Archive for March, 2010

Conspiracy Theories

Wednesday, March 31st, 2010

The thing about Conspiracy Theories is that there are so many of them. You can choose whichever suits you best: one that conforms to your beliefs, and finally, one that puts those in charge of a whole super-conspiracy you really thought were in charge all along. Sadly, there’s the trouble: They all end up explaining something complicated in a very easy way, draw the world in black and white, and there’s Them, the conspirators, and Us, the victims.

It works like this: Take any event that happened, the more media coverage it got the better, blatantly ignore some facts, and fill in the gaps with fabrication.

So, for instance, we’ll take the event of two planes crashing into two skyscrapers 15 minutes apart, with the skyscrapers subsequently crashing into themselves, plus some other buildings nearby also crashing into themselves.

  • The first thing we’ll do is to define that this was a “Terrorist Attack”, which is a pretty sound assumption given the low chance of something like this happening by accident.
  • Next we’ll need to define who the terrorists were. Quickly produce a list of people who might have been on these flights and correlate it with a list of known terrorist suspects. If you’ve got hits, go with them.
  • Now you’ll need a mastermind, because it’s inconceivable that these terrorists did it all by themselves. Find one hiding in some goat shed in a third world country, preferably one who will at least gloat over your misery on television.
  • And the mastermind of course has to have an organisation. Take a name from an earlier but irrelevant guerrilla group. If questions turn up as to why this organisation wasn’t known, state: “its existence was still a closely held secret.”

Yes, you noticed where this is going. The point is, the official story of what happened on 9/11 satisfies every criterion of the pejoratively used term “Conspiracy Theory”. It’s simple. It clearly identifies a villain drawing strings in the background. It has a mysterious secret organization in it.

Or what about this definition “Conspiracism is a particular narrative form of scapegoating that frames demonized enemies as part of a vast insidious plot against the common good, while it valorizes the scapegoater as a hero for sounding the alarm”? Yep, sounds about right. Now we know of those insidious terrorists.

This of course, is only a preliminary judgement in order to decide whether this theory qualifies to be called a “Conspiracy Theory”, and does not make any assertions about the veracity of its claims. It might be the truth, but this official version still qualifies to be called a “Conspiracy Theory”, unless those claims can be backed up by hard verifiable facts and no falsifiable claims appear.

So to go further we have to investigate the claim separately. Some common standards to assess this are:

  • Occam’s Razor: Is this the simplest possible explanation, or is it a more complicated and thus less useful explanation of the evidence?
  • Logic: Do the proofs offered follow the rules of logic or do they use fallacies of logic?
  • Methodology: Are the proofs offered using sound methodology? Are there clear standards to determine what evidence would prove or disprove the theory?
  • Whistleblowers: How many people – and what kind – have to be loyal conspirators?
  • Falsifiability: Are there some parts “unfalsifiable” or could it be proven that they’re wrong?

A bit less commonly known is Hanlon’s razor, which states that everything attributable to malice is probably the result of incompetence.

Indeed, some of the above claims do fail some of those tests miserably. Occam’s Razor would be in favour of:

  • a) planes crashing into buildings
  • b) buildings crashed because of demolitions, not because of the plane impact
  • c) planes ignored by air guards because somebody told the guards to look away
  • d) planes piloted by said terrorists
  • e) terrorists entered the USA with the consent of customs
  • f) mastermind not responsible for the attack (but very sympathetic towards it)
  • g) secret organisation invented by the media

Other criteria of course contradict this (as do some of Occam’s Razor’s own results; but that’s because they offer the simplest explanation of every separate claim). The Whistleblower criterion says b) it’s too difficult to wire the building, people would have noticed, c) it’s not very likely the air guard was ordered to look away, and e) neither is customs. Hanlon’s razor of course refutes c) and e) outright: The air guard and customs were of course incompetent nincompoops. Also a) the planes hit the towers by accident, b) the buildings crashed because they were built unstable, f) there were no terrorists and Bin Laden had nothing to do with it, and g) Al’Qaida is an invention of the media by chance.

The hardest evidence against the truthfulness of this Conspiracy Theory comes from Methodology, and it concerns b), f) and g). b) There is no coherent official explanation of how the plane crash could have brought down the buildings, and even less explanation of why they crashed into themselves. And still less explanation for WTC7. f) The official 9/11 report explicitly says “we did NOT follow the money trail”, and only offers circumstantial evidence on how Osama Bin Laden should be linked to the attack. g) There is no evidence given for an organisation by the name of Al’Qaida before 2001.

Surely, some of the claims of the “official theory” of what happened on 9/11 really correspond to reality. But as a whole, the “official theory” qualifies just as much as “Conspiracy Theory” as some other theories on 9/11.

Security as Service

Friday, March 5th, 2010

I’ve been sceptical about offerings of Security as Service. It sounds an awful lot like “Outsourcing Security”, and security is a process which involves every aspect of business or life.

However, I’m now working in a company which does just that, selling Security as Service. And I think it can work. As opposed to any other company which sells you a product, or some other services, if you’re selling security, you’ve got an interest in your customers’ security not being breached. Because you will lose that customer.

If you’re a bank, you sell banking services. As long as the cost of one of your clients’ accounts being misused is not really your cost, the security of your clients is a total non-issue. The same goes for vendors of security appliances. The client bought it, and already paid for it, so if somebody hacks it, it’s not really your problem, unless you get bad publicity out of it.

And we’ve seen with the whole “full disclosure” debate that bad publicity is a very weak instrument, and some companies can take hideous amounts of it before they improve security. Microsoft is the classic example; it took them aeons to do something about security, and the security of its products is still very weak.

On the other hand, if you get paid by subscription, you have a very real interest in keeping the customer. That means you have an interest in providing the services you are being paid for. If it’s not security the client pays for, this also means that security is probably not your concern (as seen with banks and credit card companies).

Of course, security embedded in your company will be much more capable and resilient. You can design every process with security in mind. You can choose specific products with a good security track record. You can have system administrators with a very intimate knowledge of your network and IT landscape, who can provide very fine-grained incident response and emergency management.

But most smaller companies can’t have that, because they don’t have the expertise, the money to hire specialists, and most of all, because they have an IT landscape that is modeled not by security considerations but by habit. And habit is of course the biggest foe of security. It could be its friend too, but old habits die hard, and most people today grew up in a world where not everything was networked, and where systems of a company which gave a damn about networks and security were, and still are, prevalent. So the people in these companies don’t have the slightest clue about security, e-mail their passwords around, get their negotiations eavesdropped on over mobile phones, infect their computers with viruses and get their e-banking accounts phished.

And this is where Security as Service can help. It can’t make you into a company where everything is secure. But it can mitigate some of the effects the security-unconscious acts of your employees cause. It can filter out malicious emails before someone can click on them, or before some stupid mail client executes the malware payload on its own. It can encrypt the emails at least between hosts. It can keep the botnets at bay that try to penetrate your servers. And it can provide incident response if something goes wrong.

And finally, Security as Service is the fundamentally better idea than Security as Product. Because Security is a Process, it never ends; and because with any product you bought, the sale is done, and the supplier is only interested in selling you another product, not in making the already sold product better. Furthermore, if you lack the expertise, will you even be able to manage the product correctly?

There are those who can, with in-house security expertise, for whom it would be stupid to outsource it. But for the rest of us, there’s at least a certain measure of security available with Security as Service.