Mehari Pro

Posted 7 November 2014 by vfp15
Categories: Information Security

I am reading up on Mehari, the suite of FREE risk management tools from CLUSIF, the French association of information security professional. (Yes, it’s FREE. Really, 100% free. A software implementation costs money, but you don’t need the software. You can work with the free Excel spreadsheets perfectly well.)

The thing is so dry and low-key, so unsexy that it might put off people new to it, especially in these “Age of Bling” times. Also, there seems to be very little in the way of books about Mehari (no “Mehari for Dummies” for instance).


However, because it’s French, it’s popular among those Quebec civil servants who care about risk and other information security professionals. Upper cadres (oh, I shouldn’t write this,..) are risk analysis averse because it brings ugly little problems to the forefront when they’d prefer those problem to remain hidden…

A Mehari project begins by looking at the big picture: what is at stake, what is it that the organization can lose and how losing this or that asset would impact the concern, This makes Mehari extremely attractive to me.

When talking about business continuity planning (or crisis management, disaster recovery, and other related disciplines), it would always bother me that people would fixate on specific scenarios: what do we do if there is a flood, what do we do if there is a fire. I prefer abstract scenarios about the impact of an event. By focusing on losses, for instance losing specific systems or other information assets, Mehari gets it right.

Mehari’s real problem is that it is huge. Such a heavy system has little chance of making it into an organization. By the time enough people understand it sufficiently well to use it efficiently, the team will have turned over and the organization will have lost its institutional memory.

But last year, ASIQ (l’Association de la sécurité de l’Information du Québec, sorry French only) came up with Mehari Pro, a scaled down version of Mehari that can be rapidly implemented. It’s especially suited to small organizations, but it can just as well be used by small departments of large organizations, Unfortunately it’s only available in French for the moment. Should CLUSIF adopt it, I hope it will be translated. A tool like this could have a huge impact on the profession.

Copyright 2014 Vincent Poirier Read the rest of this post »


First Amazon review since September!

Posted 16 February 2014 by vfp15
Categories: Information Security

I just reviewed Bruce Schneier’s excellent Applied Cryptography.


It’s a fantastic reference on cryptographic protocols and techniques and despite being written in 1996, the material s not dated.

This is my first review, and my first blog post, since I started my new job. I haven’t been reading as much and I’ve been busy looking for a place to live, buying it, and moving in. Over the Christmas Holidays no less!


Vincent Poirier, Quebec City

What has happened to us?

Posted 20 September 2013 by vfp15
Categories: Information Security

I stopped by my old junior high school earlier today, École secondaire Saint-Germain (it’s actually the Saint-Germain campus of the École secondaire Saint-Laurent). All the doors were locked, including the main entrance for teachers and visitors. I rang and they let me in. I had not visited the school in 34 years and I just wanted to walk around the hallways. The secretary told me I’d have to talk to the school principal. While I was waiting, I took a look at the commemorative plate by the entrance; the school I attended from 1977 to 1979 was built in 1953 and blessed by Cardinal Paul-Émile Léger, a man I’ve actually met as a boy when he came to pay his respects at my aunt’s wake.

The principal finally appeared. He was a young man who might not have been born when I was a student in his school. He told me it would not be possible for me to visit, for security reasons.

What has the world come to when a man can’t visit his old school? Where is the trust? Security is as much about trust as it is about control.  Now, I will concede that a school’s mission isn’t to allow a middle aged man to relive his early teens, and I will also concede that we are more conscious of security than we used be. But then why didn’t the young principal offer to take ten minutes to accompany me on a round? I asked and he told me he had work to do. At this point I wasn’t dealing only with bureaucratic rules anymore, I was dealing with someone who simply wanted me to leave. I won’t single him out though: it’s an attitude he shares with too many of his colleagues. The ones who thought up these rules, for starters.

I held my ground. I insisted and he realized that if he toured the place with me, he’d get rid of me more quickly than if he argued with me for fifteen minutes.  I got my visit,  but the young principal wasn’t happy about it.

Would we find this obsession with control and security in Europe? I suspect not. For instance, I’ve always found passport control in France, the UK, and Germany to be less authoritarian than in Canada or the USA.  Today in Quebec we are debating whether or not we ought to allow teachers to wear kippahs, turbans, or hijabs and all this in the name of Quebec values. However, hiding behind a fig leaf we call “security”, we’ve joined the rest of North America and we’ve adopted a Soviet style of bureaucratic legalism. We’ve forgotten what it means to be kind, thoughtful, and considerate.

Copyright 2013, Vincent Poirier

Edward Snowden, the NSA, and Isaac Asimov

Posted 17 June 2013 by vfp15
Categories: Governance, Information Security

Spoiler alert

I give away the ending of Isaac Asimov’s 1956 SF story entitled “The Dead Past”. If you plan to read it and don’t want the  ending revealed, consider yourself warned.

I’ve made up my mind about Edward Snowden and the National Security Agency, affectionately known as the NSA.

  • Edward is the good guy in all this.
  • The NSA is not actually evil.
  • An exhaustive and rational public debate on privacy and security is overdue.

As a bonus, I am pleasantly surprised to find Isaac Asimov correctly predicted all this, though he made the government into the good guys and us common folks into the unwitting bad guys.

Edward Snowden is the good guy

First, calling him a traitor is just plain wrong. He did not sell out his country’s interests to a foreign power: he sought to inform his own countrymen of something their own government is doing.  He did not hurt anyone, he did not reveal details that would harm individual operatives, he did not divulge anyone’s private data.

It is legitimate to refuse to obey an illegal order, and it might be necessary to report criminal activities. If the whistleblower doesn’t trust official channels, he will use unofficial channels. That’s what Snowden did and breaking his confidentiality agreement with the NSA will hurt him. There is a chance that it will pay off (book royalties, speaking engagements) but there is a bigger chance that it will land him in jail for 25 years.

The NSA is not evil

Nevertheless, nothing in what I’ve read so far about what the NSA is doing has surprised me. If anything, there is more oversight than I though there was. I don’t think the oversight is sufficient or that it is effective enough, but it is not at zero and that’s a start.

The NSA and other agencies have to spend resources on obfuscating those to whom they report. That’s wrong but it’s also human nature and should be expected. And of course that is precisely why current oversight isn’t enough.

So what has the NSA been doing?

It’s been looking at metadata for every digital message going through the USA. Metadata is all about the envelope: the destination, the sender, the size and weight, when and how often the two parties exchange information. Metadata is everything about the message except the message itself. Let me emphasize that this is not trivial data. It’s important and anyone collecting such ought to be held responsible in some way about what they do with that data.

NSA Seal

The NSA is  searching through terabytes and terabytes of data for a few interesting kilobytes. Think needle in a haystack: we are NOT the needle, we are the hay and we DO want the needle found.

It’s been studying the data for patterns. Think putting together pieces of a jigsaw puzzle. Basic investigating objectives. Again not only do we want this to happen, we don’t really mind when Google or Facebook do it. If we did mind, we’d stop using Google and Facebook, right? Why should the NSA not be allowed to do what private corporations are doing all the time?

And the NSA is probably storing the data they gather, or at least I expect they are. Somewhere secret. To be taken out at need. Occasionally shared with other agencies. Like the IRS, customs, and immigration. That’s creepy and no, I do not think that is something we want.

Time to debate

The problem isn’t so much what the NSA is doing, it’s first that we don’t know what they are doing and second we know they are keeping their overseers from finding out.

We can certainly understand why the NSA doesn’t want to tell us what they know. It’s not because the government knows something that it should reveal it. I do want Revenu Quebec to have my tax records on file but I do not want them to make those records public.

I do want the police to catch criminals, and I do not want criminal suspects to read on the internet how well or how badly the investigation is going.


But I do want the police accountable. I want them to follow approved procedures and I want them to be under permanent scrutiny. Police forces are subject to oversight and they are reasonably transparent. In the end, their investigation will be on trial along with the suspect: if the police is found to have violated proper procedures, the suspect walks free. That’s a big incentive for the police to follow the law.

What the NSA does is preventive. If they work well, they never get to trial which is another reason why they need oversight. Their work needs to be scrutinized and if they cross a line, they need to be taken to task.

Isaac Asimov’s The Dead Past

Asimov got it...

Asimov got it…

Isaac Asimov has written about privacy and technology in one of his own favorite stories entitled “The Dead Past“.

The story takes place in the mid 21st century. A historian specializing in Carthage wants access to a chronoscope in order to have a look at Carthage as it was at the time of Hannibal. Chronoscopes are huge expensive machines under government control and time on them is precious. His request is turned down.

The historian and a science journalist to whom he turns for advice together find out that chronoscopes should be easy to build, and that the government has been keeping that fact secret.

Government agents confront them and we learn why the government has been suppressing chronoscope technology: when does the past start? A mere moment ago is the past. The chronoscope can look at the past, so it can look anywhere it wants as long as it is a millisecond ago.

Asimov’s chronoscope would make privacy impossible and in a chronoscope world we would find ourselves living in a fish bowl.  Welcome to today’s internet.

The only thing Asimov got wrong was who cared more about privacy. In his story, it’s the government who cares about our privacy while it’s the citizens who don’t understand the harmful consequences of the device on that privacy. In this case, it is we the citizens who understand and worry about the loss of our privacy resulting from government actions.

Copyright 2013, Vincent Poirier

(Pet peeve: I’m getting sick and tired of US media, US officials, and US citizens always talking about the safety of Americans this or the values of Americans that. Guys, clue into this: we are all sharing the same living space and you are the elephant in the room. When you sneeze, we worry.)

Still around, what with all that’s happening!

Posted 11 June 2013 by vfp15
Categories: Governance, Information Security, Operational Risk

I am working again (yippee!).  I’m an IT auditor for the Quebec government. I’m bound by confidentiality rules so it’s safer not to talk too much about my work.

The main information security story in the news is of course the NSA’s snoopîng in phone records and that this was leaked by a 29 year old private consultant to the CIA.

Some hail him as a hero, others call him a grandiose narcissist who deserves to be in prison. I am reserving judgement.

For one thing, it’s not clear what the NSA did was wrong. Its mandate is to make the United States safe after all, and the NSA is subject to congressional oversight. They did acquire and mine mountains of phone records, but without targetting individuals and without actually listening to conversations (probably).

A question we need to answer to our satisfaction is what do we mean by “privacy”?

We accept some government intrusion and that our right to keep secrets should sometimes be curtailed: we can’t secretly carry drugs or weapons on planes. This essay by law professor Daniel Solove proposes that privacy should be seen not as a single attribute in need of protection, but as a family of related concepts involving things from surveillance to interference.

Solove argues thar privacy involves much more than the right to keep secrets. For instance, when a government agency collects data on us, we ought to have a say in how that data is used. And when private data is gathered for a specific purpose, we ought to be able to restrict its use to that purpose.

Before we start getting to worked up about what the NSA is doing, we need to understand what it is in fact doing and what we mean when we say our privacy is being violated.

Copyright 2013, Vincent Poirier

Philosophy puns on Facebook

Posted 21 April 2013 by vfp15
Categories: Miscellaneous


A recent post by my friend Daniel Beck on Facebook led to a Barry B. Longyear type battle among friends. An epic perhaps, but then again perhaps we should all be hanged, drawn, and quartered for this. Thankfully,  judicial torture has been abolished as a punishment.

On April 10th, Daniel Beck shared an image that read:

I would like to make a pun about philosophy, but I Kant.


Vincent Poirier: I knew you could Russell up something.
10 April at 17:44

Andy Boon: But that might be putting Descartes before the horse…
10 April at 17:45

Vincent Poirier: Well, that wraps it up Locke, stock, and barrel.
10 April at 17:46

Andy Boon: I think we can be pretty sure of that. It is a dead Sartre.
10 April at 17:49

Vincent Poirier: Oh, look at Andy, Dan. He just Hobbes along.
10 April at 17:50

Andy Boon: I’m just trying to find my Nietzsche in life.
10 April at 17:51 · Unlike · 3

Vincent Poirier: When Hegel freezes over.
10 April at 17:51

Andy Boon: Well, sometimes it’s a lot of trouble. Life can be such a Husserl.
10 April at 17:52

Vincent Poirier: Another hit, you’re quite the Marx man I see.
10 April at 17:53

Andy Boon: Well, sometimes I feel that I am buried under a lot of soil. I need a Heidegger to get me out!
10 April at 17:54

Vincent Poirier: Euclidding. You gotta be.
10 April at 17:54

Andy Boon: Well, recently I have a lot on my Plato.
10 April at 17:55

Vincent Poirier: Arrrrrrrr…istotle.
10 April at 17:55

Andy Boon: Oh you are Socrates (such a tease) Socrates!
10 April at 17:56

Vincent Poirier: Dennett, I can’t beat that.
10 April at 17:57

Andy Boon: Are you Sassure?
10 April at 17:57

Vincent Poirier: Gödel only knows.
10 April at 17:57

Andy Boon: What the Foucault!
10 April at 17:58

Vincent Poirier: OK, you win. That’s where we should Engel it.
10 April at 17:59

Andy Boon: Or protect the captain of the Starship Enterprise – we should Kierkegaard.
10 April at 18:01

Jerry Talandis Jr.: Ha! Too funny. Here are more philosophy puns…

Steve Cornwell: Yes, but if Genghis Khan, then why Immanuel Kant?
10 April at 18:55

My New Year’s Resolution

Posted 29 December 2012 by vfp15
Categories: Opinion

My New Year’ s resolution is to boycott so-called reality TV shows and Candid Camera type shows. They debase us. This BBC clip is intended as a documentary report but it is itself part of the problem.

It’s about psychologists repeating the Milgram experiment first conducted in the 1960s. It showed that when instructed to do something we would normally never consider doing, like hurting someone who has never hurt us, we do it if the instruction comes from someone with authority. This experiment so traumatized test subjects (the ones tricked into thinking they were inflicting painful shocks on someone else) that it was afterwards considered unethical to conduct it.

We can forgive Milgram for conducting this experiment: experimental psychology was in its infancy and he might not have realized the effect the experiment would have on the test subject. Conducting it once early on was OK, but now that we have the results, why conduct it again? It was repeated anyway. Haven’t we learned anything?


Big science blindly following orders

Never mind that the test results are about the same, just please consider the people who produced this piece. In the name of entertaining an audience they are willing to traumatize someone. Aren’t the actions of the producers and the psychologists just as clear a demonstration of the human trait they are investigating?

The original Candid Camera starring Allen Funt played good natured practical jokes on people: they secretly spun restaurant tables to move the coffee cup away from unwitting diners or they put a humongous tanks in a VW Beetle to bewilder the gas station attendant filling it up. That was cute and clever but today things are getting out of hand. Today we trick pet owners into thinking their little canary has been eaten by a cat or we confront minimum wage fast food workers with extra agressive customers.

What has happened to courtesy? Why do we debase ourselves by watching some people deprive others of their dignity?

 Copyright 2012, Vincent Poirier

%d bloggers like this: