Archive for the 'security' Category


Security holes

Today, Jeff Atwood posted about social engineering as the ur-vulnerability in computer systems.  The crackers he profiles, Kevin Mitnick and “Max”, aren’t emotionally-stunted keyboard jockeys but rather masterful (or at least highly effective) manipulators.  Atwood writes:

One of the most striking things about Ghost In The Wires is not how skilled a computer hacker Kevin Mitnick is (although he is undeniably great), but how devastatingly effective he is at tricking people into revealing critical information in casual conversations. Over and over again, in hundreds of subtle and clever ways. Whether it’s 1985 or 2005, the amount of military-grade security you have on your computer systems matters not at all when someone using those computers clicks on the dancing bunny. Social engineering is the most reliable and evergreen hacking technique ever devised. It will outlive us all.

(Emphasis in the original.)


Bruce Schneier has written about bomb threats as a social denial-of-service attack.  Sometimes this happens inadvertently, as with this “suspicious package” left on a bus in Victoria.  False threats and accusations are nothing new, of course: It costs very little to conjure up a threat, and the more extensive the response, the better the cost:benefit ratio looks to whoever made the threat.  Commenter Mark on the Schneier post points out that the IRA did this in Britain in 1997.


Yesterday, news that an American-Israeli real-estate magnate named Sam Bacile was filming a five million-dollar  “documentary” based mostly around the principle of insulting Mohammed (possibly in cahoots with noted American asshat and pain in the ass to civil libertarians everywhere Terry Jones) brought about attacks on the American embassy in Egypt and consulate in Benghazi.  People were killed, more people were hurt, shit was broken, and even otherwise-reasonable commentators were driven to bay for blood.

Now it turns out that “Sam Bacile” is at best a pseudonym and quite likely, along with the movie itself, a complete fabrication.  Care to wager on whether this was a false-flag operation?  Spend a few thousand dollars on a shitty movie trailer, do a shitty overdub to make it offensive to Muslims, release it on September 11th, and hope someone gets stupid.  At the very least you can expect to keep this particular culture war simmering right along, and there’s a nonzero chance that you can incite some serious violence and a major international incident.  No poker player in the world would fail to bet at those odds.


Can someone explain to me why this isn’t asinine?

Radley Balko finds a headline-of-the-day contender:

WATERLOO, Iowa — A Waterloo teenager accused of setting fire to some bags of beef jerky at a Walgreen’s store faces a first-degree arson charge.

Police say a clerk found the smoking packages on the shelves Tuesday afternoon and put out the fire by blowing on it. The fire didn’t spread and there was no damage to the store.

Of all the things you can light on fire in a Walgreen’s, beef jerky seems like the least likely to actually catch.  It’s not like they make it with FOOF or something.  But leaving aside the deficiencies in our little pyromaniac’s education — first degree arson?  Really?  Read that second paragraph again.

Now, my first thought was that Iowa, out of an entertainingly gruesome sense of metaphor, might classify arson the same way as burns: from first degree as a subclinical ouchie to third- and fourth-degree as devastating structural damage.  But a quick google search uncovers a few other cases of first-degree arson charges in Waterloo, all of which are of the “burn your house down for the insurance money” level of severity.  Compare and contrast.

Srsly, Waterloo?


PotD: Schneier on the sociology of security

Bruce Schneier explains the big idea behind his new book, Liars and Outliers.

It’s all about trust, really. Not the intimate trust we have in our close friends and relatives, but the more impersonal trust we have in the various people and systems we interact with in society. I trust airline pilots, hotel clerks, ATMs, restaurant kitchens, and the company that built the computer I’m writing this short essay on. I trust that they have acted and will act in the ways I expect them to. This type of trust is more a matter of consistency or predictability than of intimacy.

Of course, all of these systems contain parasites. Most people are naturally trustworthy, but some are not. There are hotel clerks who will steal your credit card information. There are ATMs that have been hacked by criminals. Some restaurant kitchens serve tainted food. There was even an airline pilot who deliberately crashed his Boeing 767 into the Atlantic Ocean in 1999.



Rules of engagement and the force continuum

There’s this thing called the force continuum, which is useful for a number of reasons but in this case has a lot to do with proportionate response.  It starts at harsh language and ends somewhere in the realm of nuking the site from orbit.  This comes up in things like self-defence and police work: Generally speaking, lawful actors are only entitled to defend themselves with force commensurate to what their assailant is using.  If you’re yelling at me, I’m not entitled to hit you.  If you throw a punch at me, I might be entitled to hit you with an elbow, but not with a kukri — unless, perhaps, you have some friends along who are also throwing punches at me.

Force levels aren’t just based on weapons, either: They’re based on capabilities.  If a 97lb octogenarian swings a cane at me, it’s unlikely to count as a serious assault, and my reasonable options are walking away, harsh language, or — if for some reason I have to stick around — maybe some sort of “soft-hands” disarm.  If I swing a cane at a 97lb octogenarian, that’s well within the realm of lethal force to a reasonable-man standard, and he (or she) is perfectly justified in pulling out a snubbie and introducing my insides to my outsides.

None of this has any bearing on the presence of violence.  If that 97lb octogenarian is waving his cane at me and I’m yelling at him from a safe distance, there’s still force being brought to bear by both of us.  Not very much force, mind you, but we’re each trying to coerce the other into some unwanted course of action.  The force continuum is about how much violence is appropriate, not whether violence is appropriate.

Which makes the discussion surrounding stories like these, reported by Orin Kerr:

and this, from Radley Balko:

so frustrating.

In the first case, according to Kerr:

A protester in a red shirt proceeded to tear down the notices after the police left them, and he is heard screaming at the police: “Let them clean up the trash in the fucking parkway! It was your fucking trash, you fucking pigs!” The police then walked after the protester, who ran away from the police. A bunch of officers then surrounded the man, who started repeating that he had done nothing wrong. Two officers then went to grab him, but he resisted; after he continued to resist, a third officer tased him.

If you click through and watch the video, you can see a fairly slow-boil escalation.  The protester starts off as the aggressor (using the term in a very mild sense), tearing down notices and yelling insults.  The park police escalate by pursuing, surrounding, and attempting to detain him; he counters by evading and struggling to break the grasp of the officers trying to hold him.

The interesting question here is whether the third officer was justified in shooting him with a Taser when two other officers had him by the arms and he was more or less surrounded by LEOs (who were themselves more or less surrounded by other protesters).  I can see arguments on both sides of the question: On the one hand, I think Tasers are a lot more dangerous (read: higher up the force continuum) than a lot of official-type people care to admit, so this looks like unjustified escalation.  On the other hand, I can see how bringing a very quick end to a confrontation when surrounded by other Occupy protesters is a prudent move on the part of the park police, so perhaps escalating from grabs to Tasers was justified.  This is all Monday-morning quarterbacking, sure, but it’s important for setting down standards of force escalation that are predictable from both sides of the thin blue line.

That’s not what Orin wants to discuss, though.  He wants to justify (or not) the use of force at all —

My pet hypothesis is that most people recognize two competing narratives when it comes to police-citizen interaction. The first narrative is what you might call the equality narrative. The equality narrative posits that the police are just citizens who happen to wear uniforms, and they have no more right to get their way than anyone else. If an officer asks a person questions, for example, he doesn’t have to respond. Unless the officer orders him to stay put, he can walk away.

The second narrative is what I’ll call the inequality narrative. The inequality narrative posits that the police have special authority by virtue of being police officers, and that people interacting with the police have to recognize that special authority and should expect trouble if they don’t. If an officer decides to make an arrest, for example, the subject of the arrest can’t just decide he would rather not be arrested and try to resist the officer’s efforts.

I don’t see a contradiction here.  Police officers have special authority and special obligations — they can make We The People do what they say (within the confines of the law, at least — and that part’s important), but they’re obliged to march to the sound of the guns.  Given the choice between responding to violence with commensurate force and responding to violence by running the fuck away, I’m thrilled to be able to take the sensible second option, but police officers can’t do that.  The “inequality narrative” holds: Those park police had the authority to stop the red-shirted protester from tearing down notices.  The question is: When faced with what looks on video like rather low levels of violence, did they have any right to escalate to the Taser?  Unless the crowd was looking particularly riotous — and bear in mind that I wasn’t there, all I know is what I saw on YouTube — my guess is “no”.

The second story, well….

A Montara man walking two lapdogs off leash was hit with an electric-shock gun by a National Park Service ranger after allegedly giving a false name and trying to walk away, authorities said Monday.

The park ranger encountered Gary Hesterberg with his two small dogs Sunday afternoon at Rancho Corral de Tierra, which was recently incorporated into the Golden Gate National Recreation Area, said Howard Levitt, a spokesman for the park service.

Hesterberg, who said he didn’t have identification with him, allegedly gave the ranger a false name, Levitt said.

The ranger, who wasn’t identified, asked Hesterberg to remain at the scene, Levitt said. He tried several times to leave, and finally the ranger “pursued him a little bit and she did deploy her” electric-shock weapon, Levitt said. “That did stop him.” . . .

(Aside: There is a special place in hell for people who insert “did” into perfectly valid clauses that way.  Grr.)

You have to really stretch to see how Hesterberg even used force in this case.  (Technically, he fled from lawful detainment.  Maybe; it’s unclear whether park rangers have the authority to detain people for walking their dogs without a leash.)  The ranger escalated reasonably to harsh language… and then jumped right up to less-lethal force.  (Here, “less-lethal” means “probably won’t kill you, if you’re healthy and not impaired”.  Tasers have caused an awful lot of deaths, although I’m not convinced that the other options available at the not-quite-firearms slot on the force continuum are any better.)

Again, the more interesting question here is not whether the ranger had the authority to use violence against Hesterberg, but how much.  Harsh language?  Plausible.  Physical restraint?  Maybe.  At some point, I’d hope that a sense of proportion (“I’m risking a violent confrontation for a leash law violation”) would prevail: “Protect and Serve” does not mean “you have to win every argument ever”.


All linky, no thinky

Let’s start with some iconoclasm.  Here’s Aaron Carroll bringing the data-driven smackdown on the NTSB’s proposed in-car cellphone ban:

Looking at the NTSB’s own data, he finds that:

The first thing to note is that the vast majority of accidents (77%) don’t involve distractions. An additional 8% are categorized as “unknown if distracted”. Further large categories include “not reported” at 7% and “Distraction/Inattention, Details Unknown” at 3%. So that’s a total of 95% where there was no distraction, where it’s unknown if there was a distraction, or details of a distraction are unknown.


Are [cellphone-related distracted-driving incidents] there? Yes. But even combined together, they aren’t close to as risky as being “lost in thought”. Altogether, in 2010, 373 vehicles/drivers were linked to cell phone related distractions. That’s less than 1% of all of them.

Click through for graphs and sources.


More iconoclasm.  Here’s Mike Munger on the laptops-in-class issue:

Look, profs:  If you seriously find that most of your students are daydreaming, facebooking, or cruising porn sites (not that that’s a bad thing…), you might want to try an old and honorable solution.   Two words.




The fact is that laptops don’t waste students’ time; professors do.  Laptops are neutral tools.  If the professor brings up an interesting topic, the student can Google it, go to Wikipedia, or look up some extensions.  They can take notes with links to things that are useful.  Or, the student can get bored and go to her friend’s Facebook page and get distracted, thinking “That’s not a real puppy.  That’s too small to be a real puppy.”

Munger leaves unaddressed the argument that one distracted student with a laptop might distract other nearby students who’d prefer to pay attention rather than listen to low-volume porn, but in my experience that problem is independent of laptops.


Here’s Steve Landsburg on which majors make people assholes:

This just in: The study of physics makes people less compassionate. Data show that when cornered at a party by the inventor of a perpetual motion machine, physics majors are particularly unlikely to offer positive encouragement.

Also, the study of history leads to closed-mindedness. After taking an American history course, students become considerably less open to the idea that Millard Fillmore might have been Abraham Lincoln’s vice president.

That’s just the first half of the setup.  Click through for the punchline.


Next we discover that (surprise, surprise) being young and black in New York means constant harassment from the NYPD:

and also that (surprise, surprise) Kids These Days are still getting fucked by their parents’ generation:

Please take a moment to click through the “anarchocapitalist agitprop” links at the top of the sidebar, because obviously they’re not seeing enough use.


Finally, Frances Woolley dissects an exam question on Pigovian taxation:

Creepy thought:

Finally, it seems that some students really don’t believe that people are rational decision-makers, fully taking into account the long-term effects of their consumption choices. Even when people are only harming themselves, they support Pigouvian taxes on paternalistic grounds, to stop people from harming themselves.

Update: Eric Crampton comments.


We now return you to your regularly-scheduled schadenfreude: please enjoy the fact that Kim Jong-Il fucking died.


Thanks, Jack

2011 November 11 — Remembrance Day

93 years ago the guns fell silent… for a while.


When the Waters were dried an’ the Earth did appear,
(“It’s all one,” says the Sapper),
The Lord He created the Engineer,
Her Majesty’s Royal Engineer,
With the rank and pay of a Sapper!

When the Flood come along for an extra monsoon,
‘Twas Noah constructed the first pontoon
To the plans of Her Majesty’s, etc.

But after fatigue in the wet an’ the sun,
Old Noah got drunk, which he wouldn’t ha’ done
If he’d trained with, etc.

When the Tower o’ Babel had mixed up men’s bat,
Some clever civilian was managing that,
An’ none of, etc.

When the Jews had a fight at the foot of a hill,
Young Joshua ordered the sun to stand still,
For he was a Captain of Engineers, etc.

When the Children of Israel made bricks without straw,
They were learnin’ the regular work of our Corps,
The work of, etc.

For ever since then, if a war they would wage,
Behold us a-shinin’ on history’s page —
First page for, etc.

We lay down their sidings an’ help ’em entrain,
An’ we sweep up their mess through the bloomin’ campaign,
In the style of, etc.

They send us in front with a fuse an’ a mine
To blow up the gates that are rushed by the Line,
But bent by, etc.

They send us behind with a pick an’ a spade,
To dig for the guns of a bullock-brigade
Which has asked for, etc.

We work under escort in trousers and shirt,
An’ the heathen they plug us tail-up in the dirt,
Annoying, etc.

We blast out the rock an’ we shovel the mud,
We make ’em good roads an’ — they roll down the khud,
Reporting, etc.

We make ’em their bridges, their wells, an’ their huts,
An’ the telegraph-wire the enemy cuts,
An’ it’s blamed on, etc.

An’ when we return, an’ from war we would cease,
They grudge us adornin’ the billets of peace,
Which are kept for, etc.

We build ’em nice barracks — they swear they are bad,
That our Colonels are Methodist, married or mad,
Insultin’, etc.

They haven’t no manners nor gratitude too,
For the more that we help ’em, the less will they do,
But mock at, etc.

Now the Line’s but a man with a gun in his hand,
An’ Cavalry’s only what horses can stand,
When helped by, etc.

Artillery moves by the leave o’ the ground,
But we are the men that do something all round,
For we are, etc.

I have stated it plain, an’ my argument’s thus
(“It’s all one,” says the Sapper),
There’s only one Corps which is perfect — that’s us;
An’ they call us Her Majesty’s Engineers,
Her Majesty’s Royal Engineers,
With the rank and pay of a Sapper!

— Rudyard Kipling


A wild statistical distribution appears!

So here’s another dreary example of a style of argument that sets me off:

One of Andrew’s readers pontificates about averages:

Despite the amazing progress that women have made in many fronts on equality, they are still physically smaller, slower, and weaker than men. At the very least, one can look at the world records for just about any athletic event, and see how much faster men are. While this does not matter for pilots, or intelligence analysts, or ships captains, it matters very strongly to certain combat arms, such as the infantry. Carrying an 80-pound pack for miles is something where strength does matter. […] This, I think, is the fundamental stumbling block of putting women in the Infantry, or some of the other combat arms.

Oh, okay!  Let’s look at the world records for an athletic event.  I’m going to pick… Olympic weightlifting.  The world record clean and jerk in the 69kg weight class — for men — is 195kg, set by Bulgaria’s Galabin Boevski at Sydney in 2000.  The world record C&J for 69kg women is 158kg, set by the PRC’s Liu Chunhong at Beijing in 2008.  From this we can conclude two things: First, like Andrew’s reader, we can deduce that men are (surprise, surprise) capable of greater strength and power development than women.

Second, holy fuck there are women out there who can pick up over twice their bodyweight and put it overhead!

You see what’s going on here?  Our innumerate friend has taken a true statement (“At the mean, women tend to be smaller, slower, and weaker than men”), stated it obtusely (“Women are physically smaller, slower, and weaker than men”), and used a different interpretation of the obtuse restatement to derive a false conclusion (“There are no women big, strong, and fast enough to serve in the Infantry”).  But s/h/its own source of justification — “world records for just about any athletic event” — indicates that there are a bunch of big/strong/fast enough women out there… though perhaps not as many of them as there are men.

While we’re on the subject: there are a lot of men out there who are not physically qualified to serve as light infantrymen — perhaps even a majority.  This doesn’t seem to bother anyone.
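To make the distribution point concrete, here is a small added example (mine, not part of the original post) that compares two hypothetical normal distributions against a fixed cutoff. The means, standard deviations, population sizes and threshold are made up for illustration and are not measurements of anyone’s strength; the only thing the example relies on is the normal survival function.

```python
import math

def tail_fraction(mean, sd, threshold):
    """Fraction of a normal(mean, sd) population at or above `threshold`.

    Uses the survival function 1 - Phi(z) = erfc(z / sqrt(2)) / 2 so that
    nothing outside the standard library is needed.
    """
    z = (threshold - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2))

def qualified_counts(populations, threshold):
    """For each (name, mean, sd, size) tuple, return the expected number of
    members who clear `threshold` and the number who do not."""
    result = {}
    for name, mean, sd, size in populations:
        passing = round(size * tail_fraction(mean, sd, threshold))
        result[name] = {"pass": passing, "fail": size - passing}
    return result

# Constructed, hypothetical parameters: two groups of a million people each,
# group A with the higher mean.  None of these numbers measure anything real.
POPULATIONS = [
    ("A", 100.0, 15.0, 1_000_000),
    ("B",  85.0, 15.0, 1_000_000),
]
THRESHOLD = 115.0   # hypothetical minimum needed to qualify

if __name__ == "__main__":
    counts = qualified_counts(POPULATIONS, THRESHOLD)
    for name, c in counts.items():
        print(f"group {name}: {c['pass']:,} qualify, {c['fail']:,} do not")
```

With these made-up numbers the statement “A’s mean is higher than B’s” is true, and the conclusion “nobody in B qualifies” is false: about 2% of B clears the bar, which in a population of a million is tens of thousands of people. At the same time, roughly 84% of the higher-mean group A fails the same cutoff, which is the point of the paragraph above.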

(And as with DADT, no-one seems to have bothered to check on what the Israelis are doing.  I don’t think those rifles are for show.)


TSA: Let’s apply some common sense to airport screening


For years, Schneier, the well-known security gadfly, has blasted the TSA for its brain dead approach to passenger screening: the “security theater” of naked scanners and slipped-off shoes; the focus on terrorist weapons instead of the terrorists themselves; the one-size-fits-all security protocols, instead of measures driven by the latest intelligence. For years, the TSA ignored his critiques.

But late last month, at the Aspen Security Forum, TSA chief John Pistole opened his mouth — and Schneier’s words came tumbling out. Pistole said it was high time to “recognize that the vast majority of people traveling every day are not terrorists.” To “try to apply some more common sense to the process,” even.

Forget patting down kids and telling people with top secret security clearances to take off their shoes. “I think we can do a different way of screening children that recognizes that, in the very high likelihood, they do not have a bomb on them,” he said.

Besides, he added, “the best layer of security we have … is intelligence.”

I’ll believe it when I see it.  On the other hand, I didn’t expect Duke Nukem Forever to ship, so there’s room in this best of all possible worlds for some pleasant surprises now and again.
