Cryptography Brakes Big Data

No, that's not a typo, it's pithy commentary!

So, what do brakes have to do with cryptography and Big Data?  Actually quite a bit.

People forget that, in the litany of technological safety advances that have been added to cars, brakes weren't there from the beginning.  Although horse and steam-powered transportation had used a wooden block that would press against a wooden wheel, internal combustion engines also ushered in the use of rubber tires, for which wooden brakes were useless.  Looking through the history books, it wasn't until Renault invented the first drum brake in 1902 that internal-combustion engine automobiles got a viable braking system.  When brakes were added to cars, they could actually go faster... in the decade before drum brakes were added to automobiles, your speed was regulated by your sense of how long it would take for you to coast to a stop if something stepped in front of you.  Once brakes were added, automobiles could go 10, 15, even 20 miles per hour!  This is a perfect example of a control, that would literally control the speed of the car.

I'd contend that appropriate uses of cryptography, anonymization and tokenization permits confidential and private data to be used in Big Data and Cloud repositories, enabling the business to go faster.  Without the right controls to provide safe use of sensitive information, Big Data and Cloud are both hampered by how much private and confidential data can be analyzed.  By adding controls, we enable the business to maximize the level of value, without increasing the risk.

There you have it - you can now tell the business you want to allow them to go faster, by applying controls in much the same way as their car.

Pi and Writing your own SAML Engine

Writing your own SAML Engine, like Pi, is not rational.  Unlike Pi, it can seem rational.  I promise you, writing your own SAML engine is not a rational act.  I have coached and counseled dozens of third-party developers, to the point of even getting in their face, and they don't quite believe me.  Hopefully you'll take this to heart, and avoid some pain.

I've been implementing SAML since 2002.  In fact, I've been doing commercial SAML as long as anyone has.  I was tech lead on the team that was the first to deploy SAML in the real world for real transactions.  We implemented the very first SAML interface to a 3rd party August of 2002, and then did the first 3-way handshake (chained assertion) a few minutes later.  Our commercial system, doing financial transactions via SAML federation, went live 6-Jan-2003.  Since those early day of SAML 1.0, I've implemented dozens of SAML 1.0, 1.1 and 2.0 systems, in roles that have included identity architect, certification engineer, build/run team, solution architect and consultant.  Undoubtedly, there are folks with more SAML experience than I have, but I've got quite a bit, and several implementations that have created scars.

Now that you know my bona-fides, let me tell you why creating your own SAML engine is not a rational act... even though it may appear to be a great idea.

Coding a SAML engine is one of the great examples of a bear trap laid before developers called Just a Matter of Programming (JAMP).  It seems pretty simply, doesn't it?  This is just some WS-Security Web Services with a canonical XML construct, easy-peasy.   Add a dash of auth and a quick crypto lib call, and done!  Yeah, no.   I have not quite seen professional developers break down and cry, but I have seen highly-lauded developers with impressive resumes founder on the rocks of SAML, even though they had all the right skills on paper.  Developers with 10 years experience doing hundreds of custom Web Services implementations have failed to deliver.  In fact, I can confidently say that I have NEVER seen a home-grown SAML implementation delivered in less than 3 months overdue for Browser Artifact SAML, and Browser Post Profile SAML is even worse, because getting mutually authenticating digital certificates seems to be a barrier that crack programmers slam against unexpectedly.  The scary thing is that we're not talking about script kiddies, but highly qualified developers that I've seen fail repeatedly -- kinda like watching a NASCAR driver fail to parallel park when given 100 tries.  It's not an expected outcome.

Perhaps you've had differing experience.  If so, you've been lucky.  I have yet to discuss homegrown SAML engine development with an experienced federation colleague and have anyone take the position that writing your own SAML engine is a good idea.

I'll admit that it's been 14 years since I was a hard-core client-server developer.  I cannot speak authoritatively and explicitly to the exact reason why this is hard, but point out that a SAML engine is the intersection of interactive web-services, session management, access management, cryptography and web access management engines.  Add in load-balancers, firewalls, VLANs, application firewalls and packet rewrites along the way, and it's a devil's brew.  I've also noticed that the incredible complexity that has been added within .Net and Java means that developers increasingly do not have a strong systems perspective.  Most developers seem to focus entirely within software, so may not readily understand network communications and protocols.  Whatever the actual cause, I can tell you that it's a big barrier.

Homegrown SAML engines also have enormous quality problems.  Since the Sunny Day positive- test scenario takes weeks to develop and get working, you can bet there is a lot of buggy code that will be discovered as unexpected conditions result in un-trapped exceptions.  In one notable case I saw a decade ago, whenever a load balancing error resulted in a timeout, an un-trapped exception in the code caused the last session to be provided to the new user -- session hijacking was the result.

Without a commercial SAML engine, who will provide documentation, support, training, maintenance, patching, upgrades and troubleshooting?  With a commercial SAML engine, changing the SAML exchange is a simple configuration change, while home-grown SAML means custom code changes.  Hopefully, the hot-shot developer who decided to write a custom engine is still available, and can figure out their code... but, frequently, they've already moved on.

Now that ADFS 2.0 provides for full SAML 2.0 interoperability, there is no longer any excuse.  It's been bad practice for a decade, it's time to kill this practice once and for all.  If your developers want to play with SAML, let them do so at home.  Meanwhile, buy a commercial SAML engine.  You'll be glad you did.

The next time someone suggests coding their own SAML engine, tell them it's as rational as writing your own Microsoft Excel, since you don't want to pay $150 for a spreadsheet.  Sure, Excel is just some C++ code, so anyone could write a replacement Excel, but it's not a rational act!

On Password Complexity - and why it doesn't matter

The lowly password is one of the oldest technologies in recorded history that is still in use, right up there with beer, bread and bows.  So, why have we failed to eject passwords, even though we know better.  I mean, really, we all certainly know that passwords are prone to losing the very attribute that otherwise makes them useful, that of being a shared secret.  Once it becomes a discoverable or broadly-shared secret, game over.

So, how do we protect passwords?  Largely, we presume that controls added to the passwords themselves (length, complexity, age, history, randomness) will actually do some good.  For a short investment period, they do.  However, once you've added age, history and non-dictionary, the rest is a crap shoot.  The real problem that we have is that users are not like key generating machines - the passwords they select are decidedly NON-random, closely clustered on predictable fault-lines, and look more like housing tracks following BART stations than a random distribution.  With the advent of GPUs and collaborative hash-cracking rainbow table generation, even salted hash is rapidly eroding in usefulness.  We're reaching a real tipping point here, people, where it doesn't matter what you do to the password, it's reaching the pint where you can't add more complexity and still have a human remember it.  We're going to have to go to crazy salt next, where we salt our password hashes with 60-80 byte random strings.

Problem 2 with passwords is that we know they are trivial to crack if we can gain access to the hashes.  Passwords can be cracked in minutes, not days, and creating highly complex passwords doesn't really effectively change that problem space, particularly with GPUs and rainbow tables.  Here's a tough question you should be asking yourself:  Since we know that to be the case, why do you ask users to create and remember crazy complex passwords?

Here I insert a pseudo-joke told to me by Kevin Flanagan, awesome crypto guy at RSA.  He noted the irony that organizations achieve FFIEC multi-factor compliance and FedEx tokens to their customers, and then the user account is a Hotmail, GMail or Yahoo!mail account.  The irony is nearly snort-out-loud funny, except that it's one of pain.  When you have a super-strong password, yet the only thing required to change it is to login to a web-mail account, who are we kidding here?  If you're armoring passwords and not armoring your password reset process, you have ventured into the realm of self-delusion and waste.  You must armor both, if that is your path.  I think an alternative path is much better, personally.  Multi-factor, adaptive authentication, fraud detection over the life of the transaction, span of control & toxic combination/segregation of duties and authorization certification are far more effective than forcing KX@CWLIJv909rdRwp032 as a password.

No, we can't really rely on passwords much longer at all, their usefulness is fading like that of the buggy whip -- great technology that provided acceleration in transportation for 3000+ years that has been eclipsed.  Passwords are ready to fall into antiquated history as anything more than 1 factor amongst 3-4.  Once you're past 2 into multi-factor, why keep password at all?

My answer to 3 Tough Questions

Reprinted from interview with Brent Huston I provided on MSI:  State of Security

I recently spent some time discussion certifications, training, the future of the information security community and the “hacker conference” scene with Dan Houser. While I don’t agree with some of his views, especially about how hackers play a role in our community, I think his view points are interesting and worth a discussion. I also think his keen attention to sexism in our community is both timely and important for us to resolve. Here are my 3 Tough Questions for Dan.

----

Question #1: I know you are involved in a lot of professional organizations focused not only on providing continuing education for Information Security Professionals, but also on teaching information security skills to adults and children in the community. When Information Security Professionals come to training courses and seminars, we see they have a wide range of skills, various areas of interest and different levels of technical capability. Why do you think information security has so many problems with level-setting knowledge? Is it simply because there is such a large body of information that must be encompassed in order to be an effective security person? Or could it be the high rate of change present in the industry, or even a particular personality trait common to information security practitioners? Why is it so hard to build an Information Security Professional?

Mr. Houser: There are many reasons why it’s hard to build an Information Security Professional, (and there are some great clues in the awesome book “The Great Influenza” by John M Barry – this book is definitely worth a read!). In essence, we are building a new profession from the ground up, and 50% of the job titles you now see in information security (infosec) didn’t even exist 30 years ago. For example, my own job title didn’t exist 15 years ago: Sr. Security & Identity Architect. 

We can look to modern medicine as a parallel that began roughly 100 years ago. Although medicine has been practiced since someone first noticed bear grease on a wound seemed to help in healing, it’s only in the recent past that science was diligently applied to the practice of medicine. Law enforcement started experiencing the same thing when a scientific study of policing reversed a 4000 year old belief that patrolling was an effective deterrent to crime. The study showed that this practice in fact had a zero impact on crime prevention. Although I hope it won’t take us 4000 years to really move forward, we have to anticipate that there are a number of changes in our field that universities and corporations are finding difficult to track. One lesson we can learn from medicine is the advent of the “nurse practitioner”. This is a medical professional who has nearly the same skill in general medicine as a full M. D., but who only requires about half the investment in schooling. 

At this point, the information security industry does not have an undergraduate program, (at least one I’m familiar with), that can turn out graduates who are ready to jump right into InfoSec at a meaningful level. We also lack a journeyman/apprenticeship program in the profession. By studying our craft scientifically, encouraging professionalism, and understanding “what it is that makes a great Information Security Professional”, we will be able to determine the root studies necessary for competency, and get to train people on “the right thing”. 

We have to discard the notion that there is a single path to information security. We have to stop teaching InfoSec Professionals from curricula created to churn out developers, and understand the complete spectrum of pathways that lead to true information security. We need to understand what isvaluable (and what is not).

I have made an impassioned plea, (and continue to do so), for an investment in scientific study of the information security profession; in particular to understand the root causes behind the lack of women in the field. Are they not finding the same on-ramps as men? Are they taking an off-ramp due to sexism, lack of opportunity, lack of fulfillment? We have no clue as an industry. We have some solid data showing Science, Technology, Engineering and Math (STEM) issues with gender split, and that STEM isn’t engaging and keeping women in associated disciplines. But that doesn’t necessarily mean that that is the root cause in the information security industry; we just pretend to believe it is so. Just as police practiced patrolling and doctors used blood-letting, because “everyone knows it helps”. 

Our profession is at the same point as breast-cancer research (note: not being crass, I lost my Mom to cancer). We are focusing so much on walks, runs, screening and exams that we have COMPLETELY lost sight of the fact that 18,000 women in the US die each year from breast cancer, and we have NO CLUE WHY. Frankly, that ticks me off. We must focus on understanding the cause before we can make any reasonable statements about a cure.

Through an actual scientific study of the development of the Information Security Professional – and I’m talking by actual PhD sociologists and psych folks, not geeks in InfoSec — we can learn the actual on-ramps and off-ramps in our profession. What creates a strong InfoSec Professional, why women don’t enter or quickly leave the InfoSec Profession, and how to start repairing the actual problems with the industry instead of fighting only symptoms. That will usher in a new age for creating Information Security professionals, and truly achieve gender equity in our field.

Question #2: As you look to the future of information security, what do you see as the long term role of certifying bodies such as ISC2, ISACA, etc.? What about future roles of educational organizations such as OWASP, ISSA and the like?

Mr. Houser: I think that the future is bright for these organizations because we have a continued need for differentiating professionals from pretenders, and certification is the only mechanism I can currently see that allows us to know that an individual has attained a base level of competency in a stated area of expertise. According to Frost & Sullivan statistics, we’re going to be growing by nearly double in the next decade, which will create TREMENDOUS market pressures. We must find InfoSec professionals somewhere, and we must have mechanisms in place that allow us to determine whether or not they have the requisite skills. I see no other viable means of determining that cross-market other than certification. 

Additionally, Security and Audit professional certification authorities like (ISC)2, ASIS and ISACA provide a code of ethics that governs the membership. And that’s inherently quite valuable; to know that my peers have not only met an independent standard for competency and knowledge, but are also held to an ethical code of conduct for their behavior. With us doubling-down in the next decade, we’re going to have a lot of people entering the profession from other professions, and certifications will grow in importance. (ISC)2, ASIS and ISACA further promote professionalism through local chapter representation, which is another key way to tie together the complete package.

Educational organizations that provide solid educational experiences, such as ISSA, OWASP and Infragard, can also provide vital networking and educational programs in communities to broaden the reach of the InfoSec community. I’d also add that there are some non-traditional avenues that should be considered — such as LockSport/TOOOL, Make and Meetup IT communities who often fill in the edges of our BoK with valuable insights.

Question #3: What role does the “Not a Conference” movement like BSides, DerbyCon, NotaCon play in advancing Information Security?

Mr. Houser: Our profession is challenging the nature of information use, and the exceptionally difficult challenges we have in protecting intellectual property with an increasingly advanced foe in the face of mobile, big data, cloud and internationalization.  One challenge we have as an industry is understanding the role that non-traditional knowledge plays in moving the profession forward.  There is great excitement in the industry from less-formal means of sharing information, such as DefCon, BSides, NotaCon, DerbyCon — all great stuff.  Certainly, there is substantial value we gain from meeting in different ways to share knowledge with each other.  What we must be cognizant of is that these should become further pathways for intellectual pursuit, and not forces that hold us back – that we don’t lose sight in the “not-a-conference” up-the-establishment ribaldry that we are a serious profession with serious problems, and deserve to be taken seriously.  That doesn’t mean we can’t have fun, but have to be careful that we aren’t sending the message that any rank amateur can do the work of a security professional. 

Sure, there is a lot of talent in the hacker community, just like there are uber-thieves.  However, at some point, the FBI agent who hangs out with organized crime becomes part of the problem, and can no longer be differentiated from the good guys, and have shredded their image and reputation.  Greyhat is dangerous in what it can do to your reputation and the professionalism we’ve fought very hard to achieve over the past 25 years.  There is also the issue that you absorb from associating with amateurs – sure it’s refreshing and great to feel the passion from those who do it for the love, but the unguided amateur sends the wrong message about the profession.  If anyone can do it, with the huge scarcity of Information Security folks right now, then why should they pay you a professional rate, when they can get an amateur for $12 an hour? 

The other big issue I see from greyhat conferences is that many provide glorification and validation of hacking, which I think is freaking stupid – this is like arming terrorists.  By glorifying hackers, you’re recruiting for them and filling their ranks with talented people that are then going to fight against you.  How stupid is that?!?!?  Hackers are roaches that should be squashed, not bred to make them stronger.  So, InfoSec professionals are advised to study from afar, and not wallow in the grey/black hat mentality.  What I see in some of the “not a conference” tracks is that the response to a hacker zero-day has undergone a subtle but important transition, from “Wow, that’s stunning”, to “Wow, you’re awesome”, to “What you do is awesome”… which is a whisker from “please hack more”.  By treating hackers like rock stars, you encourage their craft.  That’s nothing less than arming your enemy.  Even if you aren’t cheering, does your presence validate?  Lie down with dogs, get up with fleas.  Careful, colleagues, you’re playing with fire, and we all may get burned.

Thanks to Dan for sharing his time with us and thanks to you for reading. I look forward to doing more 3 Tough Questions articles, and if there are people in the community you think we should be talking to, point them out to me on Twitter (@lbhuston) or in the comments.

I can't afford Microsoft Windows, I'm sticking with Mac

I'm old school Apple, my first computer was Apple ][+ in 1981.  However, I switched to MS-DOS in 1987, and I didn't use a Mac until a year ago.  Now it's my predominant platform.  I'm not going back to Windows, and it's not for any of the reasons you think.  

Now let's get the naysayers out of the way -- I was an NT admin for years, and Windows has been my predominant platform for over 20 years.  Back in my youth, I could make DOS and Windows dance, and even had published tech articles on Windows internals.  I have utmost respect for the awesome way that Microsoft has gone from the dregs of information security to leading the industry with the SDL.  It also has nothing to do, directly, with Linux, as I'm a relative N00b at Linux.  I get by, but am no expert.  I never thought I'd say "I'm a Mac guy."  I sneered at the Über-Mac snobs sipping latte while wearing black turtle-necks.  Until now.  Unexpectedly, I've become a "Mac guy", though I prefer straight black coffee and my black shirts say Harley-Davidson.

No, the reason I'm changing is one of simple economics.  Windows costs too much.

I know that that seems counter-intuitive, since a base model 8Gb MacBook Pro costs over $1500 with warranty, and a comparable base model Dell with Windows 8 is $1000 less.  No, the real issue is that the $1000 difference is a gap in price and not cost.   Mac has a higher price, Windows PCs have a higher cost.

As I look at my experience with Windows over the past 10+ years, it seems I spend about 20-30 hours a year dealing with various OS issues... patches, fixes, errors, blue screens of death, backups, firmware updates, video driver updates, abends, printer configs going haywire, support calls and more.  The 3rd party software model of Windows means that I'm fairly consistently installing something to update and reboot as a further interruption.  Then I go into work, and have to maintain that Windows platform too.  Since my job is measured by output, not time in the seat, it doesn't matter that I'm paid to do it, it's still time away from family.  That adds about 2 hours a month, conservatively.  That may not be your experience, but I'm using a personal computer at least 40 hours a week -- some weeks 70 hours, and I'm a power user.  I demand a lot from my machines. I'm also in security, so maintain a high security model, and that takes more care and feeding on a Windows platform than your normal user.

I don't have the same support problems with Mac.  It. Just. Works.  

Between maintaining home PC and dealing with work PC, that's a conservative 30 hours per year of extra time I spend keeping Windows going, instead of a BYOC model, and that's frustration and drudgery taking away from personal time.  My personal time is valuable.  If someone wanted to pay me to do drudgery instead of playing with my kids or riding my motorcycle, I'd charge them $50 an hour, minimum.  I figure Microsoft would have to pay ME to take a Microsoft PC at this point, just to make the economics work. The MacBook costs me $1500 capital for 3 years, and minor expense.  The Microsoft PC costs me $500 capital and $4500 expense over 3 years, or $5000 total.

So, Microsoft, if you send me two laptops and $3500, we'll call it even, and I'll use Windows 8 at home and work.  Otherwise, I'm a Mac, not a PC.

Peacemaking Criminology

"Peace is not the absence of conflict, it is the presence of justice." 
    - Dr. Martin Luther King

The principles of peacemaking criminology looks to the community to resolve the social issues causing crime, and prefers restoration and restitution in a participatory process, over retribution and punishment by the criminal justice system.  This Peacemaking Criminology perspective seems predicated on the belief that peace is brought about by removing all social ills and social injustice.  Rather than the conflict-based legal system where there is always one winner and one loser (either the criminal is convicted ((loser)) and state wins, or criminal is exonerated ((wins)) and the state loses), peacemaking criminology seeks to create a win-win system of criminology where agencies and criminals work together in order to address the social ills causing the crime and focusing on restoration and reparation.  This seems entirely based on the principle that the absence of conflict is the presence of peace.  

Harold E. Pepinsky and Richard Quinney advanced the theory of peacemaking criminology by advocating that society moves away from thinking that stopping crime is the answer to crime control, and that making peace between everyone, in particular, agencies of the criminal justice system and citizens.  The Peacekeeping Criminology theory advances principles of "commonsense" theories about crime, moving away from conflict based social policies based on classic methods of criminology, crime control as the enforcement and endorsement of human rights, the role of education in creating peace, and how community settings are utilized to address conflict resolution.

By ending human suffering via peacemaking and elimination of conflict, Quinney and Wilderman state that crime can be eliminated.  Instead of punishment, conflict resolution panels and alternative-dispute resolution is utilized to create participatory justice and focus on rehabilitation, repairing and restoration caused by crime, and that victims are centrally involved in the process of resolving crime.  Peacekeeping criminology presumes to advance social theories of criminology to the extent that both society and the criminal are presumed accountable for crime.

However, Dr. Martin Luther King, Jr. famously and correctly stated, "Peace is not the absence of conflict, it is the presence of justice."  A complete dictatorship where there is no conflict is not a system of peace, nor can there be peace without justice.   Critically, this theory seems incredibly naive, and you cannot solve crimes by providing a group hug.  What kind of reparation can you make for human suffering, loss of a limb/eye/mobility or death?  How will the destitute make reparations for thousands or even millions of dollars of damage from a crime?  The naive assumption that all crime can be blamed on society and societal problems, and that there is no personal accountability or psychology involved seems to have created a system that MIGHT operate effectively as arbitration for minor offenses, but seems ill-suited for violent crimes and felonies.

Indian reservations in the United States employ a number of alternative courts and dispute resolution processes, and many include restorative justice principles through alternative-dispute resolution.  As the article by Justin Peters published on Slate, Violent Crime on Indian Reservations Is Up, But Prosecutions Are Down demonstrates, violent crime on Indian reservations is more than 20 times the national average, and many estimate it to in fact be 200x more than the US.  The news article cites the reasons for this being ill-trained criminal justice systems, ineffective alternative-dispute resolution panels and general lack of quality in the agencies of criminal justice.  Violent crime cannot be resolved via dispute resolution, and drunken assaults are not going to be effected by the thought of going before a committee to explain your action.  Morning Star Brown, according to the article, had stabbed or threatened to stab her boyfriend's cousin, Jarret Two Bear, no fewer than 6 times in the 3 years of her relationship with her boyfriend.  She had been convicted of aggravated assault the year prior, but without effect.  Although it seems as though at least some of the courts adjudicating her various cases used classic retribution systems of incarceration, the overall lawlessness and prevalence of violent crime seems to have been caused by a lack of justice, not a lack of love and hugs by the community.  While the case could certainly be made that alcohol abuse was a substantive causative influence at the downfall of Morning Star Brown and the death of Jarret Two Bear. (Peters, Justin. 2013.)  

__

Peters, Justin. (2013).  Violent Crime on Indian Reservations Is Up, But Prosecutions Are Down. Slate, 8-Mar-2013. Retrieved 8-Mar-2013 from http://www.slate.com/blogs/crime/2013/03/08/morning_star_brown_violent_crime_on_indian_reservations_is_up_but_prosecutions.html 

Lying with Numbers

I've gotten feedback on "why quantitative measures are better", and how statistics provide a firm footing for higher-order discussions in our field.  Bullocks.

"There are three kinds of lies: lies, damned lies, and statistics." 
-Attributed by Mark Twain to Benjamin Disraeli, but actual source unknown

Gentle reader, please don't get sucked into the mythology of numbers.  I once was working with a veneer cutting laser system that was supposed to yield a 5-10% improvement in optimization of raw materials (which, if you've priced exotic hardwood veneer, you'll know that 1/4" of the really high-end stuff is about $.25, so gaining 1/4" on 5000 cuts a day really adds up).  After three days, the customer was yelling that our equipment was flawed and not calibrated correctly, because their waste scrap had gone UP not down.  

It turns out that the measurements were precise, but humans were gaming the system.  Through observation, we found substantial staff resistance to change had thwarted our efforts - they would take a precise measurement using the laser measuring systems, and then round up 1/4" to 3/8", just as they always had when using a measuring tape.  However, the human system meant that a 1/4" of rounding was actually barely sufficient sometimes, and was on a bell curve where the initial measurement was fractionally short.  

Why it had gotten worse was because, with precise measurements by lasers, the bell curve was flattened into a tight plateau.  The entire rounding padding added by the cutting staff was scrap, since the laser cutter was never "too short".  Precision of laser measurement had been confused with accuracy, and a sampling bias had created a substantially deviant wrong answer with high precision.  Once we got the staff to only round up 1/100", the customer got all the savings they had forecast, and the scrap pile was nothing but sawdust. (In the Hollywood version, I probably would have gotten a mahogany and teak inlaid armoire in appreciation.)

Yes, numbers can DEFINITELY lie, because the context gets twisted.

You have to look VERY carefully at what the number is reporting.  So, if you'll indulge me, let me tell the truth, while providing misleading statistics that would enable me to lie.

Example: You're picking participants for a research project, and you want to include a person with little experience in their field, and a person with a lot of experience.

Given the following, who do you choose?

1. Amanda's full-time experience spans 3 decades.
2. Bob has worked as a security guard for the Archdiocese for 32 years.
3. Chris logged 300,000 miles this year as a trucker.
4. Doug was Police Chief in Columbus for 15 years.
5. Emily served as a judge for 27 years.

In order, who had the most experience, from least to most?

------

you know how this works.

I have to add space.

If I don't, your eyeballs will immediately jump to the answer.

------

So, examine the statistics provided carefully, then see if you agree...

1. Amanda's full-time experience spans 3 decades.
2. Bob has worked as a security guard for the Archdiocese for 32 years.
3. Chris logged 300,000 miles this year as a trucker.
4. Doug was Police Chief in Columbus for 15 years.
5. Emily served as a judge for 27 years.

In order, who had the most experience, from least to most?

Answer:

Chris, Emily, Bob, Amanda, Doug.  (3, 5, 2, 1, 4)

How?

1. Chris is a trucker, hired this morning, and helped organize the records for the company today, documenting 300,000 miles of travels for the company.  It took her an hour to log those trips.
2. Emily has been judge of the church bake competition for 27 years.  This takes her an hour a year at the annual church picnic.  She has 27 hours experience, 27x more than Chris.
3. Bob works as security guard for the annual Archdiocese Casino Day fund-raiser, watching the cash box.  He has 32 days experience spread across 32 years, more than 25x more experience than Emily.
4. Amanda has 12 years experience, from 1999-2011, even though, on first reading, you might think she has 30+ years.  Her experience spans 3 decades, the '90s, '00s, and '10s.
5. Doug has 15 years experience as Police Chief, working 42 hours a week, for 15 years full-time experience.

I point this out, because I've seen these kinds of statistical lies in my career.  :-)

Dash Cam Evidence

My understanding is that it is common practice in many (most?) police forces that the dash-cam evidence be used by the officer to create an official written report of the offense, and then the tape is willfully and intentionally deleted, since it could contain evidence that could call into questions the actions of the officer.  I find this repugnant, yet I understand it has been upheld, provided the video evidence was destroyed as a normal and routine event in accordance with departmental guidelines.  

Here is one case where the dash-cam evidence of police abuse set aside felony charges against a civilian and caused Canton police officer Daniel Harless to be fired, for many abuses and a pattern of that behavior that seems to have been documented via video several times:  http://www.ohio.com/news/local/canton-fires-verbally-abusive-police-officer-1.254697

Here are a few videos showing the offense, interesting watching - note lots of F-Bombs here, NSFW: 

This video starts several minutes into the police stop, after the driver had tried repeatedly to tell the officers searching the back seat that he was legally carrying a firearm as a licensed CHL holder: http://www.youtube.com/watch?v=UkHQuyEQze4

Long version of same, showing the complete stop  http://www.youtube.com/watch?v=kassP7zI0qc

Harless busted again for issuing death threats during police stop: http://www.youtube.com/watch?v=GpC3-2ATmIo

This is the kind of thing the FOP lobbies against, and one of the reasons video evidence is routinely erased.