Two related points from areas nominally outside infosec
1. Bruce Schneier on the Rachel Maddow show, talking about the Underwear bomber, in response to the question "will any of these new TSA measures prevent the next attack?"
Of course not, the attacks are designed to get through whatever we're doing. The liquid bombers used liquid so now we screen liquids. This is a powder bomber using powders. They will look at what we do and do something different. There's sort of a bit of magical thinking about the last hour, it's not a more dangerous hour, it's the hour this guy happened to choose. I am not sure why the next guy can't choose the first hour or a different material or maybe even not an airplane. Focusing on the tactic might make us feel a little better but it's not going to make us any safer.
2. Next up we have John Kay writing on lessons learned from the financial crisis:
I do not know what the epicentre of the next crisis will be, except that it is unlikely to involve structured debt products. I do know that unless human nature changes or there is fundamental change in the structure of the financial services industry - equally improbable - there will be another manifestation once again based on naive extrapolation and collective magical thinking. The recent crisis taxed to the full - the word tax is used deliberately - the resources of world governments and their citizens. Even if there is will to respond to the next crisis, the capacity to do so may not be there.

Chess has some lessons to teach us here. Chess has three main stages - the Opening (where vast analysis is applied to the various opening strategies: the Sicilian, Ruy Lopez and so on), the Middle game (which is chaotic), and the End game (strategies to capture the opponent's King). Each stage has a unique set of strategies that are related to, but separate from, the strategies of the other stages.
A Chess match is not one side dictating rules and the other side simply moving; instead it's a synthesis of each side trying various gambits, resulting in unique permutations from match to match. The nature and structure of these permutations cannot be calculated effectively beyond a certain point, so pattern recognition must be used.
Coming full circle back to infosec, the best we can hope for is a good design that facilitates a good Opening game, followed by a stream of events and logs that enable effective Middle and End games. I think of AAA access control technologies as Opening game strategies: many people think of Kerberos and other ticketing systems as security, but really they just establish the initial ruleset for operations; the real game begins once they're in place, in use, and under attack. The structure used at the opening does not dictate all, or maybe even most, of the events that occur in the middle and end game.
Tom Barnett describes the terrorism hamster wheel of pain:
The way this works is like clockwork:
1) terrorist attack
2) official declarations that system worked--sort of, followed by announcements of new restrictions
3) experts decry lack of prevention, say system should anticipate all surprises
4) "links" discovered
5) official condemnations by out-of-power party
6) responsibility formally "claimed" by X (waiting to make sure we're suitably freaked first)
7) discovery that so-and-so was actually on one of THE LISTS!
8) President declares the government will take event VERY seriously
9) the dreaded pre-attack warning memo is located, from among a pile of several thousand memos warning of other attacks that never happened
10) Congress launches an official investigation.
And the merry-go-round cranks up its speed...
The only fun part is timing the gaps between steps, but it's all so predictable.
We've all seen infosec versions of the above, but instead of turning the same hamster wheel, the time has come to recognize the limitations of a priori rules and start thinking about viable middle and end games, such as audit logging feedback loops and policy decision points that implement claims-based access control, to name two.
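A sketch of the two middle-game mechanisms named in this post, a claims-based policy decision point and an audit log that feeds back into its decisions, as an added example that is not from the original post or from any of the authors quoted; the rules, subject, resource paths and deny threshold are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Added example, not from the original post. Claims are (type, value) pairs,
# e.g. ("role", "clerk"); the rules, subject and paths below are constructed.

@dataclass
class PolicyDecisionPoint:
    # Opening game: the static ruleset, (resource, action) -> required claims
    rules: dict
    # Middle game: the audit trail, which feeds back into later decisions
    audit_log: deque = field(default_factory=lambda: deque(maxlen=1000))
    deny_threshold: int = 3  # denials per subject before we treat it as probing

    def recent_denials(self, subject):
        return sum(1 for e in self.audit_log
                   if e["subject"] == subject and e["decision"] == "DENY")

    def decide(self, subject, claims, resource, action):
        required = self.rules.get((resource, action))
        if required is None:
            decision, reason = "DENY", "no rule for resource/action"
        elif not required <= claims:
            decision, reason = "DENY", "missing claims %s" % sorted(required - claims)
        elif self.recent_denials(subject) >= self.deny_threshold:
            # Feedback loop: the ruleset alone would permit, but the log says
            # this subject has been repeatedly denied, so the decision changes.
            decision, reason = "DENY", "repeated denials in audit log"
        else:
            decision, reason = "PERMIT", "required claims present"
        self.audit_log.append({"subject": subject, "resource": resource,
                               "action": action, "decision": decision,
                               "reason": reason})
        return decision

def run_scenario():
    """Constructed scenario: a clerk reads the ledger, then probes writes."""
    pdp = PolicyDecisionPoint(rules={
        ("/ledger", "read"): {("role", "clerk")},
        ("/ledger", "write"): {("role", "clerk"), ("mfa", "true")},
    })
    alice = {("role", "clerk")}  # holds no MFA claim
    decisions = [pdp.decide("alice", alice, "/ledger", "read")]
    for _ in range(3):
        decisions.append(pdp.decide("alice", alice, "/ledger", "write"))
    # Same claims that were permitted at the start; the audit log now says no.
    decisions.append(pdp.decide("alice", alice, "/ledger", "read"))
    return decisions, list(pdp.audit_log)
```

The first read is permitted by the opening ruleset alone; the final read is denied only because the middle game, the audit trail, has changed the picture.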