scans on people while discussing politics and religion. The result? The same emotional response. Yes folks, blind faith even in politics- an area that seems to demand more logic than emotion (nah, I’m not naive enough to think that’s how it really works). Religion relies on faith by nature, but science, politics, and even your daily decision to buy something or put on your seat-belt shouldn’t. There isn’t a single thing in this world that doesn’t change over time (Dick Clark and Keith Richards excepted), and any doctrinal beliefs are destined to eventually be wrong. To be honest, I think a lot of the problems we have in this world are due to rigid minds. Even every single major world religion undergoes constant interpretation and reinterpretation; that’s why the call it religious studies. Doctrine limits free thought and options. It taints analysis of information and situations. It often even biases what information you’re willing to expose yourself to. You can’t afford it. Analyze the data and make your own decisions. Don’t let some random doctrine or religious belief (not religion itself, you know what I mean) make your decisions for you. It doesn’t mean you don’t know right from wrong; it means you know how to think for yourself. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.