Shostack + Friends Blog Archive


When Planes Fell From the Sky

c-42 crash.jpgThe excellent ‘Notes from the Technology Underground’ has some personal recollections of “when planes fell from the sky:”

In the 1950s, planes crashed with alarming frequency into city neighborhoods near the Minneapolis-St. Paul airport. At least one devoured a house nearl where I now live, in Southwest Minneapolis. I heard from older neighbors about the time an airplane crashed in my neighborhood. It set me to thinking. Here’s my story on it…

While his story seems like one of incredible bad luck and improbability, it really isn’t so. In fact, my research shows that in the years 1950 through 1956, planes fell from the sky on south Minneapolis with astounding frequency — dramatic enough to make news, but not so unusual to be considered really exotic.

What Bill Gurstelle doesn’t talk about is how the airline industry stepped up and fixed the problems. It was an aggressive and purposeful embrace of transparency. Accidents got investigated, written up and talked about. Lessons were analyzed and taught. And air travel got safer. It reminds me of the bad old days of hiding vulnerability information and breach reports. We didn’t talk about buffer overflows, and from 1973 to 1996, there was no class fix for them. It was the same thing with breaches. Some people wanted to ‘save the organization from embarrassment.’ I’m so glad we in information security are past that, and are learning lessons from each other’s mistakes.

Photo from Washington State Historylink.

7 comments on "When Planes Fell From the Sky"

  • Adam, this is an excellent point. Strong, sustained attention to problems often produces a good solution to things that were just accepted as a “cost of business.” Other examples might include automobile safety (back when Nader was seen as a good guy) and early credit card liability issues.
    One interesting thing to consider is the type of solution to the techno-social problems. Is the solution purely technical? Is there a difference between the source of the solution and the implementation of that solution (i.e. a new liability standard might be set by a single decision, but then implemented by myriad players).
    The fun thing about these wide-spread lingering problems is that they span so many different levels of technology, economic incentives, organizational dynamics, etc. It would be a fun project to put together a set of them and build a typology to suggest where corrective change is easier or harder, and what policy options would be better in different situations.

  • David Molnar says:

    Some people wanted to ‘save the organization from embarrassment.’ I’m so glad we in information security are past that, and are learning lessons from each other’s mistakes.
    “Past that” might be too strong. Yes, we do now have breach laws in some states, most notably California’s SB 1386. Yes, this has changed the landscape. There are still people out there who want to ‘save the organization from embarassment,’ and the federal story has not yet been written. It might be worth keeping an eye on the new Congress to see what happens.

  • David Molnar says:

    Oh, I just noticed this. The Cyber Security Industry Alliance ran a survey in 2006 on public perception of computer security issues.
    Here’s the interesting part:

    “The key circumstance arises from the fact that strong interests are lining up on both sides of the issue – corporations afraid of burdensome disclosure requirements on one side and consumer activists on the other. The survey shows that the electorate is ready to take sides as well. Americans choose California-strength disclosure even when presented with the caveats that they will be bombarded with worthless notices and that prices will rise as companies pass along the cost of compliance. Seventy-one percent of respondents agree that Congress should pass a law like California’s compared to only 21 percent who think that California’s is too strict.
    While Democrats are the most likely to support stronger data security (78 percent), 68 percent of Republicans favor a law like California’s while only 25 percent think it’s too strict. Voters who support stronger data security are prepared to hold candidates accountable.
    Among those likely to vote in the 2006 elections, 46 percent say that a candidate’s opposition to a law like California’s would give them serious doubts.
    While this does not rise to the level of the silver bullet a challenger would use to take out an incumbent, it is nonetheless a number that suggests that the issue will get more than a passing mention on the campaign trail. If a Member of Congress votes against a strong data security bill this session, the survey suggests that the Member’s opponents will bring up the issue in the fall campaign.”

    Anyone know if a campaign in 2006 actually did have someone raise breach bills as an issue?

  • Chris says:

    As some of these outfits might have thought of it “The loss of your privacy is the cost of my doing business”. :^)
    On the typology –> control points idea, it seems somewhat clear even at this early stage that encryption of data at rest outside the perimeter, and more thoughtful consideration of what to store in the first place would put a decent-sized dent in the problem. That is probably too technical a solution, where you are thinking more from a regulatory standpoint. This is one where the techies, regulators, and politicians need to work together. All would benefit from better data. In particular, I am frustrated by the seeming inability (or at least, difficulty) to tie real ID theft likelihoods to breaches. What could be done to get the data needed for this, while maintaining confidentiality and privacy for those whose records are involved, I wonder?

  • Adam says:

    I was being sarcastic about our lack of progress. Thanks for the second article; that’s fascinating and I’d missed it.

  • David Molnar says:

    I thought you might have been, but wasn’t sure. I’m still curious as to know whether breach laws were in fact an issue in any November 2006 campaign. Google news isn’t much help as far as I can tell.

  • CSIA puts out some interesting stuff, but one should always take a few grains of salt with research that comes from an industry group with clear benefits from certain findings.
    Re: 2006. No hard data, but I would be surprised if none of the sponsors of any of the recent ID Theft bills (no matter how poorly thought out or ineffective) mentioned their efforts while campaigning. If you were looking for hard evidence, start with the Congressional Register and work backwards through campaign literature.

Comments are closed.