Peter Wayner writes: "A friend of mine who works as a public defender knows a thing or two about selling fear to the jury filled with doubts. Several months before December 31st, 1999, he asked me if we should be worried about the Y2K disasters. My answer was: The machines crash every day. Why should it matter if it happens on December 31st?" This time around though, the fears are of a different nature and scope: Peter reviews below Edward Yourdon's latest book Byte Wars, one aimed at everyone concerned about online terrorism in the post-9/11 climate.
My friend who nodded as if this was the same game he played every day in the courtroom. If no one knew what was going to happen, the jury's instincts could be manipulated with a mixture of fear, sympathy and tribalism. Juries were always afraid of watching a good, relatively innocent man lose everything, he explained. Corporate executives were just as worried of the same thing happening to them.
The Y2K binge is long gone and the biggest effect on computers seems to be found in the bits representing the bank accounts of Y2K consultants. Gimmicks may fade but human nature and human fear remains the same. The destruction of the World Trade Center has given new life to the fear mongers who worry that someone may obliterate our electronic infrastructure. Edward Yourdon, the old school computer consultant who made plenty of noise about Y2K, is back with another book, Byte Wars: The Impact of September 11th on Information Technology .
When I say old school, I mean that he started programming and writing about programming in the mid 1970s and this shows in the way he spells ( "Obe Wan Kenobee") and talks about "paradigm shifts" instead of "memes." He comes from the age group that decided how much to spend on Y2K and he knows how to talk to the group that will control how much we spend on our fears of terrorism.
There is no mention of his record on Y2K on the book cover or the biography, but if you're interested, the net never forgets. The book does mention the scary days of December 1999 a bit in passing, but only to note that there was "very little awareness in the media" that some "small organizations did suffer moderate-to-severe Y2K problems." He also notes with some pride that many companies survived the turmoil after the World Trade Center attack because they made so many preparations for the turn of the millennium.
This time around Yourdon is blessed with a much more concrete threat and this both helps and hurts his cause. On one hand, no one can debate the power of airplanes as weapons in the same way we can still debate whether Y2K would make a difference to embedded controllers. On the other hand, it's not really clear what the latest attacks have to do with computer networks. He even notes that the DOD's computers were relatively unhurt by the destruction of the Pentagon. How many web sites or e-commerce sites can anyone knock out with a box cutter? One company I knew with offices on the 81st floor of the World Trade Center used a co-lo facility that survived. Their web site kept on pumping out hits even after their entire office turned to dust.
Yourdon dodges all of this by being politely vague and abstract. His chapter on risk management, for instance, counsels that we should find a "realistic assessment of risks" and weigh the probability against the danger. If we develop a process to deal with the risk, then we can ensure that the risks are shared between the stakeholders. Most of the chapter could have been written at any time about any risk , but he makes it all a bit more current by including a few references to kamikaze players who are shifting the paradigm.
Some of his advice gets so abstract that it's hard to know exactly what he is suggesting. He tells us to "examine the practical impact of increased security and decreased privacy." To him, that means warning people who rely upon the social freedom of "don't ask, don't tell" to realize that so much information about us will eventually be documented by the new security state. "Now is the time to think about such matters, not two or three years from now when you suddenly find that you can't get a job, or can't buy a house in a particular neighborhood." Should we rise up or acquiesce? Which side is he on? I'm still not sure. He does such a good job playing to everyone's fears.
Occasionally, he doles out some practical advice that is close to the needs of managers worried about the aftereffects of 9/11. We are told that terrorists may be posing as "ordinary employees" or even government employees who've "risen to high levels of trust and authority." He reminds us that "hardly anyone watches the programmers." Is some terrorist slipping in a buffer-overflow loophole? Or maybe just a crook? One of the most practical suggestions is that corporations should do more code reviews.
He's also hip to some of the latest intellectual fads. Emergent organisms like Napster can be useful and resilient. He's a big fan of empowering employees by cutting away bureaucracy so the organization can evolve some emergent intelligence. Of course, we must also be ready for more scrutiny from the security bureaucracy checking to ensure that the emergent organism isn't evolving buffer-overflow backdoors. This gets a bit confusing and he waves away much of conflict with abstract calls for balance.
In the end, Yourdon can't offer many answers because there aren't many answers to give. We had risks, terrorism, info warfare, bombs and whatnot before September 11th and we'll meet them again despite the security. Anarchists detonated a horse powered wagon filled with explosives in front of the NY Fed in the 1920s. Not much has really changed and the book ends up being a distilled version of the inchoate fears that haunt us.
The real challenge is determining how much fear we should have. Yourdon is far from the only person who automatically assumes that the attacks on New York mean more attention to cybersecurity. All of the major beltway consultants near Washington are gearing up with the new tools. The more I read the book, the more I began wondering why. Why do some kamikaze hijackers mean that the web needs to be locked down? Who really has time to worry about some al Queda l33t d00dz owning my site when so many people are dying true deaths that can't be fixed with backup tapes?
At the end of one of the chapters, Yourdon exhorts us to get our act together and secure our home computers. Our old, pre-9/11 computing style was equivalent to "living in a house with the doors and windows wide open", he says, something that was "a pleasant way to live if you were in a small town in the 1950s."
Ah, the 50s. He and everyone else should rent a copy of George Lucas's pre-Star Wars classic, "American Graffiti." In one scene, the teenagers cheerfully drop a cherry bomb down the school's toilet. In another, they destroy a police car by wrapping a chain around the rear axle. The laugh track blessed both events in the movie, but all of us know that they would bring out the SWAT teams today.
The movie managed to avoid much of the discussion about Eisenhower, Francis Gary Powers, the Russian H-Bomb, or any of the other fears rippling down our spines. The 50's seem so much more fun after editing out the fact that the Russians had (and still have) fusion bombs on the tips of missiles. No amount of frisking by airport security can keep them out of our airspace. Yet we survived and managed to laugh about kids trashing police cars.
Another solution is not to quiver and worry about Osama bin Hacker's script kiddies. We can redefine the terms of engagement in much the same way that the cops in the "American Graffiti" just laughed at those impish kids. Hacked web sites are easy to restore if you have adequate backups. Denial of service attacks from zombies on cable modems sound threatening, but they rarely last longer than Friday evening rush hour.
It's hard to argue with much of the plainspoken, largely abstract advice offered by Yourdon. All of it makes good sense. The harder problem is finding the right attitude to carry us through the night. This book is filled with worry for our future and awe of the unseen l33t d00dz hiding under the bed. There are bits of light and a stab at optimism near the end, but most of the book trades on the thoughts that will keep us up well past midnight.
Peter Wayner has two resilient books emerging this spring: Translucent Databases , an exploration of database security, and Disappearing Cryptography: Information Hiding, Steganography and Watermarks , the second edition devoted to hiding secret messages in plain sight. You can purchase Byte Wars from bn.com. Want to see your own review here? Just read the book review guidelines, then use Slashdot's handy submission form.