Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Finding Hay in a Haystack

The London police arrested and held overnight a man who met their definition of a terrorist. Unfortunately, their definition of what constitutes a terrorist is pretty broad, and could include just about anybody taking public transportation. In this case, the man was "wearing a jacket 'too warm for the season'" while using a cell phone. I believe in relying on humans to catch suspicious behavior — the plot to detonate a bomb in LAX was foiled by an alert customs agent who felt the suspect looked "hinky." The problem comes when you define suspicious behavior so broadly that you can't find the real terrorists for all the innocent people caught up in your dragnet.
This kind of overload of suspicious behavior is a problem for computer security as well. Windows system administrators are familiar with Event Viewer, the centralized, catch-all logging tool for Windows servers. It contains thousands of entries at any given moment, some important, most not. While there is the ability to flag entries as critical, the most useful information is in the non-critical entries. For instance, a critical error could be a message saying that a user tried to log in with an invalid password. This indicates that the system is working correctly — the system should reject invalid logins. Real problems are caused when the system is working incorrectly. Information about this is frequently mired in the non-critical entries, if it is logged at all. One of the major features we are working on for the next major version of Elektron is better reporting and management of the deluge of information that can be generated, so that system administrators can access the server data they need when they need it.
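As an added illustration of the point above (this is example code written for these notes, not code from the post or from Elektron), here is a small Python triage over constructed Windows-style event records. A severity-only filter returns nothing but the expected bad-password errors, while ranking entries by how rarely their event ID occurs surfaces the single informational entry an administrator would actually want to look at. The event IDs, messages and the `max_count` threshold are constructed sample data and assumptions, not output from any real server.

```python
from collections import Counter

# Constructed sample of Windows-style event records (not real log data):
# each entry is (level, event_id, message).
SAMPLE_EVENTS = [
    ("Error", 529, "Logon failure: bad password for user alice"),
    ("Error", 529, "Logon failure: bad password for user bob"),
    ("Error", 529, "Logon failure: bad password for user carol"),
    ("Information", 528, "Successful logon for user alice"),
    ("Information", 528, "Successful logon for user bob"),
    ("Information", 7036, "The Print Spooler service entered the running state"),
    ("Information", 7036, "The Print Spooler service entered the running state"),
    ("Information", 612, "Audit policy changed: logon auditing disabled"),
    ("Information", 528, "Successful logon for user carol"),
]


def by_severity(events, levels=("Error", "Critical")):
    """Naive triage: keep only entries flagged at the given severity levels.

    On the sample above this returns only the bad-password errors, which
    show the system rejecting invalid logins as it should.
    """
    return [e for e in events if e[0] in levels]


def by_rarity(events, max_count=1):
    """Frequency triage: keep entries whose event ID occurs at most max_count
    times in the window, regardless of severity flag.

    Routine noise (repeated successful logons, repeated service-state
    notices, repeated failed logons) drops out; the one-off audit-policy
    change, logged only as "Information", is what remains.
    """
    counts = Counter(event_id for _, event_id, _ in events)
    return [e for e in events if counts[e[1]] <= max_count]


if __name__ == "__main__":
    for label, result in (("severity", by_severity(SAMPLE_EVENTS)),
                          ("rarity", by_rarity(SAMPLE_EVENTS))):
        print(f"--- {label} filter ({len(result)} entries) ---")
        for level, event_id, message in result:
            print(f"{level:<12} {event_id:>5}  {message}")
```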
By Periodik Labs on September 27, 2005 7:24 PM |