This is Not a Step

Schneier on Security: Risk Intuition

“We have to make people understand the [security] risks,” he said.

It seems to me that his co-workers understand the risks better than he does. They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren’t serious.

Doctor Obvious, Come Here … Slowly

Higher Speed Limits Cost Lives, Researchers Find

“This is a failed policy because it was, in essence, an experiment over 10 years. People assumed that increasing the speed limit would not have an impact,” said Friedman. “We’ve shown that something has happened and it’s quite dramatic.”

Umm, really? People assumed that driving faster, with the associated reduction in time to react and increase in collision energy, would have no effect? I think people wanted the higher speed limit despite the higher risk it entailed, in part because of other safety advances.

Friedman uses the example of the 3,000 people who died in the September 11th terrorist attacks.

“That tragic event has led to a whole foreign policy,” he said. “We estimate that approximately 12,500 people died as a result of a policy to deregulate speed enforcement — four times what happened on September 11th — and yet changing the policy to reduce speed limits may be very difficult.”

What they don’t say is that despite the extra ~1250 deaths per year from the higher speed, overall deaths have fallen, and the rate per vehicle-mile has dropped dramatically over the years. Per mile traveled, you’re about half as likely to die as compared to 1980.

[Chart: trafficstats (NHTSA traffic fatality statistics), from this NHTSA PDF]

The problem with simply presenting a number is that there is no basis for a valid comparison; the apples-to-oranges 9/11 fatality count is given instead. The graph shows about 15,000 fatalities per year currently, which makes the extra deaths a 9% increase. That figure also discounts other influences, such as more cars on the road and more miles being traveled, which is what the fatality rate statistic captures. (Though that rate can be influenced by many things as well.)

A more meaningful analysis might go something like this. My upcoming vacation will entail me driving perhaps 1,000 miles. I can drive slower if I choose, but I have to consider whether the half-hour of travel time saved is worth the added risk. Since being on the road for ~8 hours means fatigue comes into play, it might actually be safer to cut down on the travel time. If the fatality rate is 2 per 100 million miles, this means a statistical chance of 0.002%, which is quite small. And we’re talking about increasing this by 10%, to 0.0022%. The sin-by-omission in the article has you focusing on the dramatic large number rather than the overall picture.

I Dare You to Steal this Story

Ralph Nader with a slim jim.

The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit

Thinking like a criminal is Tobias’ idea of fun. It makes him laugh. It has also made him money and earned him a reputation as something of the Rain Man of lock-breaking. Even if you’ve never heard of Tobias, you may know his work: He’s the guy who figured out how to steal your bike, unlock your front door, crack your gun lock, blow up your airplane, and hijack your mail. Marc Weber Tobias has a name for the headache he inflicts on his targets: the Marc Weber Tobias problem.

Lock-breaking is equal parts art and science. So is the ability to royally piss people off. Tobias is a veritable da Vinci at both endeavors. His Web site’s streaming video of prepubescent kids gleefully opening gun locks has won him no points with mothers or locksmiths, and his ideas about how to smuggle liquid explosive reagents onto commercial airlines spookily presaged the Transportation Security Administration’s prohibitions against carry-on liquids. Over the past 20 years, Tobias has been threatened by casinos, banned from hotel chains, and bullied by legions of corporate lawyers. And enjoyed every minute of it.

I don’t know which is worse: the ones who overplay the threat to make us afraid, or (as in the story) the ones who overplay the quality of security to make us feel safe.

Which One was 'Big X'?

Prairie dogs return to Md. Zoo. Keepers scramble as animals try to escape.

When the animals were let out of their crates into their new habitat Wednesday, not all sought to escape. More than a few seemed happy to take a noontime siesta. Others were more interested in a lunch of biscuits, kale, apples, carrots, alfalfa hay and mulberry leaves.

But a few intrepid prairie dogs tried to find their way out, sending keepers scrambling to plug escape routes.

The one that looked like Steve McQueen managed to steal a motorcycle, but didn’t make it out.

The American Way

Anti-Terrorist Fantasy Dream Team on the Case

“I believe a fictional threat is best met with decisive fictional force,” explained President Obama. “Jack Bauer and Wolverine are among the very best we have when it comes to combating fantasy foes.” Mr. Bauer said, “We’re quite certain that our prisons are secure. Osama bin Laden and his agents wouldn’t dare attempt a break-out, and would fail miserably if they tried. But I love this country. And should Lex Luthor, Magneto or the Loch Ness Monster attack, we’ll be there to stop them.”
[…]
Republican Newt Gingrich also condemned the president’s actions. “President Obama seems to think that crapping one’s pants is a bad thing somehow,” said the former Speaker of the House, “but crapping one’s pants is what this country was founded on. The Reagan Revolution wouldn’t have happened without fear of evil Soviets and welfare queens. And say what you will about President Bush, he kept this country crapping its pants for seven long years after 9/11.”

via

Security and Usability

Balancing Security and Usability in Authentication

In most cases, how an authentication system works when a legitimate user tries to log on is much more important than how it works when an impostor tries to log on. No security system is perfect, and there is some level of fraud associated with any of these authentication methods. But the instances of fraud are rare compared to the number of times someone tries to log on legitimately. If a given authentication system let the bad guys in one in a hundred times, a bank could decide to live with the problem—or try to solve it in some other way. But if the same authentication system prevented legitimate customers from logging on even one in a thousand times, the number of complaints would be enormous and the system wouldn’t survive one week.

Balancing security and usability is hard, and many organizations get it wrong. But it’s also evolving; organizations needing to tighten their security continue to push more involved authentication methods, and more savvy Internet users are willing to accept them. And certainly IT administrators need to be leading that evolutionary change.

In my experience, systems that have a captive audience rather than a voluntary one (e.g. employees vs. customers) are much less likely to care about usability, in security and in general, since they can go Nike on you and say, “Just do it.”

related:

Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)

— Kaufman, Perlman, and Speciner

The DiHydrogen Monoxide Effect

If It’s Difficult to Pronounce, It Must Be Risky.

ABSTRACT: Low processing fluency fosters the impression that a stimulus is unfamiliar, which in turn results in perceptions of higher risk, independent of whether the risk is desirable or undesirable. In Studies 1 and 2, ostensible food additives were rated as more harmful when their names were difficult to pronounce than when their names were easy to pronounce; mediation analyses indicated that this effect was mediated by the perceived novelty of the substance. In Study 3, amusement-park rides were rated as more likely to make one sick (an undesirable risk) and also as more exciting and adventurous (a desirable risk) when their names were difficult to pronounce than when their names were easy to pronounce.

I assume this is related to “the risk of the unknown is often overestimated,” in that something difficult to pronounce is deemed “more unknown” than something that’s easy to pronounce.

via Schneier

And some interesting comments there — would you rather drink water distilled from urine or taken from a mountain stream?