The fix for IT supply chain attacks

The fix for IT supply chain attacks:

As I’ve written previously, I’m very skeptical of Bloomberg’s report about the Chinese placing hardware spy chips on server motherboards used by U.S. companies. China is actively spying on U.S. businesses all the time, I believe, and has already stolen most of the intellectual property secrets they are interested in. The Chinese are on their way to becoming the world’s leading economic power, and manufacturing computer chips is a big part of that equation. I don’t think they would jeopardize that business so blatantly.

If any good is to come out of the Bloomberg article, it is bringing the problem of the supply chain to the forefront. If nearly every computer device and chip is made by potential adversaries, how can you ever be assured that what you are buying doesn’t have intentional bugs or even spying chips?

The supply chain is the aggregation of all entities that provide the products and services needed for other entities to provide their products and services to their customers. Theoretically, any entity can knowingly or unknowingly introduce insecurity that impacts the final product. This is the exact issue that the Bloomberg authors and their anonymous sources allude to: that a spy chip can be placed on motherboards that eventually get placed into servers used by foreign companies.

IT supply chain risk has always existed

This is not a new issue. …

Keeping the supply chain status quo is not an option

So, one solution is no solution: Keep things as-is. As far as we know, incidents of nations using supply-chain malicious inducements are rare. If a nation-state compromised the supply chain too routinely, none of the other nations would buy its chips. It would be a self-solving solution. We’ve made it so far, so good, using this “strategy.”

When do you use a detect-and-regulate supply chain strategy?

… Well, for one, the military already has programs to prevent supply chain issues for its most critical infrastructure. Many levels of the U.S. government have programs that look for malicious supply chain issues. That’s precisely why I don’t believe that we have a widespread issue of Chinese spying chips all over the U.S.

The question is at what level of the supply chain do we start requiring stricter oversight and monitoring? …

The opposite school of thought to the “keep the status quo” argument is that we need to check all computer devices for spying hardware, software and firmware. This can be done by government or industry groups (like Underwriters Laboratories [UL] or Consumer Reports). The problem is that all governments want to spy on people — their own people, and those in other countries. Asking the government to make sure everything is secure and not spying is asking for the fox to guard the henhouse. At the same time, I’m not sure we can do what needs to be done without governmental involvement.

The supply chain security solution needs to be global

… Every nation needs a nationally created and funded regulatory group that can look for supply chain issues but isn’t directly governed by the government. It’s not perfect. It’s like asking the foxes to pay for the shepherds who protect the henhouse, but I don’t see any other realistic way for a supply chain security solution to actually work. Or we can keep the status quo and hope for the best.

(Via CSO Online)

I agree with the article in large part. I disagree that government action and international agreements are the way to address supply chain risks. The supply chain is vulnerable in a multitude of ways independent of hardware hacking of the kind the Bloomberg report claims. Compromising hardware not only requires physical access but has its own reliance on a supply chain.

I tend toward industry and market forces addressing all aspects of supply chain insecurity. Redundancy, resiliency, supplier diversity, quality assurance, and monitoring are best done by those with the most at risk. Governments are too mercurial, international agreements and treaties often are not worth the paper they are printed on, and special interests can introduce new risks into the equation through self interest and a lack of vision.

Japanese TV is too delightful. I am close to buckling. How crazy is it to get a set two years in?
Pentagon Defense Department travel records data breach

Pentagon – Defense Department travel records suffered a data breach that compromised the PI and credit card data of U.S. military and civilian personnel.
— Read on securityaffairs.co/wordpress/77097/data-breach/pentagon-travel-records-data-breach.html

Twenty-some-odd years ago I worked on a proposal team to win this very contract. As a security practitioner in the ’90s, the level of security that the DoD wanted was refreshing. This was the first example of a potential client understanding the risk of metadata – that someone could potentially deduce what the DoD planned by watching non-military travel records without necessarily having access to the detail.

No one was thinking specifically about payment or personal information. It was probably assumed that other threat scenarios would cover this data, but my recollection is hazy at best.

By the way, my employer and deal partners did not win the contract.

Pantsdrunk, the Finnish Art of Relaxation

You’ve likely heard of hygge, the Danish word for a special feeling of coziness that’s been productized on Instagram and elsewhere to within an inch of its charming life. The Finns have a slightly different take on the good life called kalsarikännit, which roughly translates to “pantsdrunk” in English. A promotional site from the Finnish government defines it as “the feeling when you are going to get drunk home alone in your underwear — with no intention of going out”. They made the emoji above to illustrate pantsdrunkenness.
Finnish journalist Miska Rantanen has written a book on kalsarikännit called Päntsdrunk (Kalsarikänni): The Finnish Path to Relaxation.

When it comes to happiness rankings, Finland always scores near the top. Many Finnish phenomena set the bar high: the best education system, gender equality, a flourishing welfare state, sisu or bull-headed pluck. Behind all of these accomplishments lies a Finnish ability to stay calm, healthy and content in a riptide of endless tasks and temptations. The ability comes from the practice of “kalsarikanni” translated as pantsdrunk.

Peel off your clothes down to your underwear. Place savory or sweet snacks within reach alongside your bed or sofa. Make sure your television remote control is nearby along with any and all devices to access social media. Open your preferred alcohol. Your journey toward inner strength, higher quality of life, and peace of mind has begun.

Kalsarikännit isn’t as photogenic as hygge but there is some evidence of it on Instagram. As Rantanen explains, this lack of performance is part of the point:

“Pantsdrunk” doesn’t demand that you deny yourself the little things that make you happy or that you spend a fortune on Instagrammable Scandi furniture and load your house with more altar candles than a Catholic church. Affordability is its hallmark, offering a realistic remedy to everyday stress. Which is why this lifestyle choice is the antithesis of posing and pretence: one does not post atmospheric images on Instagram whilst pantsdrunk. Pantsdrunk is real. It’s about letting go and being yourself, no affectation and no performance.

I have been off alcohol lately, but kalsarikännit is usually one of my favorite forms of relaxation, particularly after a hard week.
— Read on kottke.org/18/10/pantsdrunk-the-finnish-art-of-relaxation

Leave it to the Scandinavians to coin this phrase.

I wonder if there’s a Japanese analog …

National Park Service on the verge of blocking most White House protests: comments due by MONDAY! / Boing Boing

Monday is the end of the comment period for a sweeping National Park Service proposal that will have a dramatic effect on the ability of Americans to protest in sight of their government.

Under the proposed new rules, protests around the White House and the National Mall would require permits, protestors would be barred from the sidewalk north of the White House. The proposal also seeks public comment on charging protesters fees for permits to gather.

You can and should comment.
— Read on boingboing.net/2018/10/13/trumplethinskin-3.html

I submitted my comment. It took about 5 minutes.

We should all vote, and we should provide candid feedback to government about things like this proposed rule change.

I don’t know or care about your politics. If your party or politicians you agree with are in power, just remember that someday they won’t be. Anyone trying to take your freedoms away should be a red flag to all.

Do Not Eat Here: Fatburger in Tokyo!

America’s Fatburger is now available in Japan! They are famous for their patties that are roughly double the size of ordinary Japanese burgers.
— Read on jpninfo.com/120827

This news saddens me deeply.

No one I know in the US would describe Fatburger’s food as fresh. Authentic? I have no metric. Tasty is a personal thing, but for me this is not. Well, more accurately, it can be tasty while eating it. It’s about 15 minutes after that you probably will realize that you’ve made a huge mistake.

Japan, and Tokyo specifically, has so many better local hamburger options than this supersized cholesterol bomb.

On the Law of Diminishing Specialization

On the Law of Diminishing Specialization:

Deploying a technique called work value analysis, Sassone measured not only the amount of work conducted by his subjects, but also the skill level required for the work. He found that managers and other skilled professionals were spending surprisingly large percentages of their time working on tasks that could be completed by comparably lower-level employees.

An important lesson lurks in these results that’s just as relevant now as it was then, back in the early days of the front office IT revolution: optimizing people’s ability to create value using their brains is complicated. Just because a given technology makes things easier doesn’t mean that it makes an organization more effective; you have to keep returning to the foundational question of what best supports the challenge of thinking hard about valuable things.

(Via Blog – Cal Newport)

Chinese Supply Chain Hardware Attack

Chinese Supply Chain Hardware Attack:

Bloomberg is reporting about a Chinese espionage operation involving inserting a tiny chip into computer products made in China.

I’ve written about (alternate link) this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product. No one wants to even think about a US-only anything; prices would multiply many times over.

We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.

(Via Schneier on Security)

The story has moved on since publication last week, but Bruce’s words still hold true.

Chindōgu (珍道具), A Curious Tool

The 10 Commandments of Chindogu, the Japanese Art of Creating Unusually Useless Inventions:

Back in the 1990s I’d often run across volumes of the Unuseless Japanese Inventions series at bookstores. Each one features about a hundred ostensibly real Japanese devices, photographed and described with a disarming straightforwardness, that mash up other consumer products in outwardly bizarre ways: chopsticks whose attached miniature electric fan cools ramen noodles en route to the mouth; a plastic zebra crossing to unroll and lay across a street at the walker’s convenience; an inverted umbrella attached to a portable tank for rainwater collection on the go. Such things, at once plausible and implausible, turn out to have their own word in the Japanese language: chindōgu (珍道具), or “curious tool.”

(Via Open Culture)
