49 results back to index
Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems by Heather Adkins, Betsy Beyer, Paul Blankinship, Ana Oprea, Piotr Lewandowski, Adam Stubblefield
anti-pattern, barriers to entry, bash_history, business continuity plan, business process, Cass Sunstein, cloud computing, continuous integration, correlation does not imply causation, create, read, update, delete, cryptocurrency, cyber-physical system, database schema, Debian, defense in depth, DevOps, Edward Snowden, fault tolerance, fear of failure, general-purpose programming language, Google Chrome, Internet of things, Kubernetes, load shedding, margin call, microservices, MITM: man-in-the-middle, performance metric, pull request, ransomware, revision control, Richard Thaler, risk tolerance, self-driving car, Skype, slashdot, software as a service, source of truth, Stuxnet, Turing test, undersea cable, uranium enrichment, Valgrind, web application, Y2K, zero day
If the system does break, this functionality extends the time available for responders to organize, prevent more damage, or, if necessary, engage in manual recovery. Resilience helps systems withstand attacks and defends against attempts to gain long-term access. If an attacker breaks into the system, design features like blast radius controls limit the damage. Ground your design strategies in defense in depth. Examine a system’s security the same way you view uptime and reliability. At its core, defense in depth is like N+1 redundancy for your defenses. You don’t trust all of your network capacity to a single router or switch, so why trust a single firewall or other defense measure? In designing for defense in depth, always assume and check for failures in different layers of security: failures in outer perimeter security, the compromise of an endpoint, an insider attack, and so on. Plan for lateral moves with the intent of stopping them. Even when you design your systems to be resilient, it’s possible that resilience will fall short at some point and your system will break.
This required strong partnership and a significant amount of help and buy-in from the release TPM team, and though we demonstrated the capability, we’ve rarely needed to use it, thanks to Chrome’s investment in defense in depth. Design for Defense in Depth No matter how fast the team is able to detect and fix any single security bug in Chrome, these bugs are bound to occur, particularly when you consider the security shortcomings of C++ and the complexity of a browser. Since attackers are continually advancing their capabilities, Chrome is continually investing in developing exploit mitigation techniques and an architecture that helps avoid single points of failure. The team has created a living color-by-risk component diagram so anyone can reason about Chrome’s security architecture and various layers of defense to inform their work. One of the best examples of defense in depth in practice is the ongoing investment in sandboxing capabilities.
what to do when you're stuck, What to Do When You’re Stuck-Improve access and authorization controls, even for nonsensitive systems declaring an incident, Beginning Your Response, Declaring an Incident decompilers, Integration of Static Analysis in the Developer Workflow defacing of websites, Activists Defense Advanced Research Projects Agency (DARPA), Automation and Artificial Intelligence defense in depth, Defense in Depth-Runtime layersChrome security team (case study), Design for Defense in Depth controlling blast radius, Controlling the Blast Radius-Time Separation Google App Engine analysis, Google App Engine Analysis-Runtime layers resilience and, Resilience Trojan Horse attack, The Trojan Horse-Compromise degradationcontrolling, Controlling Degradation-A foothold for humans differentiating costs of failures, Differentiate Costs of Failures-Speed of mitigation DoS attacks and, Graceful Degradation failing safe versus failing secure, Failing safe versus failing secure logs and, Budget for Logging resilience and, Controlling Degradation-A foothold for humans response mechanism automation, Automated response-Automated response Delta Airlines, Invisibility denial-of-service (DoS) attacks, Mitigating Denial-of-Service Attacks-Conclusionamplification attacks, Attacker’s Strategy attacker's strategy, Attacker’s Strategy CAPTCHA implementation, A DoS Mitigation System client retry behavior in self-inflicted attacks, Client Retry Behavior DDoS attacks versus, Defender’s Strategy defendable architecture, Defendable Architecture-Defendable Architecture defendable services, Defendable Services defender's strategy, Defender’s Strategy designing for defense against, Designing for Defense-Defendable Services graceful degradation, Graceful Degradation mitigating, Mitigating Attacks-Strategic Response mitigation system, A DoS Mitigation System monitoring/alerting, Monitoring and Alerting problems with failing open, Failing open reliability/security intersection, Availability self-inflicted attacks, Dealing with Self-Inflicted Attacks-Client Retry Behavior strategic response, Strategic Response user behavior in self-inflicted attacks, User Behavior deny lists, Deny lists dependencies, keeping up to date, Keep Dependencies Up to Date and Rebuild Frequently deploying code, Deploying Code-Conclusionactionable error messages, Provide Actionable Error Messages advanced mitigation strategies, Advanced Mitigation Strategies-Post-Deployment Verification, Securing Against the Threat Model, Revisited automation for, Rely on Automation best practices, Best Practices-Treat Configuration as Code binary provenance, Binary Provenance-What to put in binary provenance breakglass with, Include a Deployment Breakglass code reviews, Require Code Reviews code signing, What to put in binary provenance concepts and terminology, Concepts and Terminology-Concepts and Terminology creating unambiguous policies, Create Unambiguous Policies deployment choke points, Deployment Choke Points ensuring unambiguous provenance, Ensure Unambiguous Provenance errors manifested during deployment, Be mindful of correlation versus causation maintaining confidentiality of secrets, Treat Configuration as Code post-deployment verification, Post-Deployment Verification practical advice, Practical Advice-Include a Deployment Breakglass provenance-based deployment policies, Provenance-Based Deployment Policies-Implementing policy decisions securing against threat model, Securing Against the Threat Model-Securing Against the Threat Model supply chain issues, Take It One Step at a Time threat model, Threat Model treating configuration as code, Treat Configuration as Code trusting third-party code, Securing Against the Threat Model verifiable builds, Verifiable Builds-Unauthenticated inputs verifying artifacts, Verify Artifacts, Not Just People deployment (generally)definition, Concepts and Terminology response mechanism, Deploy Response Mechanisms-A foothold for humans system, From Design to Production Trojan Horse attack, Deployment of the attack DER (Distinguished Encoding Rules), Programming Language Choice design document template (Google), Example: Google Design Document design tradeoffs, Design Tradeoffs-Conclusionbalancing requirements, Balancing Requirements-Security risks cost of adding reliability and security to existing systems, Balancing Requirements feature requirements, Feature Requirements features versus emergent properties, Features Versus Emergent Properties-Features Versus Emergent Properties Google design document template, Example: Google Design Document initial versus sustained velocity, Initial Velocity Versus Sustained Velocity-Initial Velocity Versus Sustained Velocity managing tensions/aligning goals, Managing Tensions and Aligning Goals-Aligning Emergent-Property Requirements microservices and Google web application framework, Example: Microservices and the Google Web Application Framework nonfunctional requirements, Nonfunctional Requirements objectives/requirements, Design Objectives and Requirements-Example: Google Design Document payment processing example, Example: Payment Processing-Security risks developers, least privilege and, Impact on Developer Complexity Device Inventory Service tools, Cloud logs DevOps, Conclusion DevSecOps, Foreword by Royal Hansen, Conclusion dictionaries, fuzz engines and, How Fuzz Engines Work digital forensics, The Investigative Process-Sharding the investigation disassemblers, Integration of Static Analysis in the Developer Workflow disaster planning, Disaster Planning-Conclusionconfiguring systems, Configuring Systems defining "disaster", Defining “Disaster” dynamic response strategies, Dynamic Disaster Response Strategies prestaging systems and people before an incident, Prestaging Systems and People Before an Incident-Processes and Procedures processes and procedures, Processes and Procedures real-world examples from Google, Google Examples-Industry-Wide Vulnerabilities risk analysis, Disaster Risk Analysis setting up an incident response team, Setting Up an Incident Response Team-Ensure Access and Update Mechanisms Are in Place testing systems and response plans, Testing Systems and Response Plans-Evaluating Responses training, Training Disaster Recovery Testing (DiRT) program, Crisis Response, DiRT Exercise Testing Emergency Access disaster risk analysis, Disaster Risk Analysis, A Disaster Risk Assessment Matrix distinct failure domains, Failure Domains-Low-dependency componentsalternate component pitfalls, Common pitfalls alternate component types, Component Types-Low-dependency components benefits of splitting system into, Practical aspects data isolation, Data isolation functional isolation, Functional isolation high-availability components, High-availability components high-capacity components, High-capacity components low-dependency components, Low-dependency components-Low-dependency components resilience and, Resilience distributed denial-of-service (DDoS) attacks, Attacker’s Strategy(see also denial-of-service (DoS) attacks) Anonymous's attack on Israeli websites, Activists DoS attacks versus, Defender’s Strategy reliability/security intersection, Availability DNS (Domain Name System) queries, Network-based logging and detection documentationculture of awareness and, Culture of Awareness maintaining access to, Ensure Access and Update Mechanisms Are in Place rereading, Reread the docs dogfooding, Reduce Fear with Risk-Reduction Mechanisms DoS extortion, Mitigating Denial-of-Service Attacks dumb fuzzing, How Fuzz Engines Work dynamic program analysis, Dynamic Program Analysis-Dynamic Program Analysis dynamic type checking, Use strong typing and static type checking E elections, hacking of, Criminal Actors Elliptic Curve Cryptography (ECC), Controlling Degradation emailcommunicating when system is compromised, Develop Response Plans crisis management email attack example, The Investigative Process embargoed vulnerabilities, Different Changes: Different Speeds, Different Timelines emergency accessaccess controls, Access Controls communication channels, Communications designing for recovery, Emergency Access-Responder Habits responder habits, Responder Habits emergent propertiesaligning security/reliability goals, Aligning Emergent-Property Requirements feature requirements versus, Features Versus Emergent Properties-Features Versus Emergent Properties reliability and security as, Features Versus Emergent Properties empathy, Build Empathy encryptiondefense in depth and, Resilience log data, Take Privacy into Consideration encryption keys (see key rotation) Envoy HTTP proxy, Single system testing/fault injection epoch, Limit Your Dependencies on External Notions of Time error messages, Provide Actionable Error Messages Error Prone, Incremental rollout, Automated Code Inspection Tools, Automated Code Inspection Tools errors, threat modeling and, Threat modeling insider risk escalations, problem resolution and, Escalations and Problem Resolution espionage, Intelligence gathering EternalBlue, Compromise evolution of systems, Evolution exception handling, Provide Actionable Error Messages explicit revocation mechanism, Use an Explicit Revocation Mechanism-Avoiding risky exceptionsavoiding risky exceptions, Avoiding risky exceptions centralized service to revoke certificates, A centralized service to revoke certificates failing open, Failing open handling emergencies directly, Handling emergencies directly removing dependency on accurate notions of time, Removing dependency on accurate notions of time revoking credentials at scale, Revoking credentials at scale exponential backoff, Client Retry Behavior, Example: Framework for RPC Backends external researchers, External Researchers-External Researchers F Facetime privacy bug, Trading Good OpSec for the Greater Good failing closed (secure)failing safe versus, Failing safe versus failing secure security/reliability tradeoffs, Failing safe versus failing secure failing open (safe)failing secure versus, Failing safe versus failing secure revocation system, Failing open security/reliability tradeoffs, Failing safe versus failing secure failing static, A DoS Mitigation System failover strategies, Failover strategies, System-wide failures/failovers failure domains (see distinct failure domains) failures, cost ofcomputing resources consumed by, Computing resources differentiating costs of, Differentiate Costs of Failures-Speed of mitigation effect on user experience, User experience speed of mitigation, Speed of mitigation failures, system-wide, System-wide failures/failovers false positives/negatives, Static Program Analysis fault injection, Single system testing/fault injection fearreducing with risk-reduction mechanisms, Reduce Fear with Risk-Reduction Mechanisms-Reduce Fear with Risk-Reduction Mechanisms resistance to change and, Changing Culture Through Good Practice feature requirements, Feature Requirements FIDO security keys, Example: Strong second-factor authentication using FIDO security keys-Example: Strong second-factor authentication using FIDO security keys firmwarecapturing state for updates, Device firmware rollbacks, Rolling back firmware and other hardware-centric constraints first-party insiders, First-party insiders fixits, Testing ForceCommand, Custom OpenSSH ForceCommand forensic timeline, The Investigative Process forensics, digital, The Investigative Process-Sharding the investigation forward-only MASVN, Rolling back firmware and other hardware-centric constraints Fourth Industrial Revolution, Conclusion Frama-C, Abstract Interpretation frameworks, software development, Example: Microservices and the Google Web Application Framework(see also application frameworks) access control policies, Access control benefits of, Benefits of Using Frameworks lessons for evaluation/construction, Lessons for Evaluating and Building Frameworks-Legacy conversions reliability/security benefits of, Example: Microservices and the Google Web Application Framework reliability/security enforcement, Frameworks to Enforce Security and Reliability-Example code snippets rollout strategy, Rollout Strategy RPC backends, Example: Framework for RPC Backends-Example code snippets simple, safe, reliable libraries for common tasks, Simple, Safe, Reliable Libraries for Common Tasks understandability and, Using Application Frameworks for Service-Wide Requirements-Using Application Frameworks for Service-Wide Requirements full-stack frameworks, Using Application Frameworks for Service-Wide Requirements functional isolation, Functional isolation functional requirements, Feature Requirements fuzz engines, How Fuzz Engines Work-How Fuzz Engines Work fuzz testing (fuzzing), Testing Code, Fuzz Testing-Example: ClusterFuzz and OSSFuzzChrome security team and, Security Is a Team Responsibility ClusterFuzz, Example: ClusterFuzz and OSSFuzz continuous fuzzing, Continuous Fuzzing example fuzzer, An Example Fuzzer-An Example Fuzzer fixits and, Testing how fuzz engines work, How Fuzz Engines Work-How Fuzz Engines Work "known safe" functions, How Fuzz Engines Work OSS-Fuzz, Example: ClusterFuzz and OSSFuzz security/reliability benefits, Fuzz Testing writing effective fuzz drivers, Writing Effective Fuzz Drivers G games, for developing culture of awareness, Culture of Awareness General Electric (GE), First-party insiders GFE (Google Front End), Example: Google’s frontend design global network failure, Low-dependency components Gmail, Complexity Versus Understandability Go, Programming Language Choice Go Race Detector, Go: Race Detector goals, aligning, Managing Tensions and Aligning Goals-Aligning Emergent-Property Requirementsemergent-property requirements, Aligning Emergent-Property Requirements microservices and Google web application framework, Example: Microservices and the Google Web Application Framework participant incentives and, Align Project Goals and Participant Incentives GoogleDiRT exercise testing emergency access, DiRT Exercise Testing Emergency Access disaster planning at, Google Examples-Industry-Wide Vulnerabilities earthquake response test, Test with Global Impact embedding security at, Example: Embedding Security at Google-Example: Embedding Security at Google industry-wide vulnerabilities in Linux kernel, Industry-Wide Vulnerabilities password manager incident, On Passwords and Power Drills reliability- and security-related sections of design doc template, Example: Google Design Document safe proxies case study, Case Study: Safe Proxies-Conclusion security/reliability education, Culture of Awareness smart system for intake, Example: Embedding Security at Google sustainable reliability and security culture at, Culture of Sustainability Tool Proxy, Google Tool Proxy-Google Tool Proxy Google App Engineculture of yes and, Culture of Yes defense in depth and, Google App Engine Analysis-Runtime layers runtime layers, Runtime layers threat modeling, Risky APIs Google design document template, Example: Google Design Document Google Front End (GFE), Example: Google’s frontend design Google Sanitizers, C++: Valgrind or Google Sanitizers, Dynamic Program Analysis Google Search, Threat modeling insider risk governmentsas attackers, Governments and Law Enforcement-Protecting your systems from nation-state actors cyber attacks as domestic activity monitoring, Policing domestic activity intelligence gathering, Intelligence gathering military purposes of attacks, Military purposes protecting systems from nation-state actors, Protecting your systems from nation-state actors graceful degradationDoS attacks and, Graceful Degradation logs and, Budget for Logging resilience and, Controlling Degradation-A foothold for humans graceful failure, Graceful Failure and Breakglass Mechanisms Gregg, Brendan, Test your hypotheses with actual data H Hacker Camp, Build Empathy hacking (origin of term), Attacker Profiles hacktivistsas attackers, Activists protecting systems from, Protecting your systems from hacktivists handovers, Handovers-Handovers, Handover, Handing Back the Incident hardware security module (HSM), Securing Third-Party and Open Source Components health, of team members, Culture of Sustainability Heartbleed security bug, Example: Growing Scope—Heartbleed, How Fuzz Engines Work hedging, Hedging hermetic builds, Verifiable build architectures hero mode, Handovers HIDS (host intrusion detection system), Host agents high-availability components, High-availability components high-capacity service, High-capacity components hobbyists, as attackers, Hobbyists Honggfuzz, How Fuzz Engines Work host intrusion detection system (HIDS), Host agents host management, Host management-Host management HSM (hardware security module), Securing Third-Party and Open Source Components HTTPS, Initial Velocity Versus Sustained Velocity, Example: Increasing HTTPS usage-Example: Increasing HTTPS usage human resource testing, Human resource testing I IC (incident commander), Identify Team Members and Roles, Beginning Your Response idempotent operations, Pay attention to idempotent operations identifiers, Identities identitiesGoogle production system model, Example: Identity model for the Google production system understandable, Identities-Example: Identity model for the Google production system IMAG (see Incident Management at Google) imminent risk, Trading Good OpSec for the Greater Good immutability, logging design for, Design Your Logging to Be Immutable implicit casting, Use Strong Types implicit type conversions, Use Strong Types in-memory state, Host management incentives, aligning goals with, Align Project Goals and Participant Incentives Incident Command System, Crisis Response, Beginning Your Response incident commander (IC), Identify Team Members and Roles, Beginning Your Response incident management (see crisis management; disaster planning) Incident Management at Google (IMAG)crisis management, Crisis Management, Beginning Your Response crisis response, Crisis Response IR team training, Training incident response (IR) team, Setting Up an Incident Response Team-Ensure Access and Update Mechanisms Are in Placeavoiding single points of failure, Identify Team Members and Roles communicating when email or instant messaging system is compromised, Develop Response Plans communications, Communications-Keeping the Right People Informed with the Right Levels of Detail creating/staffing, Setting Up an Incident Response Team-Ensure Access and Update Mechanisms Are in Place developing response plans, Develop Response Plans-Develop Response Plans establishing team charter, Establish a Team Charter handovers, Handovers-Handovers, Handover identifying team members and roles, Identify Team Members and Roles-Identify Team Members and Roles keeping control of the incident, Keeping Control of the Incident-Morale maintaining access to documentation and update information, Ensure Access and Update Mechanisms Are in Place morale issues, Establish a Team Charter, Morale operating parameters, Define Operating Parameters for Engaging the IR Team playbooks for, Create Detailed Playbooks processes and procedures, Processes and Procedures severity/priority models, Establish Severity and Priority Models training, Training incident, crisis versus, Is It a Crisis or Not?
Site Reliability Engineering: How Google Runs Production Systems by Betsy Beyer, Chris Jones, Jennifer Petoff, Niall Richard Murphy
Air France Flight 447, anti-pattern, barriers to entry, business intelligence, business process, Checklist Manifesto, cloud computing, combinatorial explosion, continuous integration, correlation does not imply causation, crowdsourcing, database schema, defense in depth, DevOps, en.wikipedia.org, fault tolerance, Flash crash, George Santayana, Google Chrome, Google Earth, information asymmetry, job automation, job satisfaction, Kubernetes, linear programming, load shedding, loose coupling, meta analysis, meta-analysis, microservices, minimum viable product, MVC pattern, performance metric, platform as a service, revision control, risk tolerance, side project, six sigma, the scientific method, Toyota Production System, trickle-down economics, web application, zero day
Maintaining a guarantee of data integrity at large scale, a challenge that is further complicated by the high rate of change of the involved software systems, requires a number of complementary but uncoupled practices, each chosen to offer a high degree of protection on its own. The 24 Combinations of Data Integrity Failure Modes Given the many ways data can be lost (as described previously), there is no silver bullet that guards against the many combinations of failure modes. Instead, you need defense in depth. Defense in depth comprises multiple layers, with each successive layer of defense conferring protection from progressively less common data loss scenarios. Figure 26-2 illustrates an object’s journey from soft deletion to destruction, and the data recovery strategies that should be employed along this journey to ensure defense in depth. The first layer is soft deletion (or “lazy deletion” in the case of developer API offerings), which has proven to be an effective defense against inadvertent data deletion scenarios. The second line of defense is backups and their related recovery methods.
Google was able to restore the lost data in a timely manner by executing a plan designed according to the best practices of Defense in Depth and Emergency Preparedness. When Google publicly revealed that we recovered this data from our previously undisclosed tape backup system [Slo11], public reaction was a mix of surprise and amusement. Tape? Doesn’t Google have lots of disks and a fast network to replicate data this important? Of course Google has such resources, but the principle of Defense in Depth dictates providing multiple layers of protection to guard against the breakdown or compromise of any single protection mechanism. Backing up online systems such as Gmail provides defense in depth at two layers: A failure of the internal Gmail redundancy and backup subsystems A wide failure or zero-day vulnerability in a device driver or filesystem affecting the underlying storage medium (disk) This particular failure resulted from the first scenario—while Gmail had internal means of recovering lost data, this loss went beyond what internal means could recover.
., the medical industry and the military, as previously discussed) have very different pressures, risk appetites, and requirements, and their processes are very much informed by these circumstances. Defense in Depth and Breadth In the nuclear power industry, defense in depth is a key element to preparedness [IAEA12]. Nuclear reactors feature redundancy on all systems and implement a design methodology that mandates fallback systems behind primary systems in case of failure. The system is designed with multiple layers of protection, including a final physical barrier to radioactive release around the plant itself. Defense in depth is particularly important in the nuclear industry due to the zero tolerance for failures and incidents. Postmortem Culture Corrective and preventative action (CAPA)4 is a well-known concept for improving reliability that focuses on the systematic investigation of root causes of identified issues or risks in order to prevent recurrence.
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto
call centre, cloud computing, commoditize, database schema, defense in depth, easy for humans, difficult for computers, Firefox, information retrieval, lateral thinking, MITM: man-in-the-middle, MVC pattern, optical character recognition, Ruby on Rails, Turing test, web application
■ Parameter placeholders cannot be used for any other parts of the query, such as the asc or desc keywords that appear within an order by clause, or any other SQL keyword, since these form part of the query structure. As with table and column names, if it is necessary for these items to be specified based on user-supplied data, rigorous white list validation should be applied to prevent attacks. 342 Chapter 9 Attacking Data Stores Defense in Depth As always, a robust approach to security should employ defense-in-depth measures to provide additional protection in the event that frontline defenses fail for any reason. In the context of attacks against back-end databases, three layers of further defense can be employed: ■ The application should use the lowest possible level of privileges when accessing the database. In general, the application does not need DBA-level permissions.
Although these measures will not defeat the most patient and determined attacker, they will deter many more casual attackers and will buy additional time for administrators to monitor the situation and take more drastic action if desired. Chapter 2 ■ Core Defense Mechanisms 55 Reacting to apparent attackers is not, of course, a substitute for fixing any vulnerabilities that exist within the application. However, in the real world, even the most diligent efforts to purge an application of security flaws may leave some exploitable defects. Placing further obstacles in the way of an attacker is an effective defense-in-depth measure that reduces the likelihood that any residual vulnerabilities will be found and exploited. Managing the Application Any useful application needs to be managed and administered. This facility often forms a key part of the application's security mechanisms, providing a way for administrators to manage user accounts and roles, access monitoring and audit functions, perform diagnostic tasks, and configure aspects of the application's functionality.
Prevent Misuse of the Password Change Function ■ A password change function should always be implemented, to allow periodic password expiration (if required) and to allow users to change passwords if they want to for any reason. As a key security mechanism, this needs to be well defended against misuse. ■ The function should be accessible only from within an authenticated session. ■ There should be no facility to provide a username, either explicitly or via a hidden form field or cookie. Users have no legitimate need to attempt to change other people's passwords. ■ As a defense-in-depth measure, the function should be protected from unauthorized access gained via some other security defect in the application — such as a session-hijacking vulnerability, cross-site scripting, or even an unattended terminal. To this end, users should be required to reenter their existing password. ■ The new password should be entered twice to prevent mistakes. The application should compare the "new password" and "confirm new password" fields as its first step and return an informative error if they do not match
Secrets and Lies: Digital Security in a Networked World by Bruce Schneier
Ayatollah Khomeini, barriers to entry, business process, butterfly effect, cashless society, Columbine, defense in depth, double entry bookkeeping, fault tolerance, game design, IFF: identification friend or foe, John von Neumann, knapsack problem, MITM: man-in-the-middle, moral panic, mutually assured destruction, pez dispenser, pirate software, profit motive, Richard Feynman, risk tolerance, Silicon Valley, Simon Singh, slashdot, statistical model, Steve Ballmer, Steven Levy, the payments system, Y2K, Yogi Berra
Recall the attack trees:a series of OR nodes are only as secure as the weakest, while a series of AND nodes are as strong as their combination. In general, the security of a particular technology depends on the easiest way to break that technology: the weakest link. The security of several security countermeasures depends on the easiest way to defeat all those countermeasures: defense in depth. For example, a network protected by two firewalls, one each at two different network ingresses, is not defense in depth. This system is only as secure as the weakest link: An attacker can attack either firewall. A network protected by two firewalls, one behind the other, is defense in depth: An attacker has to penetrate one firewall and then the other in order to attack the network. (It always amazes me when I see complex networks with different brands of firewalls protecting different access points, or even the same brand of firewall with different configurations.
Cryptography can be defeated by brute-forcing the key, crypt- analyzing the algorithm, or (the weak link) social-engineering the password from an oblivious secretary. But protecting the computer behind a locked door, or a well-configured firewall, provides defense in depth. Remember the opening scenes of Raiders of the Lost Ark? Indiana Jones had to get past the spiders, the wall-of-spikes trap, the pit, the poison darts released by stepping on the wrong floor stones, and the self- destruct mechanism tied to moving the statue. This is defense in depth. He bypassed the wall-of-spikes trap by avoiding the triggering mechanism, but he might have dodged the wall, jammed the mechanism, or done half a dozen other things. The security of the trap depends on the easiest way to avoid it. But just as attacking a system is more complicated than simply finding a vulnerability, defending a system is more complicated than dropping in a countermeasure.
These all allow attackers to bypass choke points. Networks have more subtle breaches of this type. Sometimes a company has strong network security in place, and for whatever reason links its network to that of another company. That other company may not be as secure. This both violates the choke points, and means that the network has a new weakest link that needs securing. Provide Defense in Depth Defense in depth is another universal security principle that applies to computers just as it applies to everything else. A good perimeter defense—door locks and window alarms—is more effective when combined with motion sensors inside the house. Forgery-resistant credit cards work better when combined with online verification and a back-end expert system that looks for suspicious spending patterns.
Building Microservices by Sam Newman
airport security, Amazon Web Services, anti-pattern, business process, call centre, continuous integration, create, read, update, delete, defense in depth, don't repeat yourself, Edward Snowden, fault tolerance, index card, information retrieval, Infrastructure as a Service, inventory management, job automation, Kubernetes, load shedding, loose coupling, microservices, MITM: man-in-the-middle, platform as a service, premature optimization, pull request, recommendation engine, social graph, software as a service, source of truth, the built environment, web application, WebSocket
Another problem is that if we have decided to offload responsibility for authentication to a gateway, it can be harder to reason about how a microservice behaves when looking at it in isolation. Remember in Chapter 7 where we explored some of the challenges in reproducing production-like environments? If you go the gateway route, make sure your developers can launch their services behind one without too much work. One final problem with this approach is that it can lull you into a false sense of security. I like the idea of defense in depth — from network perimeter, to subnet, to firewall, to machine, to operating system, to the underlying hardware. You have the ability to implement security measures at all of these points, some of which we’ll get into shortly. I have seen some people put all their eggs in one basket, relying on the gateway to handle every step for them. And we all know what happens when we have a single point of failure… Obviously you could use this gateway to do other things.
Depending on the sensitivity of the operation in question, you might have to choose between implicit trust, verifying the identity of the caller, or asking the caller to provide the credentials of the original principal. Securing Data at Rest Data lying about is a liability, especially if it is sensitive. Hopefully we’ve done everything we can to ensure attackers cannot breach our network, and also that they cannot breach our applications or operating systems to get access to the underlying close up. However, we need to be prepared in case they do — defense in depth is key. Many of the high-profile security breaches involve data at rest being acquired by an attacker, and that data being readable by the attacker. This is either because the data was stored in an unencrypted form, or because the mechanism used to protect the data had a fundamental flaw. The mechanisms by which secure information can be protected are many and varied, but whichever approach you pick there are some general things to bear in mind.
We want to back up our important data, and almost by definition data we are worried enough about that we want to encrypt it is important enough to back up! So it may seem like an obvious point, but we need to make sure that our backups are also encrypted. This also means that we need to know which keys are needed to handle which version of data, especially if the keys change. Having clear key management becomes fairly important. Defense in Depth As I’ve mentioned earlier, I dislike putting all our eggs in one basket. It’s all about defence in depth. We’ve talked already about securing data in transit, and securing data at rest. But are there other protections we could put in place to help? Firewalls Having one or more firewalls is a very sensible precaution to take. Some are very simple, able only to restrict access to certain types of traffic on certain ports.
Future War: Preparing for the New Global Battlefield by Robert H. Latiff
Asilomar, Asilomar Conference on Recombinant DNA, autonomous vehicles, Berlin Wall, cyber-physical system, Danny Hillis, defense in depth, drone strike, Elon Musk, failed state, friendly fire, Howard Zinn, Internet of things, low earth orbit, Nicholas Carr, orbital mechanics / astrodynamics, self-driving car, South China Sea, Stephen Hawking, Stewart Brand, Stuxnet, Wall-E
“A robot’s targets”: Chris Baraniuk, “World War R: Rise of the Killer Robots,” New Scientist, November 15, 2014. Death by algorithm: Robert H. Latiff and Patrick J. McCloskey, “With Drone Warfare, America Approaches the Robo-Rubicon,” The Wall Street Journal, March 14, 2013. Echoing the concerns of senior combat leaders: Janine Davidson, “The Warrior Ethos at Risk: H. R. McMaster’s Remarkable Veterans Day Speech,” Defense in Depth blog, Council on Foreign Relations, November 18, 2014, https://fortunascorner.com/2014/11/19/the-warrior-ethos-at-risk-h-r-mcmasters-remarkable-veterans-day-speech/. Yale University ethicist: Wendell Wallach, A Dangerous Master: How to Keep Technology from Slipping Beyond Our Control (New York: Basic Books, 2014). DARPA has recently begun to address: Jean-Lou Chameau, William F. Ballhaus, and Herbert S.
President and Congress,” CFR Backgrounders, Council on Foreign Relations, June 20, 2011, http://www.cfr.org/united-states/balance-war-powers-us-president-congress/p13092. Conor Friedersdorf, writing in The Atlantic: Conor Friedersdorf, “The Congress Shall Have the Power…to Declare War,” The Atlantic, August 27, 2014. In 2009, lawmakers tried to use OCO funds: Emerson Brooking and Janine Davidson, “How the Overseas Contingency Operations Fund Works—and Why Congress Wants to Make It Bigger,” Defense in Depth blog, Council on Foreign Relations, June 16, 2015, https://www.geopolintelligence.com/how-the-overseas-contingency-operations-fund-works-and-why-congress-wants-to-make-it-bigger/. The Government Accountability Office: Chris Edwards and Nicole Kaeding, “Federal Government Cost Overruns,” Tax and Budget Bulletin 72 (Washington, DC: Cato Institute, September 2015). Another GAO study reported: Sandra I.
Multitool Linux: Practical Uses for Open Source Software by Michael Schwarz, Jeremy Anderson, Peter Curtis
business process, Debian, defense in depth, GnuPG, index card, indoor plumbing, Larry Wall, MITM: man-in-the-middle, optical character recognition, publish or perish, RFC: Request For Comment, Richard Stallman, SETI@home, slashdot, web application
Summary Tripwire is a useful part of a complete system defense. It is, however, only a part, and it is, in fact, rather the last bastion of a defense in depth. It detects system changes made by an intruder already in your system. With the tools available to the modern script kiddie, by the time Tripwire detects, your system is probably pretty messed up. Fortunately, if you have been keeping your Tripwire database on CD-R media, you can use it to undo everything the intruder has done. No Linux system that spends any time connected to the Internet should be without Tripwire. But likewise, no such system should rely on Tripwire as its sole protection. A defense in depth should include a firewall, which is covered in Chapter 3, plus a network monitor such as the one discussed in Chapter 13. Chapter 13.
In some ways it is worse, because you now have a false sense of security. You assume that the absence of alerts means no attempts are being made and your system is secure. This is the reason we presented Tripwire first. To borrow from the Cold War again (and this is an apt metaphor, because it is fair to say that crackers and defenders are engaged in an arms race of attack versus defense tools), you need "defense in depth." Snort is an extremely effective part of your network defense, but it can be much more effective when used as part of a system of defense. I recommend a minimum five-part defense: 1. Snort on the outside, set to alert only on extremes. 2. A properly cond firewall; at minimum a transparent outbound masquerade with no back channels. Ideally explicit rules set for outbound traffic as well as inbound. 3.
This is another powerful capability, and some of the provided plug-ins, like Xml and Alert_unixsock can greatly expand the capabilities of Snort. This is another area you should explore on your own. Summary Snort is a very powerful tool for improving the security of whole networks. It is only as good as you are, however. This tool is not best used by someone who doesn't understand the IP, ICMP, TCP, UDP, and RPC protocols at a fundamental level. It is also most effective as part of a defense in depth. If you are not particularly knowledgeable about TCP/IP and Linux administration, don't let the difficulty of this topic and this chapter drive you away from Linux and into the comforting but feeble arms of "easier" systems. Any operating system that implements any service using TCP/IP (and if you use the Internet, then your system is using TCP/IP) is potentially vulnerable to these types of attack.
Everyware: The Dawning Age of Ubiquitous Computing by Adam Greenfield
augmented reality, business process, defense in depth, demand response, demographic transition, facts on the ground, game design, Howard Rheingold, Internet of things, James Dyson, knowledge worker, late capitalism, Marshall McLuhan, new economy, Norbert Wiener, packet switching, pattern recognition, profit motive, QR code, recommendation engine, RFID, Steve Jobs, technoutopianism, the built environment, the scientific method
, questions that enable just about any defensible space to enforce its own accesscontrol policy—not just on the level of gross admission, either, but of finely grained differential permissioning. What is currently done with guards, signage, and physical barriers ranging from velvet rope to razor wire, can still more effectively be accomplished when those measures are supplemented by gradients of access and permission—a "defense in depth" that has the additional appeal of being more or less subtle. If you're having trouble getting a grip on how this would work in practice, consider the ease with which an individual's networked currency cards, transit passes and keys can be traced or disabled, remotely—in fact, this already happens.* But there's a panoply of ubiquitous security measures both actual and potential that are subtler still: navigation systems that omit all paths through an area where a National Special Security Event is transpiring, for example, or subways and buses that are automatically routed past.
Target devaluation seeks to make vulnerable items less desirable to those who would steal them, and this is certainly the case where self-identifying, self-describing devices or vehicles can be tracked via their network connection. For that matter, why even try to steal something that becomes useless in the absence of a unique biometric identifier, key or access code? This is the goal of offender incapacitation, a strategy also involved in attempts to lock out the purchase of denied items. Target insulation and exclusion are addressed via the defense in depth we've already discussed—the gauntlet of networked sensors, alarms, and cameras around any target of interest, as well as all the subtler measures that make such places harder to get to. And finally there is the identification of offenders or potential offenders, achieved via remote iris scanning or facial recognition systems like the one currently deployed in the Newham borough of London.
Ender's shadow by Orson Scott Card
The farther out you deploy your defenses, the more of them you have to have, and if your resources are limited, you soon have more fortifications than you can man. What good are bases on moons, Jupiter or Saturn or Neptune, when the enemy doesn't even have to come in on the plane of the ecliptic? He can bypass all our fortifications. The way Nimitz and Mac Arthur used two-dimensional island-hopping against the defense in depth of the Japanese in World War II. Only our enemy can work in three dimensions. Therefore we cannot possibly maintain defense in depth. Our only defense is early detection and a single massed force." Dimak nodded slowly. His face showed no expression. "Go on." Go on? That wasn't enough to explain two hours of reading? "Well, so I thought that even that was a recipe for disaster, because the enemy is free to divide his forces. So even if we intercept and defeat ninety-nine of a hundred attacking squadrons, he only has to get one squadron through to cause terrible devastation on Earth.
"Sounds like you've analyzed my personality anyway," said Bean. "You just don't let up, do you?" Bean said nothing. There was nothing to say. "I've been looking at your reading list," said Dimak. "Vauban?" "Yes?" "Fortification engineering from the time of Louis the Fourteenth?" Bean nodded. He thought back to Vauban and how his strategies had adapted to fit Louis's evermore-straitened finances. Defense in depth had given way to a thin line of defenses; building new fortresses had largely been abandoned, while razing redundant or poorly placed ones continued. Poverty triumphing over strategy. He started to talk about this, but Dimak cut him off. "Come on, Bean. Why are you studying a subject that has nothing to do with war in space?" Bean didn't really have an answer. He had been working through the history of strategy from Xenophon and Alexander to Caesar and Machiavelli.
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Justin Schuh
Albert Einstein, Any sufficiently advanced technology is indistinguishable from magic, bash_history, business process, database schema, Debian, defense in depth, en.wikipedia.org, Firefox, information retrieval, iterative process, loose coupling, MITM: man-in-the-middle, MVC pattern, RFC: Request For Comment, slashdot, web application
As an auditor, however, you want to look closely at the impact of choosing this trust model and determine whether a chain of trust is appropriate. You also need to follow trusts across all the included components and determine the real exposure of any component. You’ll often find that the results of using a chain of trust are complex and subtle trust relationships that attackers could exploit. Defense in Depth Defense in depth is the concept of layering protections so that the compromise of one aspect of a system is mitigated by other controls. Simple examples of defense in depth include using low privileged accounts to run services and daemons, and isolating different functions to different pieces of hardware. More complex examples include network demilitarized zones (DMZs), chroot jails, and stack and heap guards. Layered defenses should be taken into consideration when you’re prioritizing components for review.
Therefore, they should be accessible only over restricted network segments when possible and never exposed to Internet-facing connections. Protective Measures A range of additional protective measures can affect an application’s overall security. In consultant speak, they are often referred to as mitigating factors or compensating controls; generally, they’re used to apply the concept of defense in depth mentioned in Chapter 2. These measures can be applied during or after the development process, but they tend to exist outside the software itself. The following sections discuss the most common measures, but they don’t form an exhaustive list. For convenience, these measures have been separated into groups, depending on whether they’re applied during development, to the deployed host, or in the deployed network.
See COM (Component Object Model) Computer Security: Art and Science, 5 concurrent programming APCs (asynchronous procedure calls), 765 deadlocks, 760-762 multithreaded programs, 810-825 process synchronization, 762 interprocess synchronization, 770-783 lock matching, 781-783 synchronization object scoreboard, 780-781 System V synchronization, 762-764 Windows NT synchronization, 765-770 race conditions, 759-760 reentrancy, 757-759 repetition, 806-809 shared memory segments, 763 signals, 783 asynchronous-safe function, 791-797, 800-801, 804-809 default actions, 784-785 handling, 786-788 interruptions, 791-796, 806-809 jump locations, 788-791 non-returning signal handlers, 797-801, 804, 806 sending, 786 signal handler scoreboard, 809-810 signal masks, 785 vunerabilities, 791-801, 804-809 starvation, 760 threads deadlocks, 823-825 PThreads API, 811-813 race conditions, 816-823 starvation, 823-825 Windows API, 813-815 condition variables, PThreads API, 812-813 conditions, ACC logs, unanticipated conditions, 364-365 confidentiality, 41 encryption algorithms, 41-42 block ciphers, 42 common vunerabilities, 43-45 exchange algorithms, 43 IV (initialization vector), 42 stream ciphers, 42 expectations of, 7-8 configuration files OpenSSH, 160 UNIX, 508-509 configuration settings ASP, 1118 ASP.NET, 1121-1123 Java servlets, 1112-1113 PHP, 1104-1105 CONNECT method, 1021 Connection header field (HTTP), 1018 connection points, objects, 736 connections RPCs (Remote Procedure Calls), 706 TCP (Transmission Control Protocol), 865, 869 blind connection spoofing, 876-879 connection tampering, 879 establishing, 871-872 fabrication, 875-876 flags, 870 resetting, 872 states, 869-870 ConnectNamedPipe( ) function, 704 constraint establishment, test cases, code audits, 144-145 Content-Encoding header field (HTTP), 1019 Content-Language header field (HTTP), 1019 Content-Length header field (HTTP), 1019 Content-Location header field (HTTP), 1019 Content-MD5 header field (HTTP), 1019 Content-Range header field (HTTP), 1019 Content-Transfer-Encoding header field (HTTP), 1019 Content-Type header field (HTTP), 1019 CONTENT_LENGTH (environment variable), 1088 CONTENT_TYPE (environment variable), 1088 context handles, RPCs (Remote Procedure Calls), 718-721 contexts, Windows NT sessions, access tokens, 644-645 control flow, auditing, 326-339 flow transfer statements, 336 looping constructs, 327-336 switch statements, 337-339 control-flow sensitive coide navigation, 109-110 Controller component (MVC), 1045 controlling terminals, UNIX, 574 conversion rules, type conversions, C programming language, 225-231 ConvertSidToStringSid( ) function, 637 ConvertStringSidToSid( ) function, 637 cookies, 1036-1038 stack cookies, 190-191 COPY method, 1022 core files, 519 CoRegisterClassObject( ) function, 744 Correct Use of GetFullPathName( ) listing (8-13), 416 corruption (memory), 167 buffer overflows, 168-169 global overflows, 186 heap overflows, 183-186 off-by-one errors, 180-183 process memory layout, 169 SHE (structured exception handling) attacks, 178-180 stack overflows, 169-178 static overflows, 186 protection mechanisms, 189-190 ASLR (address space layout randomization), 194 assessing, 196-202 function pointer obfuscation, 195-196 heap hardening, 191-193 nonexecutable stack, 193 SafeSEH, 194-195 stack cookies, 190-191 shellcode, 187-189 Cost header field (HTTP), 1019 counter (CTR) mode cipher, 42 CP (candidate point), code audits, 112, 119-128 application-specific CPs, 128 automated source analysis tools, 120-122 black box generated CPs, 123-128 general approach, 119-120 simple binary CPs, 122 simple lexical CPs, 122 crackaddr( ) function, 303 CRC (cyclic redundancy check) routines, 46 Create*( ) functions, 631 CreateEvent( ) function, 768 CreateFile( ) function, 632, 661, 664-665, 667, 674-675, 699-700 CreateHardLink( ) function, 676 CreateMutex( ) function, 630, 766 CreateNamedPipe( ) function, 699-700, 704 CreateNewKey( ) function, 684 CreatePrivateNamespace( ) function, 631 CreateProcess( ) function, 426, 654 CreateRestrictedToken( ) function, 642 CreateSemaphore( ) function, 768 CreateWaitableTimer( ) function, 769 credentials, authorization, untrustworthy credentials, 37 critical sections, Windows API, 814 cross-site scripting ASP, 1118 ASP.NET, 1121 Java servlets, 1110-1111 Perl, 1096 PHP, 1103 XSS, 1071-1074 cryogenic sleep attacks, 545-546 crypto subsystem, SSH server, code audits, 160 cryptographic hash functions, 46 cryptographic signatures, 47 cryptography, 41 cryptographic data integrity, 45 cryptographic signatures, 47 hash functions, 45-46 originator validation, 47 salt values, 46 encryption algorithms, 41-42 block ciphers, 42 common vunerabilities, 43-45 exchange algorithms, 43 IV (initialization vector), 42 stream ciphers, 42 CRYPTO_realloc_clean( ) function, 380 Cscope source code navigator, 149 Ctags source code navigator, 149-150 CTR (counter) mode cipher, 42 Cutler, David, 626 cyclic redundancy check (CRC) routines, 46 D DACL (discretionary access control list), 632 daemons, UNIX, 467-468 Dangerous Data Type Use listing (7-41), 374 Dangerous Use of IsDBCSLeadByte( ) listing (8-30), 454 Dangerous Use of strncpy( ) listing (8-2), 396 data assumptions, ACC logs, 365-366 data buffers, OpenSSH, vunerabilities, 307-310 data flow, vunerabilities, 18-19 data flow diagrams (DFDs), 55-58 data hiding, 307 data integrity, 45 cryptographic signature, 47 hash functions, 45-46 originator validation, 47 salt values, 46 data link layer, network segmentation, 84-85 data ranges, lists, 324, 326 data storage, C programming language, 204-211 data tier (Web applications), 1042-1043 Data Truncation Vulnerability listing (8-11), 415 Data Truncation Vulnerability 2 listing (8-12), 415 data types, application protocols, matching, 927-934 data verification, application protocols, 935 data-flow sensitivee code navigation, 109-110 datagrams, IP datagrams, 834-836 data_xfer( ) function, 355 Date header field (HTTP), 1019 DCE (Distributed Computing Environment) RPCs, 618, 706 DCOM (Distributed Component Object Model), 328, 725-754, 829 access controls, 734-736 Active X security, 749-754 application audits, 741-749 application identity, 732-733 application registration, 741-743 ATL (Active Template Library), 740 automation objects, fuzz testing, 749 DCOM Configuration utility, 731-732 impersonation, 736-737 interface audits, 743-749 MIDL (Microsoft Interface Definition Language), 738-740 subsystem access permissions, 733-734 DCOM Configuration utility, 731-732 DDE (Dynamic Data Exchange), 658 Windows messaging, 697 DDE Management Library (DDEML) API, 697 de Weger, Benne, 48 deadlocks concurrent programming, 760, 762 threading, 823-825 debuggers, code auditing, 151-154 DecodePointer( ) function, 195 DecodeSystemPointer( ) function, 195 decoding, Unicode, 449-450 Decoding Incorrect Byte Values listing (8-28), 443 decoding routines, RPCs (Remote Procedure Calls), UNIX, 622-623 decomposition, software design, 27-28 default argument promotions, 232, 237 default settings, insecure defaults, 69 default site installations, Web-based applications, 75 Default Switch Case Omission Vulnerability listing (7-24), 338 default type conversions, 224 defense in depth, 31 definition files, RPCs (Remote Procedure Calls), UNIX, 619-622 DELETE method, 1020 delete payloads, ISAKMP (Internet Security Association and Key Management Protocol), 969-971 delete_session( ) function, 201 Delivering Signals for Fun and Profitî, 806 demilitarized zones (DMZs), 86 denial-of-service (DoS) attacks. See DoS (denial of service) attacks dependency alnalysis, code audits, 135-136 DER (Distinguished Encoding Rules), ASN.1 (Abstract Syntax Notation), 977-979 Derived-From header field (HTTP), 1019 descriptors, UNIX files, 512-513 design SDLC (Systems Development Life Cycle), 13 software, 26 abstraction, 27 accuracy, 32 algorithms, 26-27 clarity, 32 decomposition, 27-28 failure handling, 35-36 loose coupling, 33 strong cohesion, 33 strong coupling exploitation, 34 threat modeling, 49-66 transitive trust exploitation, 35 trust relationships, 28-31 vunerabilities, 14-15 design conformity checks, DG (design generalization) strategy, 131-133 desk checking, code audits, 137-139 desktop object, IPC (interprocess communications), 690-691 Detect_attack Small Packet Algorithm in SSH listing (6-18), 261 Detect_attack Truncation Vulnerability in SSH listing (6-19), 262 developer documentation, reviewing, 51 developers, interviewing, 51 development protective measures, operational vulnerabilities, 76-79 ASLR (address space layout randomization), 78 heap protection, 77-78 nonexecutable stacks, 76 registered function pointers, 78 stack protection, 77 VMs (virtual machines), 79 device files UNIX, 511 Windows NT, 666-668 DeviceIoControl( ) function, 677 DFDs (data flow diagrams), 55-58 DG (design generalization) strategies, code audits, 112, 128-133 design conformity check, 131-133 hypothesis testing, 130-131 system models, 129-130 Different Behavior of vsnprintf( ) on Windows and UNIX listing (8-1), 394 Digital Encryption Standard (DES) encryption, 44 Digital Equipment Corporation (DEC) Virtual Memory System (VMS), 626 dilimiters embedded delimiters, metacharacters, 408-411 extraneous dilimiters, 598-601 direct program invocation, UNIX, 565-570 directionality, stateful firewalls, 906 directories, UNIX, 462-464, 514-516 creating, 500-503 entries, 514 Filesystem Hierarchy Standard, 463 mount points, 463 parent directories, 503 permissions, 498-499 public directories, 507-508 race conditions, 535-538 root directories, 574 safety, 503 working directories, 574 directory cleaners, UNIX temporary files, 546-547 directory indexing, Web servers, 74 Directory Traversal Vulnerability listing (8-15), 420 discretionary access control list (DACL), 632 Distributed Component Object Model (DCOM).
Cities Under Siege: The New Military Urbanism by Stephen Graham
addicted to oil, airport security, anti-communist, autonomous vehicles, Berlin Wall, call centre, carbon footprint, clean water, congestion charging, creative destruction, credit crunch, DARPA: Urban Challenge, defense in depth, deindustrialization, digital map, edge city, energy security, European colonialism, failed state, Food sovereignty, Gini coefficient, global supply chain, Google Earth, illegal immigration, income inequality, knowledge economy, late capitalism, loose coupling, market fundamentalism, mass incarceration, McMansion, megacity, moral panic, mutually assured destruction, Naomi Klein, New Urbanism, offshore financial centre, one-state solution, pattern recognition, peak oil, planetary scale, private military company, Project for a New American Century, RAND corporation, RFID, Richard Florida, Scramble for Africa, Silicon Valley, smart transportation, surplus humans, The Bell Curve by Richard Herrnstein and Charles Murray, urban decay, urban planning, urban renewal, urban sprawl, Washington Consensus, white flight, white picket fence
London: Ashgate, 2005, 40. 155 Laurent Gutierrez and Valérie Portefaix, Mapping HK, Hong Kong: Map Books, 156 Cowen, ‘Securing systems’, 2. 157 Antulio Echevarria and Bert Tussing, From ‘Defending Forward’ to a ‘Global Defense-In-Depth’: Globalization and Homeland Security, Strategic Studies Institute, 2003, available at www.strategicstudiesinstitute.army.mil. 158 Deborah Cowen and Neil Smith, ‘After Geopolitics? ‘From the Geopolitical Social to Geoeconomics’, Antipode, 41: 1, 2009, 22–48. 159 Donna Miles, ‘With Ongoing Terror Fight Overseas, NORTHCOM Focuses on Homeland’, SecurityInnovator.com, 17 November 2006. 160 Ibid. 161 Deborah Cowen and Neil Smith, After Geopolitics?’. 162 Stephen Flynn, ‘The False Conundrum: Continental Integration versus Homeland Security’, in The Rebordering of North America, Peter Andreas and Thomas Biersteker, eds, New York: Routledge, 2003, 11. 163 Echevarria and Tussing, From ‘Defending Forward’ to a ‘Global Defense-In-Depth’. 164 This term draws on Deborah Cowen’s idea of containing insecurity’ published in her contribution to a book I edited, Disrupted Cities: When Infrastructures Fail, New York: Routledge, 2009. 165 See Keller Easterling, Enduring Innocence, Cambridge MA: MIT Press, 2006. 166 This system organizes 90 per cent of global trade through global supply chains and advanced logistics and delivers 95 per cent of the overseas trade entering the US. 167 ‘When trade and security clash’, The Economist, 4 April 2002. 168 Jon Haveman and Howard Shatz, Protecting the Nation’s Seaports: Balancing Security and Cost, San Francisco: Public Policy Institute of California, 2006. 169 IBM, Expanded Borders, Integrated Controls, marketing brochure. 170 Cowen and Smith After Geopolitics?’.
By trying to establish anticipatory surveillance systems which parallel the key architectures of circulation – electronic finance, Internet communications, airline travel, seaports and trade – they oscillate continually between the scale of the human body, the city, the nation, and transnational capitalism. Of great importance here are new ideas of US national security, expressed in the notions of ‘defending forward’ and ‘global defense in depth’.157 The new security doctrine is based on the argument that no matter how much money, technology or militarized fencing is thrown at the problem of filtering the boundaries which separate the US nation from the rest of the world, such geopolitical ideas of security are rendered less and less useful in a world where the flows continually work through US cities and regions via a myriad of infrastructural connections and systems.158 Homeland security is thus increasingly seen as an ‘away game’.
Software Engineering at Google: Lessons Learned From Programming Over Time by Titus Winters, Tom Manshreck, Hyrum Wright
Timeline of the developer workflow The same basic pattern emerges many times in this book. Bugs that are caught by static analysis and code review before they are committed are much cheaper than bugs that make it to production. Providing tools and practices that highlight quality, reliability, security early in the development process is a common goal for many of our infrastructure teams. No single process or tool needs to be perfect, we can assume a defense-in-depth approach, hopefully catching as many defects on the left side of the graph as possible. Tradeoffs & Costs If we understand how to program, understand the lifetime of the software we’re maintaining, and understand how to maintain it as we scale up with more engineers producing and maintaining new features, then all that is left is to make good decisions. This seems obvious - in software engineering, as in life, good choices lead to good outcomes.
The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski
barriers to entry, business process, defense in depth, easy for humans, difficult for computers, fault tolerance, finite state, Firefox, Google Chrome, information retrieval, RFC: Request For Comment, semantic web, Steve Jobs, telemarketer, Turing test, Vannevar Bush, web application, WebRTC, WebSocket
As with XMLHttpRequest, restricting access to HTTP APIs from HTTPS origins may be a good way to stamp out mixed-content bugs. Content Security Policy: This is safe to use as defense in depth. Review the caveats related to the interactions among script-src, object-src, and so on, and the dangers of permitting data: origins. Do not accidentally allow mixed content: Always specify protocols in the rulesets and make sure they match the protocol the requesting page is served over. Sandboxed frames: This is safe to use as a way to embed gadgets from other origins, but the mechanism will fail dramatically in noncompliant browsers. You should not sandbox same-origin documents. Strict Transport Security: This is safe to use as defense in depth. Be sure to mark all relevant cookies as secure and be prepared for the possibility of cookie injection via spoofed, non-STS locations in your domain.
The Lion's Gate: On the Front Lines of the Six Day War by Steven Pressfield
When the pen passed over a house, one half of that dwelling fell under the jurisdiction of the Hashemite kingdom, the other half under that of the Israeli military command. In effect the home had to be abandoned. It became, inevitably, one of scores of blockhouses and bricked-up strongpoints lining the corridor of minefields and barbed-wire entanglements that divided Jerusalem. A strategy of defense-in-depth is not possible in a nation that is only nine miles wide at its waist and whose commercial concentrations and population centers lie within artillery range of its enemies. Offense is the only effective posture. War, if war comes, must be fought on the enemy’s territory, not our own. The IDF and IAF have been built upon the principles of speed, aggression, and audacity. An Israeli lieutenant or captain in the field does not expect the luxury of being able to appeal for instructions to higher command.
Lanes between boxes will be covered by artillery and reachable easily by the tanks in reserve. This is the British system, developed by her generals Wavell, Auchinleck, Alexander, and Montgomery in the North African desert during World War II. These officers and others passed this wisdom on to their clients, the Egyptians. On top of this, Soviet engineers have overlaid the Russian system. Russian doctrine is linear. Its principle is defense in depth. You can recognize a Soviet position from the air by its multiple trench lines, one behind the other. In the rear of the first three trench lines is the artillery. Russians love artillery. The Soviet doctrine evolved from defense of the homeland against the Nazis. The concept is one of attrition. At Um Katef, Soviet engineers have built three successive trench lines of reinforced concrete, extending from impassable dunes on one side to similar obstacles on the other.
Puppet 3 Cookbook by John Arundel
HAProxy has a vast range of configuration parameters which you can explore; see the HAProxy website: http://haproxy.1wt.eu/#docs If you need SSL capabilities, you can put Nginx in front of HAProxy to handle this. Although it's most often used as a web server, HAProxy can proxy a lot more than just HTTP. It can handle any amount of TCP traffic, so you can use it to balance the load of MySQL servers, SMTP, video servers, or anything you like. Managing firewalls with iptables As experienced system administrators know, security comes from defense in depth. It's not enough to stick a single firewall in front of your network and hope for the best. Every machine needs to be securely configured so that only the required network ports are accessible, and this means that every machine needs to have its own firewall. Linux comes with its own industrial-strength, kernel-based packet filtering firewall, iptables. However, it's not particularly user-friendly, as a typical iptables rule looks something as follows: iptables -A INPUT -d 10.0.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT It would be nice to be able to express firewall rules in a more symbolic and readable way.
Essential SQLAlchemy by Rick Copeland
(PyCrypto is available from the Python Package Index via “easy_install pycrypto”.) The encrypted extension provides the DSL statement acts_as_encrypted( ), which takes the following parameters: for_fields= List of field names for which encryption will be enabled with_secret='abcdef' A secret key used to perform encryption on the listed fields The encrypted extension is particularly useful when data must be stored on an untrusted database or as part of a defense-in-depth approach to security. For instance, you might encrypt passwords that are stored in the database. Keep in mind, however, that the source code of your application must be kept in a trusted location because it specifies the encryption key used to store the encrypted columns. Versioned Extension The elixir.ext.versioned extension provides a history and versioning for the fields in an entity.
The Diamond Age by Neal Stephenson
British Empire, clean water, dark matter, defense in depth, digital map, edge city, Just-in-time delivery, low earth orbit, Mason jar, pattern recognition, sensible shoes, Silicon Valley, Socratic dialogue, South China Sea, the scientific method, Turing machine, wage slave
The Throneless King was Confucius, and Lau Ge was now the highest-ranking of all the mandarins. The Encyclopædia did not say much more about Colonel Arthur Hornsby Moore, except that he'd resurfaced as an adviser a few years later during some outbreaks of nanotech terrorism in Germany, and later retired and became a security consultant. In this latter capacity he had helped to promulgate the concept of defense in depth, around which all modern cities, including Atlantis/Shanghai, were built. Nell cooked the Constable an especially nice dinner one Saturday, and when they were finished with dessert, she began to tell him about Harv and Tequila, and Harv's tales of the incomparable Bud, their dear departed father. Suddenly it was about three hours later, and Nell was still telling the Constable stories about Mom's boyfriends, and the Constable was continuing to listen, reaching up occasionally to fiddle with his white beard but otherwise displaying an extremely grave and thoughtful countenance.
The Coastal Republic checkpoints at the intersections of the roads were gray and fuzzy, like house-size clots of bread mold, so dense was the fractal defense grid, and staring through the cloud of macro- and microscopic aerostats, Hackworth could barely make out the hoplites in the center, heat waves rising from the radiators on their backs and stirring the airborne soup. They let him pass through without incident. Hackworth expected to see more checkpoints as he continued toward Fist territory, but the first one was the last; the Coastal Republic did not have the strength for defense in depth and could muster only a one-dimensional picket line. A mile past the checkpoint, at another small intersection, Hackworth found a pair of very makeshift crucifixes fashioned from freshly cut mulberry trees, green leaves still fluttering from their twigs. Two young white men had been bound to the crucifixes with gray plastic ties, burned in many places and incrementally disemboweled. From the looks of their haircuts and the somber black neckties that had been ironically left around their necks, Hackworth guessed they were Mormons.
The Practice of Cloud System Administration: DevOps and SRE Practices for Web Services, Volume 2 by Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
active measures, Amazon Web Services, anti-pattern, barriers to entry, business process, cloud computing, commoditize, continuous integration, correlation coefficient, database schema, Debian, defense in depth, delayed gratification, DevOps, domain-specific language, en.wikipedia.org, fault tolerance, finite state, Firefox, Google Glasses, information asymmetry, Infrastructure as a Service, intermodal, Internet of things, job automation, job satisfaction, Kickstarter, load shedding, longitudinal study, loose coupling, Malcom McLean invented shipping containers, Marc Andreessen, place-making, platform as a service, premature optimization, recommendation engine, revision control, risk tolerance, side project, Silicon Valley, software as a service, sorting algorithm, standardized shipping container, statistical model, Steven Levy, supply-chain management, Toyota Production System, web application, Yogi Berra
At the same time 1 to 5 percent of all disks will die and each machine will crash at least twice (2 to 4 percent failure rate) (Dean 2009). Graceful degradation, discussed previously, means software is designed to survive failures or periods of high load by providing reduced functionality. For example, a movie streaming service might automatically reduce video resolution to conserve bandwidth when some of its internet connections are down or otherwise overloaded. The other strategy is defense in depth, which means that all layers of design detect and respond the failures. This includes failures as small as a single process and as large as an entire datacenter. An older, more traditional strategy for achieving reliability is to reduce the chance of failure at every place it can happen. Use the best servers and the best network equipment, and put it in the most reliable datacenter: There will still be outages when this strategy is pursued, but they will be rare.
., 79 “Choose Your Own Adventure” talk, 173 Chubby system, 231, 314 Churchill, Winston, 119 Classification systems for oncall, 292 Clos networking, 137 Cloud computing era (2010-present), 469–472 Cloud-scale service, 80–81 global load balancing methods, 82, 83–85 internal backbones, 83–84 points of presence, 83–85 CM (configuration management) languages, 260–262 CMDB (Configuration Management Database), 222 CMM (Capability Maturity Model), 405–407 CNN.com web site, 13–14 Code approval process, 47–48 automated reviews, 268–269 lead time, 201 live changes, 236 sufficient amount, 269–270 Code latency in DevOps, 178–179 Code pushes description, 225, 226 failed, 239–240 Code review system (CRS), 268–269 Cognitive systems engineering (CSE) approach, 248 Cold caches, 106 Cold storage factor in service platform selection, 54 Collaboration in DevOps, 183 Collection systems, 345 central vs. regional collectors, 352–353 monitoring, 349–353 protocol selection, 351 push and pull, 350–351 server component vs. agents vs. pollers, 352 Colocation CDNs, 114 service platform selection, 65–66 Command-line flags, 231 Comments in style guides, 267 Commit step in build phase, 202–203 Commodity servers, 463 Communication emergency plans, 317–318 postmortems, 302 virtual offices, 166–167 Compensation in oncall schedules, 290 Compensatory automation principle, 244, 246–247 Compiled languages, 260 Complementarity principle, 244, 247–248 Compliance in platform selection, 63 Comprehensiveness in continuous deployment, 237 Computation, monitoring, 353–354 Confidence in service delivery, 200 Configuration automating, 254 deployment phase, 213–214 in designing for operations, 33–34 DevOps, 185 four-tier web service, 80 monitoring, 345–346, 362–363 Configuration management (CM) languages, 260–262 Configuration Management Database (CMDB), 222 Configuration management strategy in OS installation, 219 Configuration packages, 220 Conflicting goals, 396–397 Congestion problems, 15 Consistency ACID term, 24 CAP Principle, 21 Consistency and partition tolerance (CP), 24 Constant scaling, 475–476 Containers, 60–62 Content delivery networks (CDNs), 114–116 Content distribution servers, 83 Continuous builds in DevOps, 186 Continuous Delivery, 223 Continuous delivery (CD) deployment phase, 221 DevOps, 189–192 practices, 191 principles, 190–191 Continuous deployment DevOps, 186 upgrading live services, 236–239 Continuous improvement technique DevOps, 153, 183 service delivery, 201 Continuous integration (CI) in build phase, 205–207 Continuous tests, 186 Contract questions for hosting providers, 64–65 Contributing conditions analysis (CCA), 301 Control in platform selection, 64 Convergent orchestration, 213–214 Cookies, 76–78 Coordination for oncall schedules, 290 Core drivers capacity planning, 373–374 defined, 366 Coredumps, 129 Corporate emergency communications plans, 317–318 Corpus, 16–17 Correlation coefficient, 367 Correlation in capacity planning, 375–378 Costs caches, 105 cloud computing era, 469–470 dot-bomb era, 464–465 first web era, 459 platform selection, 63–64 pre-web era, 454 second web era, 468–469 service platform selection, 66–67 TCO, 172 Counters in monitoring, 348–350, 358 CPU core sharing, 59 Crash-only software, 35 Crashes automated data collection and analysis, 129 software, 128–129 Craver, Nick, 430 CRS (code review system), 268–269 CSE (cognitive systems engineering) approach, 248 Current usage in capacity planning, 368–369 Customer functionality, segmentation by, 103 Customers in DevOps, 177 Cycle time, 196 Daemons for containers, 61 Daily oncall schedules, 289 Dark launches, 233, 383–384 Dashboards for alerts, 293 Data analysis in capacity planning, 375–380 Data import controls, 41–42 Data scaling in dot-bomb era, 463 Data sharding, 110–112 Database-driven dynamic content, 70 Database views in live schema changes, 234 Datacenter failures, 137–138 Dates in design documents, 277, 282 Dawkins, Richard, 475 DDoS (distributed denial-of-service) attacks, 140 Deallocation of resources, 160 Dean, Jeff canary requests, 131 scaling information, 27 Debois, Patrick, 180 Debug instrumentation, 43 Decommissioning services, 404 assessments, 437–438 description, 156 overview, 160 Dedicated wide area network connections, 83 Default policies, 40 Defense in depth, 119 Defined level in CMM, 406–407 Degradation, graceful, 39–40, 119 Delays in continuous deployment, 238 Delegating capacity planning, 381 Delegations of authority in Incident Command System, 324 Deming, W. Edwards, 172 Denial-of-service (DoS) attacks, 140 Dependencies containers, 60–61 service launches, 158 Deployment and deployment phase, 195, 197, 211 approvals, 216–217 assessments, 444–445 configuration step, 213–214 continuous delivery, 221 defined, 196 DevOps, 185 exercises, 223 frequency in service delivery, 201 infrastructure as code, 221–222 infrastructure automation strategies, 217–220 installation step, 212–213 installing OS and services, 219–220 KPIs, 392–393 operations console, 217 physical machines, 217–218 platform services, 222 promotion step, 212 summary, 222–223 testing, 215–216 virtual machines, 218 Descriptions of outages, 301 Descriptive failure domains, 127 Design documents, 275 adopting, 282–283 anatomy, 277–278 archive, 279–280 changes and rationale, 276 exercises, 284 overview, 275–276 past decisions, 276–277 review workflows, 280–282 summary, 283 templates, 279, 282, 481–484 Design for operations, 31 access controls and rate limits, 40–41 auditing, 42–43 backups and restores, 36 configuration, 33–34 data import controls, 41–42 debug instrumentation, 43 documentation, 43–44 exception collection, 43–44 exercises, 50 features, 45–48 graceful degradation, 39–40 hot swaps, 38–39 implementing, 45–48 improving models, 48–49 monitoring, 42 operational requirements, 31–32 queue draining, 35–36 redundancy, 37 replicated databases, 37–38 software upgrades, 36 startup and shutdown, 34–35 summary, 49–50 third-party vendors, 48 toggles for features, 39 Design patterns for resiliency.
Ansible for DevOps: Server and Configuration Management for Humans by Jeff Geerling
AGPL, Amazon Web Services, cloud computing, continuous integration, database schema, Debian, defense in depth, DevOps, fault tolerance, Firefox, full text search, Google Chrome, inventory management, loose coupling, microservices, Minecraft, MITM: man-in-the-middle, Ruby on Rails, web application
It’s a little like user and group file permissions, but allowing far finer detail—with far more complexity. You’d be forgiven if you disabled SELinux or AppArmor in the past; both require extra work to set up and configure for your particular servers, especially if you’re using less popular distribution packages (extremely popular packages like Apache and MySQL are extremely well supported out-of-the-box on most distributions). However, both of these tools are excellent ways to add defense in depth to your infrastructure. You should already have decent configurations for firewalls, file permissions, users and groups, OS updates, etc. But if you’re running a web-facing application—especially one that runs on a server with any other applications—it’s great to have the extra protection SELinux or AppArmor provides from applications accessing things they shouldn’t. SELinux is usually installed and enabled by default on Fedora, RedHat and CentOS systems, is available and supported on most other Linux platforms, and is widely supported through Ansible modules, so we’ll cover SELinux in a bit more depth.
Spam Nation: The Inside Story of Organized Cybercrime-From Global Epidemic to Your Front Door by Brian Krebs
barriers to entry, bitcoin, Brian Krebs, cashless society, defense in depth, Donald Trump, employer provided health coverage, John Markoff, mutually assured destruction, offshore financial centre, payday loans, pirate software, placebo effect, ransomware, Silicon Valley, Stuxnet, the payments system, transaction costs, web application
While having antivirus software and a firewall on your system can help ward off threats, these are far from panaceas, and today’s cyberthreats are being built to evade detection by these, especially in that critical first twelve-to twenty-four-hour period after which the malware is blasted out via spam and social networking site links. It’s important to understand that a key tenet of securing any system is the concept of “defense in depth,” or having multiple layers of security and not depending too much on any one approach or technology to block all attacks. And guess which layer is the most important one of all? You! Memorize and practice Krebs’s “Three Rules for Online Safety,” and you will drastically reduce the chances of handing over your computer or mobile device to the bad guys. In short: •Rule 1: “If you didn’t go looking for it, don’t install it.”
Guadalcanal Diary by Richard Tregaskis
Hunt’s CP, later in the afternoon, I heard the official news that Matanikau and Kokumbona had been taken. Gunner Edward S. Rust (of Detroit, Mich.), an officer attached to Col. Hunt’s staff, came in to tell an exciting tale of the Matanikau attacks. Rust had accompanied Capt. Spurlock’s troops—the group which closed in on Matanikau from the jungle or land side—and had seen plenty of action. Capt. Spurlock’s forces had run into Jap entrenchments, good defenses in depth which had been hard to take. They had killed sixty to seventy of the defenders, and a handful had escaped. THURSDAY, AUGUST 20 Awakened this morning by the sound of cannonading, coming from the direction of Tulagi. Getting to be a routine occurrence. I quickly went to Kukum, where a group of marines stood on the beach looking toward the north. “A damn Jap cruiser was in, shelling Tulagi,” said one of the watchers.
Seeking SRE: Conversations About Running Production Systems at Scale by David N. Blank-Edelman
Affordable Care Act / Obamacare, algorithmic trading, Amazon Web Services, bounce rate, business continuity plan, business process, cloud computing, cognitive bias, cognitive dissonance, commoditize, continuous integration, crowdsourcing, dark matter, database schema, Debian, defense in depth, DevOps, domain-specific language, en.wikipedia.org, fault tolerance, fear of failure, friendly fire, game design, Grace Hopper, information retrieval, Infrastructure as a Service, Internet of things, invisible hand, iterative process, Kubernetes, loose coupling, Lyft, Marc Andreessen, microservices, minimum viable product, MVC pattern, performance metric, platform as a service, pull request, RAND corporation, remote working, Richard Feynman, risk tolerance, Ruby on Rails, search engine result page, self-driving car, sentiment analysis, Silicon Valley, single page application, Snapchat, software as a service, software is eating the world, source of truth, the scientific method, Toyota Production System, web application, WebSocket, zero day
Examples of constant integration of recovery into daily processes include the following: Building integration environments Building testing environments Regularly replacing nodes in production clusters If your environment does not allow for enough opportunities to rebuild data stores, you can also create a continuous testing process, whereby recovery of the most recent backup is a constant process, followed by verification of the success of that restore. Regardless of the presence of automation, even off-site backup tiers do require occasional testing. With these building blocks, you can create a defense in depth for different recovery scenarios. By mapping out the scenarios and tools used to recover them, you can then begin evaluating your needs in terms of development and resources. Championing Recovery Reliability Much of this section has been about creating infrastructure and focusing on enabling development teams to make better choices about how they store, change, and recover their data.
Trying to do multiple things at once either doubles the time it takes to complete the task or doubles the mistakes.1 A team that’s expected to make progress with project work while being expected to be available for interrupt work (tickets, on-call, walk-ups) is destined to fail. And yet, operations attracts people who like being distracted by novel events. Do one thing at a time. “Timebox” inbound communications as well as interrupt time. Operations teams are expected to manage risk and uncertainty for their organization. We build philosophies for reasoning about risk; strategies for coping with bad outcomes; defense in depth, playbooks, incident management, escalation policies, and so on. When humans are exposed to uncertainty, the resultant “Information Gap” results in a hunger for information, often exaggerated past the point of utility.2 This can lead to information overload in the shape of ludicrously ornate and hard-to-understand dashboards, torrents of email, alerts, and automatically filed bugs. We all know engineers who have hundreds of bugs assigned to them, which they cannot possibly ever fix, but refuse to mark them “Won’t Fix.”
House to House: An Epic Memoir of War by David Bellavia
Fallujah is shaping up to be the Verdun of the War on Terror. We face a battle of attrition fought within a maze of interlocking fortresses. Attrition is such a sterile word. We’ll be trading our lives for theirs. Sims makes it clear that our initial objectives will be heavily defended. The insurgents have deployed foreign fighters on the city’s approaches. They form the outer crust of their defense-in-depth, so we will face them first. Intelligence reports tell us we’ll face Syrians, Iranians, Saudis, Filipinos, even Italians and Chechnyans. They’re well trained, ideologically motivated, and armed with ample ammunition and equipment. They’ve trained for years to kill us infidels. Some have cut their teeth in Chechnya, Afghanistan, and Somalia. They are veterans just like us—a regular Islamist all-star team.
Scratch Monkey by Stross, Charles
Somehow she got her hand around the slippery-slick head of the halberd, just behind the hook-and-blade; using it as a staff made it easier to shuffle along. For a moment she hesitated: willing to do anything to get out of this madhouse, even to the extent of ditching a fellow-inmate. But that would be -- no. If he's part of some kind of resistance I need him. Got to get his friends behind me and set the tide turning. Organize a defense in depth fuckwads won't work for me so I'll get a new bunch in charge and let them do it. Ow! My back is never going to be the same again. Which way is home? Laboriously, painfully, Oshi crept out into the corridor. Ignoring the corpse of the Goon, she trudged towards the darkened stretch of passage. Something rang a bell within her, rewinding her sense of direction: sometime soon -- Disorientated though she was, her backbrain navigator kept her on course for the vestibule.
The Seventh Sense: Power, Fortune, and Survival in the Age of Networks by Joshua Cooper Ramo
Airbnb, Albert Einstein, algorithmic trading, barriers to entry, Berlin Wall, bitcoin, British Empire, cloud computing, crowdsourcing, Danny Hillis, defense in depth, Deng Xiaoping, drone strike, Edward Snowden, Fall of the Berlin Wall, Firefox, Google Chrome, income inequality, Isaac Newton, Jeff Bezos, job automation, Joi Ito, market bubble, Menlo Park, Metcalfe’s law, Mitch Kapor, natural language processing, Network effects, Norbert Wiener, Oculus Rift, packet switching, Paul Graham, price stability, quantitative easing, RAND corporation, recommendation engine, Republic of Letters, Richard Feynman, road to serfdom, Robert Metcalfe, Sand Hill Road, secular stagnation, self-driving car, Silicon Valley, Skype, Snapchat, social web, sovereign wealth fund, Steve Jobs, Steve Wozniak, Stewart Brand, Stuxnet, superintelligent machines, technological singularity, The Coming Technological Singularity, The Wealth of Nations by Adam Smith, too big to fail, Vernor Vinge, zero day
This sort of charmless arrogance—The Holy Land… we must have that—doesn’t much suit our age. Gatekeepers, after all, depend on the good will of the gatekept. But Lloyd George’s comprehensive view should be a model. What oil and irrigation and Suez were to the British Empire, finance and data flows and gates are to our age. 4. Hard Gatekeeping echoes the postures of some of the most enduring orders in human history—the “defense in depth” of the Roman Empire, for instance, or the protective isolation of Tokugawa Japan or the walls of Han China. The aim of these systems was to survive through defense. Strategists of those empires learned they should avoid attack except when absolutely necessary; a defensive posture was safer. Gatekeeping is similar. It resists unnecessary profligacy. Hard Gatekeeping can be summarized simply: The development and control of the physical and topological spaces that will define any nation’s future security.
The Longest Day by Cornelius Ryan
As Otway marched quickly through the night, small groups of his men appeared everywhere, confirming his worst suspicions. He wondered just how bad the drop had been. Had his special glider train been scattered, too? Otway badly needed the glider-borne guns and other equipment if his plan of assault was to succeed, for Merville was no ordinary battery. Around it ranged a formidable series of defenses in depth. To get to the heart of the battery—four heavy guns in massive concrete emplacements—the 9th would have to pass through mine fields and over antitank ditches, penetrate a fifteen-foot-thick hedge of barbed wire, cross more mine fields and then fight through a maze of machine-gun-filled trenches. The Germans considered this deadly fortification with its garrison of two hundred men almost impregnable.
Our 50-State Border Crisis: How the Mexican Border Fuels the Drug Epidemic Across America by Howard G. Buffett
Over time and thanks to complaints from ranchers, many agents become educated to these issues and change their behavior, but BP agents are rotated frequently and there is significant attrition. Ranchers have to start all over again. Another common complaint is that BP sends too many agents to staff inland checkpoints instead of stopping smugglers and illegal border crossers right at the border. BP uses a layered strategy called Defense in Depth that means there are roadside checkpoints as well as permanent checkpoints well inland of the border. Today, by law, only authorized federal agents can actually stop and detain individuals suspected of immigration violations. I think the inland checkpoints represent a solid approach, especially when K-9s are used, but I also think it’s a fair question to ask if you need only fully authorized, armed agents in large numbers at these locations, or if at least some of the duties could be handled by other categories of BP personnel.
On Thermonuclear War by Herman Kahn
This did have the danger that the attacker had exposed flanks which might be pinched off by the defender, but it was assumed, and correctly, that in the confusion of the attack the defender would generally not be able to exploit this weakness of the attacker; that before the defender could organize a counterattack and cut off the penetrating troops, they would have had time to fan out and attack the bypassed troops from the rear. Since the new tactic was not so dependent on a lengthy preliminary artillery barrage it allowed the Germans to use surprise attack tactics. The Germans also developed the counter to this attack, which was to organize a defense in depth, a defense that did not care if it was penetrated. The new tactic was not invented by the Germans. A French officer, a Captain Laffargue, had found out experimentally the value of the new tactic and had written a remarkably complete pamphlet on the new ideas. His ideas had no effect on the French or English, but a copy fell into the hands of the Germans, and according to Captain G. C. Wynne it was: ". . . the concise expression of a doctrine which exactly corresponded to the course they themselves had been trying to follow by cumbersome and slow degrees.
They had a treaty of mutual assistance with France, signed December 1925, pledging each party to come immediately to the support of the other in the event of unprovoked aggression on the part of Germany. They had concluded a similar treaty with Russia in May 1935, which would apparently bring the Soviets to the aid of Czechoslovakia if the Franco-Czech pact went into operation. In support of these two agreements, France had signed a pact of mutual assistance with Russia in 1935. With French cooperation they had built a miniature Maginot Line providing for a defense in depth behind which the Czech General Staff were confident that their excellently equipped army of forty divisions could hold up any German attack for at least six weeks, by which time it was supposed that France and Russia would be engaging the aggressor on the West and the East, respectively. This plan ignored the extreme defensive-mindedness of the French and the counter-deterrent of the Siegfried Line built in 1936.
Beautiful security by Andy Oram, John Viega
Albert Einstein, Amazon Web Services, business intelligence, business process, call centre, cloud computing, corporate governance, credit crunch, crowdsourcing, defense in depth, Donald Davies, en.wikipedia.org, fault tolerance, Firefox, loose coupling, Marc Andreessen, market design, MITM: man-in-the-middle, Monroe Doctrine, new economy, Nicholas Carr, Nick Leeson, Norbert Wiener, optical character recognition, packet switching, peer-to-peer, performance metric, pirate software, Robert Bork, Search for Extraterrestrial Intelligence, security theater, SETI@home, Silicon Valley, Skype, software as a service, statistical model, Steven Levy, The Wisdom of Crowds, Upton Sinclair, web application, web of trust, zero day, Zimmermann PGP
256 CHAPTER SIXTEEN Better Practices for Desktop Security What can computer users do to improve on the current, unsatisfactory security situation? First, you will need to embrace the fact that there is no silver bullet or all-powerful talisman that will make your computer invulnerable to malware infection. We suggest dual principles to guide you: • Security is about assessing and reducing risk, not making intrusions impossible. • Simpler solutions tend to be better ones. A related and well-known principle—defense in depth—suggests using a mix of solutions. This does not mean you have to resort to the “more is better” approach of resource-hungry, intrusive, and annoying HIPS products or sandboxing. Although these approaches have merit in expert hands for specific situations, we don’t find them appropriate for average users who cannot make the choices they require and don’t really need such über-paranoid configurations.
Atrocity Archives by Stross, Charles
airport security, anthropic principle, Berlin Wall, brain emulation, British Empire, Buckminster Fuller, defense in depth, disintermediation, experimental subject, glass ceiling, haute cuisine, hypertext link, Khyber Pass, mandelbrot fractal, Menlo Park, MITM: man-in-the-middle, NP-complete, the medium is the message, Y2K, yield curve
Extensive safety protocols are discussed which must be implemented before this technology can be deployed nationally, in order to minimize the risk of misactivation. Projected deployment of CCTV monitoring in public places is estimated to result in over one million cameras in situ in British mainland cities by 1999. Coverage will be complete by 2004""06. Anticipated developments in internetworking and improvements in online computing bandwidth suggest for the first time the capacity of achieving a total coverage defense-in-depth against any conceivable insurgency. The implications of this project are discussed, along with its possible efficacy in mitigating the consequences of CASE NIGHTMARE GREEN in September 2007 . . . . Speaking of Mahogany Row, Angleton's picked the boardroom with the teak desk and the original bakelite desk fittings, and frosted windows onto the corridor, as the venue for my debriefing. He's sitting behind the desk tapping his bony fingers, with Andy looking anxious and Boris imperturbable when I walk in and flip the red MEETING light on.
Dangerous Waters: Modern Piracy and Terror on the High Seas by John S. Burnett
British Empire, cable laying ship, Dava Sobel, defense in depth, Exxon Valdez, Filipino sailors, illegal immigration, Khyber Pass, low earth orbit, Malacca Straits, North Sea oil, South China Sea, transcontinental railway, UNCLOS, UNCLOS
Three or four of these devices, each the size of a large teacup, connected by wire to a shore station, detect anomalies on the otherwise smooth lines of the vessel’s hull. The line of sensors would be strung on the seafloor under the channel over which all ships pass, and trigger an alarm. One complete line of sensors, he estimates, costs between $15,000 and $20,000. “I would have thought the system is cheap considering the alternative.” “At the end of the day,” he says, “it is not just about new gadgets but about the human factor. What is needed is defense in depth, but today the precautions still stop at the waterside. Risk assessment still rules the sea. It will take six to twelve months just to change the mindset. Our own government’s attitude and that of others is that we will muddle through, we always have. They have the attitude of the bobby on the beat.” There are significant international efforts to combat terrorism and piracy at sea, and while well intentioned, they are the workings of a large international bureaucracy that plods along at a dolorously slow pace.
Hot: Living Through the Next Fifty Years on Earth by Mark Hertsgaard
addicted to oil, Berlin Wall, business continuity plan, carbon footprint, clean water, Climategate, Climatic Research Unit, corporate governance, cuban missile crisis, decarbonisation, defense in depth, en.wikipedia.org, Fall of the Berlin Wall, fixed income, food miles, Intergovernmental Panel on Climate Change (IPCC), Kickstarter, megacity, Mikhail Gorbachev, mutually assured destruction, peak oil, Port of Oakland, Ronald Reagan, Silicon Valley, smart grid, South China Sea, the built environment, transatlantic slave trade, transit-oriented development, University of East Anglia, urban planning
"We're Repeating the Same Mistakes" Going forward, the question is whether New Orleans can realistically be defended against the Category 4 and 5 hurricanes that will become more common during global warming's second era. The Dutch example suggests that, technologically, the answer is yes. The social context of New Orleans, however, gives much less reason for confidence. "It's very important for the rest of America to understand that we can protect Louisiana if we want to," said van Heerden, who, in his book The Storm, urged a three-layered approach to hurricane protection known as "defense in depth." "For your inner layer of defense," van Heerden told me, "you put hardened levees or flood walls in front of major population centers [such as New Orleans] or other high-value assets. You protect that inner layer with a middle layer of defense, which is comprised of as large an expanse of swamp or wetlands as possible to absorb and weaken incoming storm surges. The data suggest that every mile of wetlands reduces storm surge by 0.7 feet, and every mile of swamp reduces it by 5 to 6 feet.
One Bullet Away: The Making of a Marine Officer by Fick, Nathaniel C.(October 3, 2005) Hardcover by Nathaniel C. Fick
Mortars continued to fall, including one that hit the pavement nearby, throwing sparks into the sky. When our turn came, each Humvee swung around to the south, and we accelerated behind War Pig, passing the rest of the battalion as it sat facing north. The night was moonless, with a low overcast threatening rain. Helicopters could not fly under the weather, and jets above it couldn’t provide accurate close air support. Facing a coordinated defense-in-depth, with little idea of what lay to the north, the colonel decided to pull back two kilometers and set up a hasty defense on the roadside. With a little distance between us and the enemy positions, we could call in jets and wait for daylight. I lined the platoon up along a berm a few hundred meters off the road. War Pig had done most of the shooting, so the Marines weren’t too amped-up. We started watch rotations, and I crawled under the Humvee to enjoy an hour’s insomnia.
The Precipice: Existential Risk and the Future of Humanity by Toby Ord
3D printing, agricultural Revolution, Albert Einstein, artificial general intelligence, Asilomar, Asilomar Conference on Recombinant DNA, availability heuristic, Columbian Exchange, computer vision, cosmological constant, cuban missile crisis, decarbonisation, defense in depth, delayed gratification, demographic transition, Doomsday Clock, Drosophila, effective altruism, Elon Musk, Ernest Rutherford, global pandemic, Intergovernmental Panel on Climate Change (IPCC), Isaac Newton, James Watt: steam engine, Mark Zuckerberg, mass immigration, meta analysis, meta-analysis, Mikhail Gorbachev, mutually assured destruction, Nash equilibrium, Norbert Wiener, nuclear winter, p-value, Peter Singer: altruism, planetary scale, race to the bottom, RAND corporation, Ronald Reagan, self-driving car, Stanislav Petrov, Stephen Hawking, Steven Pinker, Stewart Brand, supervolcano, survivorship bias, the scientific method, uranium enrichment
Like the dust kicked up by an asteroid, the lethal substance could have spread everywhere in the environment; like a pandemic it could be carried by people wherever people go; or in an intentional plan to cause extinction, it could be actively targeted to kill each last pocket of survivors. We can fight a risk at any of these stages: prevention can avoid its origin, response can limit its scaling, and resilience can thwart its endgame. Depending on the risk, we may want to direct our efforts to the most efficient stage at which to block it, or adopt a strategy of defense-in-depth, addressing all stages at once. This classification lets us break down the probability of extinction into the product of (1) the probability it gets started, (2) the probability it reaches a global scale given it gets started, and (3) the probability it causes extinction given it reaches a global scale: Prevention, response and resilience act to lower each factor respectively. Because the probabilities are multiplied together, we can see that a reduction in one factor by some amount would be matched by reducing any other factor by the same proportion.
The Cold War by Robert Cowley
anti-communist, Berlin Wall, British Empire, cuban missile crisis, defense in depth, Dissolution of the Soviet Union, Doomsday Clock, friendly fire, Henry Ford's grandson gave labor union leader Walter Reuther a tour of the company’s new, automated factory…, means of production, Mikhail Gorbachev, mutually assured destruction, RAND corporation, refrigerator car, Ronald Reagan, South China Sea, Stanislav Petrov, transcontinental railway
He not only wanted to contain it, he wanted to inflict maximum punishment on the enemy. He knew that for the time being, he would have to give some ground, but he wanted the price to be high. South of the Han River, he assigned Brigadier General Garrison Davidson, a talented engineer, to take charge of several thousand Korean laborers and create a “deep defensive zone” with a trench system, barbed wire, and artillery positions. Ridgway also preached defense in depth to his division and regimental commanders in the lines they were holding north of the Han. Although they lacked the manpower to halt the Chinese night attacks, he said that by buttoning up tight, unit by unit, at night and counterattacking strongly with armor and infantry teams during the day, the U.N. army could inflict severe punishment on anyone who had come through the gaps in their line.
A Better War: The Unexamined Victories and Final Tragedy of America's Last Years in Vietnam by Lewis Sorley
Military Efforts” reported that “in the last six months our military efforts against enemy main force units seem to be significantly improved,” citing changed operational tactics under Abrams as the reason. “We are using more small patrols for intelligence and spoiling, and we are conducting fewer large-scale sweeps, and those sweeps that we are conducting are smaller in territorial scope. General Abrams has begun to concentrate much more on area control than on kills. He has been aided in this approach by his defense in depth, particularly around the major cities.”28 Saigon, the most major city of all, was a showcase for this new approach. The impact of these changes on the Saigon government’s outlook was just as Abrams had anticipated. “I am more optimistic now,” confirmed newly appointed Premier Tran Van Huong. “It is working much better. Abrams . . . is a good man, shrewd, sincere, a fighter. No politics.”29 Even General Vo Nguyen Giap, the venerable North Vietnamese commander, testified to the changes.
We Were Soldiers Once...and Young: Ia Drang - the Battle That Changed the War in Vietnam by Harold G. Moore, Joseph L. Galloway
Mcculley and his men headed out at a low crouch, moving fast in short bounds across the open ground under heavy enemy automatic-weapons fire. They lost two killed and two wounded--including Sergeant Mcculley, who was wounded in the neck--during the dangerous move but finally made it to the right center of the Charlie Company sector, about fifteen yards behind their lines. There, taking up positions that gave them good fields of fire, the remnants of the 2nd Platoon men provided some measure of defense in depth to Charlie Company. But the loss of four men crossing the clearing convinced me that further internal movements were inadvisable until we reduced the enemy grazing fire. Unnoticed at my command post because of the deafening uproar from the Charlie and Delta Company sectors was a stiff little firefight taking place forty yards north, involving Specialist Wallenius and his fellow Bravo Company, 2nd Battalion mortarmen.
Hunting in the Shadows: The Pursuit of Al Qa'ida Since 9/11: The Pursuit of Al Qa'ida Since 9/11 by Seth G. Jones
airport security, battle of ideas, defense in depth, drone strike, Google Earth, index card, Khyber Pass, medical residency, Murray Gell-Mann, RAND corporation, Saturday Night Live, Silicon Valley, trade route, WikiLeaks
Haqqani had been described by the Soviet government, which had a high threshold for violence itself, as “a cruel and uncompromising person” who “displays exceptional brutality toward people suspected of loyalty to the ruling regime.”12 This mixture of fighters was a good illustration of the close links the Taliban and other Afghan militant groups had with al Qa’ida. In the Shah-i-Kot, they communicated through couriers as well as on VHF and HF radios. They also used more arcane ways to send messages, such as blankets and smoke and flares. The enemy, led by Mansour and supported by al Qa’ida fighters, planned to employ a “defense in depth” strategy if they were attacked, inflicting as many casualties as possible on American and allied soldiers instead of denying access. They would permit U.S. and allied forces to enter the lower Shah-i-Kot Valley, draw them in, and engage targets of opportunity. Enemy observation posts provided early warning of approaching U.S. forces. Mansour’s Taliban forces were arrayed in two outer security belts, where they manned checkpoints and lookout positions.
The Gun by C. J. Chivers
air freight, Berlin Wall, British Empire, cuban missile crisis, defense in depth, G4S, illegal immigration, joint-stock company, Khartoum Gordon, mutually assured destruction, offshore financial centre, Ponzi scheme, RAND corporation, South China Sea, trade route, Transnistria
And Captain Meinertzhagen, who published his diaries years later and with the benefit of seeing the outcome on the Western Front, could not, even with the passing of time, understand the technical picture for what it was: Intensive machine-gun fire could hardly be beaten back by men with rifles using tactics of yore. By this time, the Western Front was taking on an air of permanence, and the war in Europe was settling into the shape for which it would be remembered. The trench systems were a complicated and carefully considered network. A set of forward trenches served as the front line, supporting trenches were dug farther back, and the reserve trenches farther still—all part of a defense in depth that could absorb an enemy thrust. Along the lines, trenches rarely ran in straight lines for any distance; soldiers dug them according to the contours of the countryside—the sides of hills, across knolls, in positions overlooking concealed routes of approach—in ways that gave the occupants a commanding view of the ground out front. This maximized their defensive potential by providing clear fields of fire into likely infiltration routes.
Dead or Alive by Tom Clancy, Grant (CON) Blackwood
active measures, affirmative action, air freight, airport security, Bay Area Rapid Transit, Benoit Mandelbrot, defense in depth, failed state, friendly fire, Google Earth, Panamax, post-Panamax, Skype, uranium enrichment, urban sprawl
Each ‘packet’ will be encased in two nested canisters, one made of almost an inch of a highly corrosion-resistant metal called Alloy 22, then a two-inch-thick second canister made of something called 316NG—essentially, nuclear-grade stainless steel. Overhanging the nested canisters will be a titanium shield designed to protect them from seepage and falling rocks.” “Is that something you’re worried about?” Steve smiled. “Engineers don’t worry. We plan. We try to model every possible scenario and plan for it. These three components—the two nested canisters and the titanium shield—form what we call a ‘defense-in-depth.’ The packets will be stored horizontally and commingled with different grades of waste, so each chamber maintains a uniform temperature.” “How big are these packets?” “About six feet in diameter and ranging in length from twelve to eighteen feet.” “What happens if the packets get . . . misplaced?” the other California candidate asked. “Couldn’t happen. The number of steps involved to move a packet and the people that have to sign off on it make that a virtual impossibility.
America in the World by Robert B. Zoellick
Albert Einstein, anti-communist, banking crisis, battle of ideas, Berlin Wall, Bretton Woods, British Empire, Corn Laws, coronavirus, cuban missile crisis, defense in depth, Deng Xiaoping, Donald Trump, Douglas Engelbart, Douglas Engelbart, energy security, European colonialism, facts on the ground, Fall of the Berlin Wall, hypertext link, illegal immigration, immigration reform, imperial preference, Isaac Newton, Joseph Schumpeter, land reform, Mikhail Gorbachev, MITM: man-in-the-middle, Monroe Doctrine, mutually assured destruction, Norbert Wiener, Paul Samuelson, RAND corporation, reserve currency, Ronald Reagan, Ronald Reagan: Tear down this wall, Scramble for Africa, Silicon Valley, The Wealth of Nations by Adam Smith, trade liberalization, transcontinental railway, undersea cable, Vannevar Bush, War on Poverty
The pre–Constitutional Congress, meeting in Annapolis over the winter of 1783–84, had been slow to gather a quorum of states. While waiting, Jefferson, brimming with plans for the new republic, wrote thirty-one reports in four months, including a paper on coinage that led to the adoption of the dollar and decimal system.1 On March 1, 1784, Jefferson presented a committee plan for the governance of the trans-Appalachian territories. Jefferson viewed these lands as vital to U.S. security; they offered “defense in depth” against neighboring European colonies. Jefferson had helped organize Virginia’s military expedition to seize the Illinois country, and as governor had ceded vast real estate to the Confederation’s Western Reserve. But security required settlement.2 The key principle of Jefferson’s committee report was that new lands should become coequal states with the original thirteen. Indeed, in seeking states of approximately the same size, Jefferson recommended fourteen new states, even outnumbering the thirteen of the Revolution, and giving the entrants more votes than their predecessors under the Articles of Confederation.3 This powerful republican principle was not Jefferson’s alone, although he had first included it in a draft constitution for Virginia in 1776.
Without Remorse by Tom Clancy
Grishanov was quite proud of it, not the least because it was the clear presentation of a highly sophisticated operational concept. Zacharias ran his fingers over it, reading the notations in English, which looked incongruous on a map whose legend was in Cyrillic. He smiled his approval. A bright guy, Kolya, a good student in his way. The way he layered his assets, the way he had his aircraft patrolling back rather than forward. He understood defense in depth now. SAM traps at the ends of the most likely mountain passes, positioned for maximum surprise. Kolya was thinking like a bomber pilot now instead of a fighter jock. That was the first step in understanding how it was done. If every Russian PVO commander understood how to do this, then SAC would have one miserable time ... Dear God. Robin's hands stopped moving. This wasn't about the ChiComs at all.
Why the West Rules--For Now: The Patterns of History, and What They Reveal About the Future by Ian Morris
addicted to oil, Admiral Zheng, agricultural Revolution, Albert Einstein, anti-communist, Arthur Eddington, Atahualpa, Berlin Wall, British Empire, Columbian Exchange, conceptual framework, cuban missile crisis, defense in depth, demographic transition, Deng Xiaoping, discovery of the americas, Doomsday Clock, en.wikipedia.org, falling living standards, Flynn Effect, Francisco Pizarro, global village, God and Mammon, hiring and firing, indoor plumbing, Intergovernmental Panel on Climate Change (IPCC), invention of agriculture, Isaac Newton, James Watt: steam engine, Kickstarter, Kitchen Debate, knowledge economy, market bubble, mass immigration, Menlo Park, Mikhail Gorbachev, mutually assured destruction, New Journalism, out of africa, Peter Thiel, phenotype, pink-collar, place-making, purchasing power parity, RAND corporation, Ray Kurzweil, Ronald Reagan, Scientific racism, sexual politics, Silicon Valley, Sinatra Doctrine, South China Sea, special economic zone, Steve Jobs, Steve Wozniak, Steven Pinker, strong AI, The inhabitant of London could order by telephone, sipping his morning tea in bed, the various products of the whole earth, The Wealth of Nations by Adam Smith, Thomas Kuhn: the structure of scientific revolutions, Thomas L Friedman, Thomas Malthus, trade route, upwardly mobile, wage slave, washing machines reduced drudgery
In 297 Rome even got some revenge for Valerian by capturing the Persian royal harem. The emperor Diocletian (reigned 284–305) exploited this turnaround with administrative, fiscal, and defensive reforms that adapted the empire to deal with the new world. The army more or less doubled in size. The frontiers never entirely settled down, but Rome was now winning more battles than it lost, blunting Germanic raids with defense in depth and wearing the Persians down in sieges. To handle all this activity Diocletian split his job into four parts, with one ruler and a deputy handling the western provinces and another ruler and deputy the eastern. Predictably, the empire’s multiple rulers fought two-, three-, or four-way civil wars as often as they fought external enemies, but compared to the twenty-seven-way civil war in China’s Jin Empire in the 290s, this was stability indeed.
Hirohito and the Making of Modern Japan by Herbert P. Bix
When a huge American armada closed on Saipan in mid-June to begin the conquest of the main Japanese bases in the Marianas, the Combined Fleet threw in a restored strike force of nine carriers and more than 460 aircraft to oppose the landings.95 The ensuing naval, air, and land battles of the Marianas, fought between June and August 1944, were the decisive battles of the war for the Japanese navy and its air force. Three Japanese aircraft carriers were sunk and 395 planes shot down, without inflicting any serious damage on the American invasion force.96 After desperate fighting, in which Japanese ground commanders once again failed to prepare adequate defenses in depth, Saipan, Guam, and Tinian fell and quickly became forward U.S. bases for long-range B-29 (“Superfortress”) bombers. The capture of Saipan on July 7, 1944, was a particularly heavy blow for the high command. Resistance was bitter, and when it ended, after three weeks, Japan had lost virtually the entire garrison of 23,811 as well as ten thousand noncombatants.97 It had also lost control of the air and the seas everywhere in the Pacific.
Fall; Or, Dodge in Hell by Neal Stephenson
Ada Lovelace, augmented reality, autonomous vehicles, back-to-the-land, bitcoin, blockchain, cloud computing, coherent worldview, computer vision, crossover SUV, cryptocurrency, defense in depth, demographic transition, distributed ledger, drone strike, easy for humans, difficult for computers, game design, index fund, Jaron Lanier, life extension, microbiome, Network effects, off grid, offshore financial centre, pattern recognition, planetary scale, ride hailing / ride sharing, sensible shoes, short selling, Silicon Valley, telepresence, telepresence robot, telerobotics, The Hackers Conference, Turing test, Works Progress Administration
You now have unlimited read-only access to Dodge’s Brain. As long as you remember that password—and no one steals it.” Meaning that she could read all she wanted and write programs that would pull data from the files, but not alter them. “And are we going to stick with old-school passwords?” Sophia asked. “No, we are not,” C-plus said. “Over time you want to migrate over to a DID protocol.” Sophia knew what it meant: Defense in Depth. Instead of all-or-nothing access to a whole system, you sort of had to work your way in, proving and reproving who you were using various factors. To make a long story short, it wasn’t very useful unless it was hooked up to a PURDAH-based system. Because that was the whole point of anonymous holography: your identity was verifiable not because you happened to know a password but because of your “handwriting”—which here meant just about every way in which you made an impression on the world.
Strategy: A History by Lawrence Freedman
Albert Einstein, anti-communist, Anton Chekhov, Ayatollah Khomeini, barriers to entry, battle of ideas, Black Swan, British Empire, business process, butterfly effect, centre right, Charles Lindbergh, circulation of elites, cognitive dissonance, coherent worldview, collective bargaining, complexity theory, conceptual framework, corporate raider, correlation does not imply causation, creative destruction, cuban missile crisis, Daniel Kahneman / Amos Tversky, defense in depth, desegregation, Edward Lorenz: Chaos theory, en.wikipedia.org, endogenous growth, endowment effect, Ford paid five dollars a day, framing effect, Frederick Winslow Taylor, Gordon Gekko, greed is good, information retrieval, interchangeable parts, invisible hand, John Nash: game theory, John von Neumann, Kenneth Arrow, lateral thinking, linear programming, loose coupling, loss aversion, Mahatma Gandhi, means of production, mental accounting, Murray Gell-Mann, mutually assured destruction, Nash equilibrium, Nelson Mandela, Norbert Wiener, Norman Mailer, oil shock, Pareto efficiency, performance metric, Philip Mirowski, prisoner's dilemma, profit maximization, race to the bottom, Ralph Nader, RAND corporation, Richard Thaler, road to serfdom, Ronald Reagan, Rosa Parks, shareholder value, social intelligence, Steven Pinker, strikebreaker, The Chicago School, The Myth of the Rational Market, the scientific method, theory of mind, Thomas Davenport, Thomas Kuhn: the structure of scientific revolutions, Torches of Freedom, Toyota Production System, transaction costs, ultimatum game, unemployed young men, Upton Sinclair, urban sprawl, Vilfredo Pareto, War on Poverty, women in the workforce, Yogi Berra, zero-sum game
Jomini, Liddell Hart, and John Boyd had referred to this level as one for grand tactics. Jomini described these as “the maneuvering of an army upon the battle-field, and the different formation of troops for attack.” Luttwak believed that the operational level was the critical sphere for generalship and for that reason deplored its absence in contemporary American military thought. It was there that “schemes of warfare such as blitzkrieg or defense in depth evolve or are exploited.” Americans had neglected this because of their dependence on an “attrition style of war.”26 The idea of an operational level of war as a politics-free zone where commanders could demonstrate their mastery of managing large forces over wide areas in a series of complex engagements with the enemy was an inheritance from von Moltke. It was given added salience because of its prominence in Soviet military thought.
Debt of Honor by Tom Clancy
airport security, banking crisis, Berlin Wall, buttonwood tree, complexity theory, cuban missile crisis, defense in depth, job satisfaction, low earth orbit, margin call, New Journalism, oil shock, Silicon Valley, tulip mania, undersea cable
Each system-trio had battery backups sufficient to run the hardware for twelve hours. New York safety and environmental codes perversely did not allow the presence of emergency generators in the buildings, an annoyance to the systems engineers who were paid to worry about such things. And worry they did, despite the fact that the duplication, the exquisite redundancies that in a military context were called "defense in depth," would protect against anything and everything that could be imagined. Well, nearly everything. On the front service panel of each of the mainframes was an SCSI port. This was an innovation for the new models, an implicit bow to the fact that desktop computers were so powerful that they could upload important information far more easily than the old method of hanging a tape reel. In this case, the upload terminal was a permanent fixture of the system.
Executive Orders by Tom Clancy
affirmative action, Ayatollah Khomeini, card file, defense in depth, Dissolution of the Soviet Union, experimental subject, financial independence, friendly fire, lateral thinking, Monroe Doctrine, one-China policy, out of africa, Own Your Own Home, plutocrats, Plutocrats, rolodex, South China Sea, trade route
The guards would be wary, and though they couldn't check everything-even the American Secret Service had limits on its time and resources-he couldn't afford to dawdle. His initial impressions were not at all favorable. Access was limited. So many students-picking out the right two would be difficult. The guards were many and dispersed. That was the bad part. Numbers mattered less than physical space. The most difficult defense to breach was a defense in depth, because depth meant both space and time. You could neutralize any number of people in a matter of seconds if you had the proper weapons and they were bunched up. But give them anything more than five seconds, and their training would kick in. The guards would be well-drilled. They'd have plans, some predictable, some not. That Coast Guard boat, for example, could dart into shore and take the targets clear.
Reaganland: America's Right Turn 1976-1980 by Rick Perlstein
"Robert Solow", 8-hour work day, affirmative action, airline deregulation, Alistair Cooke, American Legislative Exchange Council, anti-communist, Ayatollah Khomeini, Berlin Wall, Bernie Sanders, Brewster Kahle, business climate, clean water, collective bargaining, colonial rule, COVID-19, Covid-19, creative destruction, crowdsourcing, cuban missile crisis, currency peg, death of newspapers, defense in depth, Deng Xiaoping, desegregation, Donald Trump, energy security, equal pay for equal work, facts on the ground, feminist movement, financial deregulation, full employment, global village, Golden Gate Park, illegal immigration, In Cold Blood by Truman Capote, index card, indoor plumbing, Internet Archive, invisible hand, Julian Assange, Kitchen Debate, kremlinology, land reform, Marshall McLuhan, mass immigration, MITM: man-in-the-middle, Monroe Doctrine, moral panic, mutually assured destruction, New Journalism, oil shock, open borders, Potemkin village, price stability, Ralph Nader, RAND corporation, rent control, road to serfdom, Robert Bork, rolodex, Ronald Reagan, Rosa Parks, Saturday Night Live, Silicon Valley, traveling salesman, unemployed young men, union organizing, unpaid internship, Unsafe at Any Speed, Upton Sinclair, upwardly mobile, urban decay, urban planning, urban renewal, wages for housework, walking around money, War on Poverty, white flight, WikiLeaks, Winter of Discontent, yellow journalism, Yom Kippur War, zero-sum game
.… And it roared.… I looked out the window and I saw this huge column going up in the air and roaring.” A worker had mistakenly left open a valve, which stuck, displacing the water required to cool the core of Three Mile Island’s Unit 2. Several minutes of confused frenzy followed—thanks to an unintended consequence of a design feature actually described by Jack Lemmon in The China Syndrome: “ ‘Defense in depth.’ That means backup systems to backup systems”—more than one hundred alarms shrieking at once. Each represented a single failed backup system. Since so many were sounding, it was impossible to determine which required attention. The first official word from a representative of the utility company Metropolitan Edison, or Met-Ed, was “Everything is under control. There is and was no danger to public health.”