The feeling of being watched causes greater honesty

From “Big Brother eyes ‘boost honesty’” (BBC News: 28 June 2006):

The feeling of being watched makes people act more honestly, even if the eyes are not real, a study suggests.

A Newcastle University team monitored how much money people put in a canteen “honesty box” when buying a drink.

They found people put nearly three times as much in when a poster of a pair of eyes was put above the box than when the poster showed flowers.

The brain responds to images of eyes and faces and the poster may have given the feeling of being watched, they say. …

Dr Melissa Bateson, a behavioural biologist from Newcastle University and the lead author of the study, said: “We found that people paid 2.76 times as much money when we put a notice on the wall that featured a pair of eyes as opposed to when the image was of some flowers.”


Microsoft: only way to deal with malware is to wipe the computer

From Ryan Naraine’s “Microsoft Says Recovery from Malware Becoming Impossible” (eWeek: 4 April 2006):

In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

“When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit,” Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. “In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast,” Danseglio added.

… “We’ve seen the self-healing malware that actually detects that you’re trying to get rid of it. You remove it, and the next time you look in that directory, it’s sitting there. It can simply reinstall itself,” he said.

“Detection is difficult, and remediation is often impossible,” Danseglio declared. “If it doesn’t crash your system or cause your system to freeze, how do you know it’s there? The answer is you just don’t know. Lots of times, you never see the infection occur in real time, and you don’t see the malware lingering or running in the background.”

… Danseglio said the success of social engineering attacks is a sign that the weakest link in malware defense is “human stupidity.”

“Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity,” he said.


Why the color-coded threat alert system fails

From Bruce Schneier’s “Color-Coded Terrorist Threat Levels” (Crypto-Gram Newsletter: 15 January 2004):

The color-coded threat alerts issued by the Department of Homeland Security are useless today, but may become useful in the future. The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alerts levels: Green, Blue, Yellow, Orange, and Red. The difference is that the DEFCON system is tied to particular procedures; military units have specific actions they need to perform every time the DEFCON level goes up or down. The color-alert system, on the other hand, is not tied to any specific actions. People are left to worry, or are given nonsensical instructions to buy plastic sheeting and duct tape. Even local police departments and government organizations largely have no idea what to do when the threat level changes. The threat levels actually do more harm than good, by needlessly creating fear and confusion (which is an objective of terrorists) and anesthetizing people to future alerts and warnings. If the color-alert system became something better defined, so that people know exactly what caused the levels to change, what the change means, and what actions they need to take in the event of a change, then it could be useful. But even then, the real measure of effectiveness is in the implementation. Terrorist attacks are rare, and if the color-threat level changes willy-nilly with no obvious cause or effect, then people will simply stop paying attention. And the threat levels are publicly known, so any terrorist with a lick of sense will simply wait until the threat level goes down.

Living under Orange reinforces this. It didn’t mean anything. Tom Ridge’s admonition that Americans “be alert, but go about their business” reinforces this; it’s nonsensical advice. I saw little that could be considered a good security trade-off, and a lot of draconian security measures and security theater.


A big benefit of open source: better learning & teaching

From Jon Udell’s “Open source education” (InfoWorld: 7 June 2006):

Open source software development, to a degree unmatched by any other modern profession, offers apprentices the opportunity to watch journeymen and masters at work, to interact with them, and to learn how they think, work, succeed, and fail. Transparency and accountability govern not only the production of source code but also the companion processes of design, specification, testing, maintenance, and evaluation. …

It’s typical of many professions to cultivate an aura of infallibility and monopoly control of information. Open source doesn’t work that way. There are prima donnas, to be sure, but the culture requires practitioners to show their cards, and it erodes information monopolies. Shared code is just the tip of the iceberg. Below the waterline, there’s a vast body of shared knowledge and tradition, grounded in what Tim O’Reilly calls an architecture of participation.

We’ve come to see open source as an economic innovation. Cooperative production of commodity infrastructure paves the way for competitive production of high-value products and services. Perhaps we’ll someday see open source as an educational innovation, too. Cooperative production of shared knowledge isn’t just a by-product. When apprentices, journeymen, and masters engage in a continuous cycle of learning and teaching, an old approach to education is made new again.


‘Thomas Crown Affair! Thomas Crown Affair!’

From Improv Everywhere’s “Missions: Best Buy” (23 April 2006):

Agent Slavinsky wrote in to suggest I get either a large group of people in blue polo shirts and khakis to enter a Best Buy or a group in red polo shirts and khakis to enter a Target. Wearing clothing almost identical to the store’s uniform, the agents would not claim to work at the store but would be friendly and helpful if anyone had a question. There aren’t any Targets in Manhattan, so I decided to go with the two-story Best Buy on 23rd Street. …

We met at Union Square North at 3:30 PM. Around 80 agents showed up, most of them looking like wonderful Best Buy employees. …

The reaction from the employees was pretty typical as far as our missions go. The lower level employees laughed and got a kick out of it while the managers and security guards freaked out. …

Security guards and managers started talking to each other frantically on their walkie-talkies and headsets. “Thomas Crown Affair! Thomas Crown Affair!,” one employee shouted. They were worried that we were using our fake uniforms to stage some type of elaborate heist. “I want every available employee out on the floor RIGHT NOW!”


The Piraha language of Brazil

From Wikipedia’s “Pirahã language”:

The Pirahã language is a language spoken by the Pirahã – an indigenous people of Amazonas, Brazil, who live along the Maici river, a tributary of the Amazon.

Pirahã is believed to be the only surviving member of the Mura language family, all other members having become extinct in the last few centuries. It is therefore a language isolate, without any known connection to other languages. Despite having only ~150 speakers as of 2004, in eight villages along the Maici, it is not itself in immediate danger of extinction, as language use is vigorous and the Pirahã community is monolingual. …

Unusual features of Pirahã include:

  • One of the smallest phoneme inventories of any known language …, and a correspondingly high degree of allophonic variation, including two very rare sounds …
  • The pronunciation of several phonemes depends on the speaker’s sex.
  • An extremely limited clause structure.
  • No grammatical numerals, not even “one” or “two”; the closest the language comes to numerals are general quantity words like [“a few”, “some”, and “many”].
  • No abstract color words other than terms for light and dark.
  • Few specific kin terms; one word covers both “father” and “mother” [and they appear not to keep track of relationships any more distant than biological siblings.]
  • The entire set of personal pronouns appears to have been borrowed from Nheengatu, the Tupi-based lingua franca. Although there is no documentation of a prior stage of Pirahã, the close resemblance of the Pirahã pronouns to those of Nheengatu makes any other hypothesis improbable.
  • Pirahã can be whistled, hummed, or encoded in music.

The occurrence of so many unusual linguistic features in a single language is remarkable.


Checking papers does no good if the papers are forged

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 April 2006):

Undercover investigators were able to smuggle radioactive materials into the U.S. It set off alarms at border checkpoints, but the smugglers had forged import licenses from the Nuclear Regulatory Commission, based on an image of the real document they found on the Internet. Unfortunately, the border agents had no way to confirm the validity of import licenses. I’ve written about this problem before, and it’s one I think will get worse in the future. Verification systems are often the weakest link of authentication. Improving authentication tokens won’t improve security unless the verification systems improve as well.


America, the failed state

From Noam Chomsky’s “Why It’s Over For America” (The Independent: 30 May 2006):

… the fear, which cannot casually be put aside, that, as Gar Alperowitz puts it in America Beyond Capitalism, “the American ‘system’ as a whole is in real trouble – that it is heading in a direction that spells the end of its historic values [of] equality, liberty, and meaningful democracy.”

The “system” is coming to have some of the features of failed states, to adopt a currently fashionable notion that is conventionally applied to states regarded as potential threats to our security (like Iraq) or as needing our intervention to rescue the population from severe internal threats (like Haiti). Though the concept is recognized to be, according to the journal Foreign Affairs, “frustratingly imprecise,” some of the primary characteristics of failed states can be identified. One is their inability or unwillingness to protect their citizens from violence and perhaps even destruction. Another is their tendency to regard themselves as beyond the reach of domestic or international law, and hence free to carry out aggression and violence. And if they have democratic forms, they suffer from a serious “democratic deficit” that deprives their formal democratic institutions of real substance. …

Declarations of noble intent by systems of power are rarely complete fabrication, and the same is true in this case. Under some conditions, forms of democracy are indeed acceptable. Abroad, as the leading scholar-advocate of “democracy promotion” concludes, we find a “strong line of continuity”: democracy is acceptable if and only if it is consistent with strategic and economic interests (Thomas Carothers). In modified form, the doctrine holds at home as well. …

The persistence of the strong line of continuity to the present again reveals that the United States is very much like other powerful states. It pursues the strategic and economic interests of dominant sectors of the domestic population, to the accompaniment of rhetorical flourishes about its dedication to the highest values. That is practically a historical universal, and the reason why sensible people pay scant attention to declarations of noble intent by leaders, or accolades by their followers.


How doctors measure what percentage of your body is burned

From Daniel Engber’s “How Much of Me Is Burned?” (Slate: 11 July 2006):

In the 1950s, doctors developed an easy way to estimate the ratio of the area of a patient’s burns to the total area of his skin. The system works by assigning standard percentages to major body parts. (Most of these happen to be multiples of nine.) The skin on each arm, for example, covers 9 percent of a patient’s total surface area. Each leg comprises 18 percent, as do the front and back of the torso. The head and neck together make up another 9 percent, and the last bit (or 1 percent) covers the genitalia and perineum. This breakdown makes it easy for doctors to estimate the size of a burn in relation to a body—a burn that covered half the arm would add 4 or 5 percent to the total figure. …

Another method uses the size of a patient’s palm as a reference. As a general rule, the skin on the palm of your hand comprises 0.5 percent of your total surface area. (For children, it’s 1 percent.) A doctor can check the size of a patient’s hand and compare it with the size of a burn to make a quick guess about the percentage.


Spy on no-good boss and lose your job

From Melissa Meagher’s “State Worker Spies on Boss, Loses His Job”:

For 22 years, [Vernon] Blake was a System Administrator for the Alabama Department of Transportation. It was a job he loved, with the exception of his supervisor. …

The running joke around the office? The boss blew off meetings and projects to play games on his computer. Cartoons secretly circled The Right of Way Bureau, jabbing at George Dobbs’ Solitaire habit. Dobbs is a 24-year veteran with the DOT and rakes in $67,000 a year. …

Without proof, Blake felt his accusations would get him nowhere. That’s when he turned to Win-Spy, a free version of spyware, to tap his boss’s computer.

“My motive was to document well known behavior that already existed.”

For seven months, at random times of the day, the software captured pictures of Dobbs’ computer screen. …

Here’s what he found. Blake says less than 10% of his boss’s computer time, documented by Win-Spy, was spent working. Twenty percent was spent checking the stock market. And 70% of what the spyware recorded was the game of Solitaire. …

But DOT didn’t see it that way. When Blake showed them what he found, he was fired. His supervisor got a letter of reprimand, stating “It was brought to the Department’s attention you spent a significant amount of time playing video games… but your work ethic and production are above reproach.” …

It’s worth noting after Blake lost his job, DOT had all computer games, including Solitaire, removed from its system.


FBI used OnStar for surveillance

From Charles R. Smith’s “Big Brother on Board: OnStar Bugging Your Car”:

GM cars equipped with OnStar are supposed to be the leading edge of safety and technology. …

However, buried deep inside the OnStar system is a feature few suspected – the ability to eavesdrop on unsuspecting motorists.

The FBI found out about this passive listening feature and promptly served OnStar with a court order forcing the company to give it access. The court order the FBI gave OnStar was not something out of the Patriot Act involving international terrorism or national security but a simple criminal case.

According to court records, OnStar complied with the order but filed a protest lawsuit against the FBI.

Yet the FBI was able to enforce the original legal order and completed its surveillance because OnStar’s lawsuit took nearly two years to pass through the court system.

The 9th Circuit Court of Appeals recently ruled in OnStar’s favor. The ruling was not based on invasion-of-privacy grounds or some other legitimate constitutional basis. The FBI lost because the OnStar passive listening feature disables the emergency signal, the very life-saving call for help that the advertisements tout as the main reason to purchase the system. …

The technical problem of blocking the emergency signal is clearly one that the FBI tech teams can overcome. Thus, under the current ruling, the FBI can resume using OnStar to monitor subject vehicles once it has solved the emergency issue.


PATRIOT Act greatly expands what a ‘financial institution’ is

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 January 2004):

Last month Bush snuck into law one of the provisions of the failed PATRIOT ACT 2. The FBI can now obtain records from financial institutions without requiring permission from a judge. The institution can’t tell the target person that his records were taken by the FBI. And the term “financial institution” has been expanded to include insurance companies, travel agencies, real estate agents, stockbrokers, the U.S. Postal Service, jewelry stores, casinos, and car dealerships.


Camouflaged weapons

From Noah Shachtman’s “Chameleon Weapons Defy Detection” (Defense Tech: 27 March 2006):

Last week I talked to Anthony Taylor, managing partner of an outfit which makes weapons which can be hidden in plain sight. You can be looking right at one without realizing what it is.

One type is the exact size and shape of a credit card, except that two of the edges are lethally sharp. It’s made of G10 laminate, an ultra-hard material normally employed for circuit boards. You need a diamond file to get an edge on it.

Taylor suggests that the card could easily be camouflaged as an ID card or one of the many other bits of plastic that clutter up the average wallet. Each weapon is individually handmade so they can be tailored to the user’s requirements.

Another configuration is a stabbing weapon which is indistinguishable from a pen. This one is made from melamine fiber, and can sit snugly inside a Bic casing. You would only find out it was not the real thing if you tried to write with it. It’s sharpened with a blade edge at the tip which Defense Review describes as “scary sharp.” …

According to one gun magazine, the CIA has had a ceramic handgun firing caseless non-metallic ammo for years.


A new fraud: faking an entire company

From David Lague’s “Next step in pirating: Faking a company” (International Herald Tribune: 28 April 2006):

At first it seemed to be nothing more than a routine, if damaging, case of counterfeiting in a country where faking it has become an industry.

Reports filtering back to the Tokyo headquarters of the Japanese electronics giant NEC in mid-2004 alerted managers that pirated keyboards and recordable CD and DVD discs bearing the company’s brand were on sale in retail outlets in Beijing and Hong Kong.

Like hundreds, if not thousands, of manufacturers now locked in a war of attrition with intellectual property thieves in China, the company hired an investigator to track down the pirates.

After two years and thousands of hours of investigation in conjunction with law enforcement agencies in China, Taiwan and Japan, the company said it had uncovered something far more ambitious than clandestine workshops turning out inferior copies of NEC products. The pirates were faking the entire company.

Evidence seized in raids on 18 factories and warehouses in China and Taiwan over the past year showed that the counterfeiters had set up what amounted to a parallel NEC brand with links to a network of more than 50 electronics factories in China, Hong Kong and Taiwan.

In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – everything from home entertainment centers to MP3 players. They also coordinated manufacturing and distribution, collecting all the proceeds.

The Japanese company even received complaints about products – which were of generally good quality – that they did not make or provide with warranties.

NEC said it was unable to estimate the total value of the pirated goods from these factories, but the company believed the organizers had “profited substantially” from the operation.

“These entities are part of a sophisticated ring, coordinated by two key entities based in Taiwan and Japan, which has attempted to completely assume the NEC brand,” said Fujio Okada, the NEC senior vice president and legal division general manager, in written answers to questions.


Some surprising data isn’t encrypted in ATM transfers

From “Triple DES Upgrades May Introduce New ATM Vulnerabilities” (Payment News: 13 April 2006):

In a press release today, Redspin, an independent auditing firm based in Carpinteria, CA, suggests that the recent mandated upgrades of ATMs to support triple DES encryption of PINs has introduced new vulnerabilities into the ATM network environment – because of other changes that were typically made concurrently with the triple DES upgrades.

<begin press release>Redspin, Inc. has released a white paper detailing the problem. Essentially, unencrypted ATM transaction data is floating around bank networks, and bank managers are completely unaware of it. The only data from an ATM transaction that is encrypted is the PIN number.

“We were in the middle of an audit, looking at network traffic, when there it was, plain as day. We were surprised. The bank manager was surprised. Pretty much everyone we talk to is surprised. The card number, the expiration date, the account balances and withdrawal amounts, they all go across the networks in cleartext, which is exactly what it sounds like — text that anyone can read,” explained Abraham.

Ironically, the problem came about because of a mandated security improvement in ATMs. The original standard for ATM data encryption (DES) was becoming too easy to crack, so the standard was upgraded to Triple DES. Like any home improvement project, many ATM upgrades have snowballed to include a variety of other enhancements, including the use of transmission control protocol/Internet protocol (TCP/IP) — moving ATMs off their own dedicated lines, and on to the banks’ networks. …

A hacker tapping into a bank’s network would have complete access to every single ATM transaction going through the bank’s ATMs.<end press release>


It’s alright to fail at a startup when you’re young

From Paul Graham’s “Hiring is Obsolete” (May 2005):

The math is brutal. While perhaps 9 out of 10 startups fail, the one that succeeds will pay the founders more than 10 times what they would have made in an ordinary job. That’s the sense in which startups pay better “on average.”

Remember that. If you start a startup, you’ll probably fail. Most startups fail. It’s the nature of the business. But it’s not necessarily a mistake to try something that has a 90% chance of failing, if you can afford the risk. Failing at 40, when you have a family to support, could be serious. But if you fail at 22, so what? If you try to start a startup right out of college and it tanks, you’ll end up at 23 broke and a lot smarter. Which, if you think about it, is roughly what you hope to get from a graduate program.


Why big co’s are bad at creating new products

From Paul Graham’s “Hiring is Obsolete” (May 2005):

Buying startups also solves another problem afflicting big companies: they can’t do product development. Big companies are good at extracting the value from existing products, but bad at creating new ones.

Why? It’s worth studying this phenomenon in detail, because this is the raison d’etre of startups.

To start with, most big companies have some kind of turf to protect, and this tends to warp their development decisions. For example, Web-based applications are hot now, but within Microsoft there must be a lot of ambivalence about them, because the very idea of Web-based software threatens the desktop. So any Web-based application that Microsoft ends up with, will probably, like Hotmail, be something developed outside the company.

Another reason big companies are bad at developing new products is that the kind of people who do that tend not to have much power in big companies (unless they happen to be the CEO). Disruptive technologies are developed by disruptive people. And they either don’t work for the big company, or have been outmaneuvered by yes-men and have comparatively little influence.

Big companies also lose because they usually only build one of each thing. When you only have one Web browser, you can’t do anything really risky with it. If ten different startups design ten different Web browsers and you take the best, you’ll probably get something better.

The more general version of this problem is that there are too many new ideas for companies to explore them all. There might be 500 startups right now who think they’re making something Microsoft might buy. Even Microsoft probably couldn’t manage 500 development projects in-house.

Big companies also don’t pay people the right way. People developing a new product at a big company get paid roughly the same whether it succeeds or fails. People at a startup expect to get rich if the product succeeds, and get nothing if it fails. So naturally the people at the startup work a lot harder.

The mere bigness of big companies is an obstacle. In startups, developers are often forced to talk directly to users, whether they want to or not, because there is no one else to do sales and support. It’s painful doing sales, but you learn much more from trying to sell people something than reading what they said in focus groups.

And then of course, big companies are bad at product development because they’re bad at everything. Everything happens slower in big companies than small ones, and product development is something that has to happen fast, because you have to go through a lot of iterations to get something good.


Jobs are unnecessary – just build something valuable

From Paul Graham’s “Hiring is Obsolete” (May 2005):

I think most undergrads don’t realize yet that the economic cage is open. A lot have been told by their parents that the route to success is to get a good job. This was true when their parents were in college, but it’s less true now. The route to success is to build something valuable, and you don’t have to be working for an existing company to do that. Indeed, you can often do it better if you’re not.


It’s hard to judge the young, but the market can

From Paul Graham’s “Hiring is Obsolete” (May 2005):

It’s hard to judge the young because (a) they change rapidly, (b) there is great variation between them, and (c) they’re individually inconsistent. That last one is a big problem. When you’re young, you occasionally say and do stupid things even when you’re smart. So if the algorithm is to filter out people who say stupid things, as many investors and employers unconsciously do, you’re going to get a lot of false positives. …

The market is a lot more discerning than any employer. And it is completely non-discriminatory. On the Internet, nobody knows you’re a dog. And more to the point, nobody knows you’re 22. All users care about is whether your site or software gives them what they want. They don’t care if the person behind it is a high school kid.
