David Livingstone-Smith, New England
Ideology

The camera obscura description of ideology as an accidental inversion of reality. The Conspiracy Model of ideology as a purposive distortion of reality in pursuit of some goal.

There is a perfectly good model of non-intentional purposiveness available: the notion of biological purpose, e.g. the orchid that simulates a wasp for the “purpose” of seducing male wasps into serving as a pollination vector.

Millikan’s theory of proper function provides an analysis of non-intentional purposes: the proper function of an item is the effect its ancestors had that caused items of that kind to be reproduced.

Ideologies are collective misrepresentations of the social world that:

perpetuate the power of dominant groups, creating the circumstances allowing their reproduction and the reproduction of that power.

 

Rachel Greenstadt, Drexel
Anonymouth: How to make machine learning for security usable

Long term anonymity is challenging, as shown in the case of “A Gay Girl in Damascus”. It’s particularly difficult to re-write an existing document in a new style.

Anonymouth provides a set of suggested changes for making your documents less recognisable as your own.

Luke Church, Cambridge
“tracking” for societal benefit

Users don’t understand derived sales models.

Asking programmers to let the researchers record and analyse their every keystroke and mouse click leads to refusal, because they are afraid of how that data will be used.

Please can we slow down the process of restricting scientists’ access to data.

Bruce Schneier, BT
Profiling and Airports

Why profiling makes no sense in security, even if you have a differential threat. Arguing against intuition, “common sense” and “obviousness” with clear (security) engineering principles is hard.

Public policy has important characteristics which divorce it from individual common sense about security.

Political rhetoric focusses on folk belief, common sense and intuition, rather than solid engineering principles. Non-security issues are driving security decisions (including corporate interest, law enforcement interests, military interests).

The four horsemen of the cyber apocalypse have been used for two decades to justify intrusion.

Persuasion and security questions. How to teach people not to have their security fear buttons pushed.

Matt Blaze, University of Pennsylvania
Folklore

Why (Special Agent) Johnny (Still) Can’t Encrypt (redux)

APCO Project 25 (P25) cryptographic system for first responders.

Serious vulnerabilities of several kinds, in theory. How often do they cause problems in practice?

Rule #1 of cryptanalysis – look for cleartext.

A ridiculous amount of cleartext, much of it highly sensitive: about 30 minutes of cleartext per day per city.

The problem exists because radio encryption is harder than we think.

After discussions with various agencies there was often a short term drop in cleartext but then a reversion and even an increase.

The act of paying attention to problems like this can lead to a reduction of security because of misunderstanding.

Institutional memory of the previous generation of analogue radios (encryption reduces quality) is still maintained even though it is completely incorrect for the current systems.

Pam Briggs, Northumbria
A “Family and Friends” Perspective on Privacy and Security

Prevailing rhetoric is that privacy and security operate at a personal level – with individual decisions.

Too little attention paid to inadvertent disclosure in social or family networks.

Location-based services – one of the potentially most disruptive applications for privacy in the next few years.

Ubicomp in a family setting.

Facebook account compromised: three Facebook friends are needed to re-authenticate the owner.

 

Jaeyeon Jung, Microsoft
Tools to Analyse Personal Data Exposure Through Apps & Developing UIs for Control

The problem is that apps’ access to information is often “all or nothing” for whole classes of data, and without certain classes the app cannot be used at all – even if the app does not need the data, depending on how it is programmed.

Some participants in a study of smartphone app data transfer were unsurprised – this is the price you pay for “free” apps. Others were surprised at things like the collection and transfer of location data when the app did not need it. Others felt they were not bothered by the collection per se, but wanted to know who had the data.

Some participants planned to uninstall particular apps (e.g. Angry Birds) because of their data collection. Some felt that the option of disclose or don’t use was not a good situation.

We need better user experiences for users in knowing about and controlling the information their smartphones give out.

 

Rob Reeder, Microsoft
NEAT guidance for usable software security

The RSA data breach started with a spear-phishing attack based on an Excel attachment.

Security guidance to users in MS products should now follow NEAT: Necessary, Explained, Actionable, Tested.

 

Christoph Paar, Ruhr University
Real World Hacks

How do attackers learn their trade? With better information about how attackers develop their approaches, then we can potentially improve the defences. Obfuscation may be more use than its reputation (security by obscurity) gives it credit for.

 

Frank Stajano, Cambridge
The quest to replace passwords

Passwords have really poor usability. Does this mean we get good security? No.

Predictions of the demise of the password have been greatly exaggerated. We use more and more passwords every year.

Make sense of what has been done – those who fail to study history are doomed to repeat it.

Evaluation framework for authentication systems.

Passwords are not going to die any time soon. Many schemes are better than passwords on security. Some schemes are better on usability than passwords, but most are worse. All are worse on deployability.

 

Jeff Yan, Newcastle University
Does psychological profiling predict MMORPG cheaters?

There are many technical solutions for analysing in-game behaviour to identify cheating. Is it possible to identify likely cheaters with a psychological test? And what about potential cheaters cheating on the questionnaire?

Sandy Clark, University of Pennsylvania
The Honeymoon Period and Security Development

Bug identification models don’t work for vulnerability identification.

Casinos have developed good approaches to patching exploits in their systems (general systems, not just computer-based systems).

Scams are the “buffer overflow errors” of human consciousness.

Attackers adapt, so defenders must adapt.

Evolutionary biology model of parasite/host co-evolution (the Red Queen Hypothesis: everyone must keep running just to stay in place, and the best outcome is not a perfect system).

Modelling the defender is not enough. We need to model the attacker. More importantly, we need to model the interaction, and the violation of assumptions is one of the key elements of this.

 

Richard Clayton, Cambridge
Devo estar falando Portugues? (Should I speak Portuguese?)

IM Worms.

Portuguese-specific short IM lures have significantly higher click numbers at peak than “language-independent” ones.

 

Cormac Herley, Microsoft
Fraud

Anything I do with a password can be repudiable.

We should be teaching check(cheque)-clearing rules instead of Byzantine security tips.

 

Markus Jakobsson, PayPal
What are password strength checkers actually doing?

A strength checker works like a feature checklist: fast runner? has a tail? has black marks? has a yellow surface? has dots? Something can tick every box and still be a budgie, not a leopard.

Determine the user’s mental process for creating (strong) passwords.

Comment by Richard Clayton: passwords for porn sites need to be enterable with only one hand.

 

Eric Johnson, Dartmouth College
Fraud in Healthcare

US healthcare costs are $2.5T. Fraud is estimated at some hundreds of billions of dollars.

Medical identity theft?

The US medical system is set up to provide opportunities for fraud, particularly due to the pay-and-chase model.

Very easy to join Medicare/Medicaid as a payee: just a bureaucratic process.

Getting hold of an identity is not hard. The monetisation model is the key development.

Gráinne Kirwan, Inst of Tech, Ireland
Psychology of Cybercrime

Interested in victims of cybercrime. Why are they targeted, how do they react?

Trait anxiety, rather than state anxiety (Big-5?): how does it compare to susceptibility to fraud?

Victim facilitation and precipitation. Insult someone and they hit you (precipitation). Leave your keys on the bar (facilitation).

Considering how facilitation relates to liability. Most people will indicate that facilitative victims should be more liable.

David Modic, Exeter
Risk and Internet Scams

Ego-depletion, materialism, marketing appeal (as predictors of susceptibility to being scammed).

Ego-depletion has no effect on falling for a scam.

No materialism measure has any impact.

The appeal of the offer has a very limited effect.

Scammers offer money not goods and intangibles.

Jeff Hancock, Cornell
Detecting Deceptive Language and Promoting (more) Honest Behaviour

Detection of the difference between purchased reviews of hotels by people who had not stayed there and real reviews by those who had. Automatic detection could identify 90% of the fake reviews – only works for differentiating between those who had stayed there and those who had not.

Lab studies on identifying lying: psychological distancing leads to verbal immediacy, cognitive complexity leads to a different discourse structure, anxiety and guilt lead to emotional leakage. However, various types of situation lead to differences in how the models can be applied.

How to promote more honest behaviour.

Promoting honest behaviour: triggering the feeling that a face is present triggers social constraints on lying.

Current research will include graphics to see what can improve honesty.

Tyler Moore, Wellesley College
Why user intent affects how we combat online wickedness

Online crime is mainly fought by private actors rather than state agencies.

Sometimes crime is difficult to distinguish from undesirable behaviour.

What is the distinction between bad behaviour and criminal behaviour?

Distinguishing between phishing and malware installation (which can lead to keylogging and loss of authentication details). Phishing is attacked by the banks. Malware installers are attacked by the search engines.

Transparent redirection by cracked sites, conditional on the referrer information showing that the visitor arrived from a Google search page.

Need to identify the intent of the user.
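The referrer-conditional redirection described above, as an added example (not code from the talk or from any real compromised site): a minimal model of the injected behaviour, which serves the normal page to direct visitors and to crawlers but answers a visitor arriving from a Google search page with a redirect, together with the obvious check for it, fetching the same path with and without a search referrer. The hostnames, the redirect target, the crawler user-agent markers and the sample request headers are all assumptions for illustration.

```python
"""Referrer-conditional redirection (search cloaking) and a two-fetch check for it.

Added example, not the talk's own code. Hostnames, paths and UA markers are
assumptions chosen for illustration.
"""
from urllib.parse import urlparse

SEARCH_HOSTS = ("www.google.com", "www.google.co.uk")     # assumption
CRAWLER_UA_MARKERS = ("googlebot", "bingbot")              # assumption
REDIRECT_TARGET = "http://pharma.example/landing"          # hypothetical destination


def came_from_search(headers: dict) -> bool:
    """True when the Referer header points at a search results page."""
    ref = urlparse(headers.get("Referer", ""))
    return (ref.hostname or "") in SEARCH_HOSTS and ref.path.startswith("/search")


def is_crawler(headers: dict) -> bool:
    """Crude crawler check: the injected code wants the search engine to keep
    indexing the legitimate content, so crawlers never see the redirect."""
    ua = headers.get("User-Agent", "").lower()
    return any(marker in ua for marker in CRAWLER_UA_MARKERS)


def compromised_handler(path: str, headers: dict):
    """Model of the code injected into a cracked site.

    Returns (status, body_or_location). Only visitors who clicked through from
    a search results page, and who are not crawlers, get the 302.
    """
    if came_from_search(headers) and not is_crawler(headers):
        return (302, REDIRECT_TARGET)
    return (200, f"<html>legitimate page for {path}</html>")


def detect_cloaking(fetch, path: str):
    """Fetch the same path as a plain visitor and as a search visitor.

    `fetch(path, headers)` is any callable returning (status, payload); here it
    is the handler above, in practice it would issue real HTTP requests.
    Returns (differs, plain_response, search_response).
    """
    plain = fetch(path, {"User-Agent": "Mozilla/5.0"})
    from_search = fetch(path, {
        "User-Agent": "Mozilla/5.0",
        "Referer": "https://www.google.com/search?q=cheap+pills",   # constructed
    })
    return plain != from_search, plain, from_search


if __name__ == "__main__":
    differs, plain, via_search = detect_cloaking(compromised_handler, "/blog/post")
    print("cloaking detected:", differs)
    print("plain visitor  :", plain)
    print("search visitor :", via_search)
```

The check only catches the case the page describes (redirect keyed on the search referrer); a site that additionally keys on the visitor's IP range or user-agent needs the same comparison made across those dimensions too.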

 

Robert Trivers, Rutgers
The Folly of Fools: the logic of self-deception.

Lying to others is indivisible from self-deception.

Psychologists tend to study only deception. Philosophers worry too much about self-deception. You need both to understand deception.

Choice of language as well as physiological reactions give clues to deliberate deception. Self-deception could be deliberately practised in order to avoid deception clues.

Interesting data on self-deception: we do believe our deceptive positive self-image.

Self-deception is offensive (aimed at deceiving others), rather than what the psychologists claim: that self-deception is defensive, aimed at making ourselves happier.

We need more evidence on detecting deception in real situations.

80% of accidents happen with the pilot, rather than the co-pilot, in actual charge. Co-pilots are hesitant to correct errors from their more senior colleagues, particularly if they do not have a pre-existing strong relationship.

When considering deception, you must always keep self-deception in mind.

 

Joseph Bonneau, Cambridge
Guessing human-chosen secrets

What’s easier to guess? Older or younger users’ passwords? Passwords or random 9-digit numbers? A PIN or a mother’s maiden name?

Showed the cartoon of Jesus having 2512 as his PIN to his father, whose birthday is Christmas Day, and his father promptly went and changed his PIN.

Released files of stolen passwords allowed statistical analysis of password choices.

Gathering data within Yahoo via a keyed hash of each password, so the statistical analysis can be done without knowledge of the actual passwords.

Changing user behaviour (such as changing passwords occasionally) is better than just stressing the risk.

Language makes something of a difference, but at most a factor of two in difficulty.

 

Stuart Schechter, Microsoft
Better Passwords

P@ssword was a “strong” password according to Yahoo’s algorithm. P@$$word1 was a “strong” password according to Google’s algorithm.

Ban popular passwords!

Important internal passwords for high value propositions (MS, Google) need better approaches.
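The budgie-not-leopard checklist from Jakobsson’s talk and the two “strong” passwords from Schechter’s, as an added example (my code, not Yahoo’s or Google’s): `checklist_strength` imitates the common feature-counting meter and duly rates both P@ssword and P@$$word1 “strong”, while `popularity_check` does what “ban popular passwords” asks for, normalising the obvious substitutions and rejecting anything on a banned list. The banned list here is a tiny constructed stand-in for a real leaked-password frequency list, and the substitution table is an assumption.

```python
"""A feature-checklist strength meter beside a popularity ban.

Added example, not any vendor's code. BANNED is a constructed stand-in for a
real list of the most popular leaked passwords; LEET is an assumed table of
the usual substitutions.
"""
import re

BANNED = {"password", "123456", "qwerty", "letmein", "abc123", "iloveyou"}   # constructed
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})  # assumption


def checklist_strength(pw: str) -> str:
    """Budgie-or-leopard meter: count surface features, ignore what the password is."""
    score = sum([
        len(pw) >= 8,
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^\w]", pw)),
    ])
    return "strong" if score >= 4 else "medium" if score == 3 else "weak"


def normalise(pw: str) -> str:
    """Undo the cosmetic tricks: lower-case, drop trailing digits/punctuation,
    map common symbol substitutions back to letters."""
    core = re.sub(r"[\d!?.]+$", "", pw.lower())
    return core.translate(LEET)


def popularity_check(pw: str, banned: set = BANNED) -> bool:
    """True when the password survives the ban; both the raw and the normalised
    form are looked up so that P@$$word1 is treated as the 'password' it is."""
    return pw.lower() not in banned and normalise(pw) not in banned


def evaluate(pw: str) -> dict:
    """Both verdicts side by side, for the two examples from the talk."""
    return {"checklist": checklist_strength(pw), "allowed": popularity_check(pw)}


if __name__ == "__main__":
    for candidate in ("P@ssword", "P@$$word1", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

A real deployment would replace BANNED with the top few thousand entries from leaked-password statistics (exactly the data the guessing work above is built on) and would normalise before the lookup, as here, rather than only matching exact strings.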

Catching up on a bunch of blogging here. Sorry for the post-spam in your friend filters on LJ or your RSS feeds.

I seem to have levelled up in my swimming the last couple of weeks. I’ve hit a personal best three times in a fortnight and come pretty close to it a couple more. Unless there’s a problem (usually getting into the pool late during the 55 minute slot and having to stop at n:55 and either splitting my set or giving up partway through) I do 50 lengths (of a 25m pool). Mostly since I moved to 50 lengths I manage to do it in under 30 minutes, though sometimes if I’m tired (not enough sleep) or have done a lot of other moving around that day I’ve been over the 30 minutes or feel bloated because of swimming too soon after eating (anything less than 90 minutes and I’ll be a bit slow). Lately I’ve been hitting under 28 minutes even when I feel a bit slow and my personal best is now 26:38. I’m usually one of the fastest in the pool, though there are people slightly faster around sometimes. Some of them are faster on individual lengths but they take breaks whereas I just keep going through unless there’s a problem (either with overtaking or when a pair of goggles are losing their seal). The other day, though, there was a young chap who was almost twice as fast as me over one length. He was probably doing 5:3 or better. He was taking some breaks and when doing crawl was using a float between his thighs but even so he was impressively fast and it looked effortless. I was so envious. I may look like I’m putting in less effort than I am doing, to others who are slower than I am, I suppose, but this guy was just impressive. Still, I think 50 lengths in 26:38 isn’t bad going for a middle-aged guy.

This is four linked novellas (maybe some of them are novelettes) rather than a true novel. It’s written in the first person, with the first tale starting with a first person narrative letter read by the viewpoint character. One of the novellas features another of the main characters as the storyteller. The premise is that the legends of Nepal and Tibet (the Yeti, Shamballa, tunnels, reincarnated lamas) are true. It’s one of the best pieces of humorous fantasy I’ve ever read and all the more wonderful because it’s from an author who is so straight in most of the rest of his work (which is also brilliant but in a completely different way). Much as I like Robinson’s other stuff, I wish he’d occasionally write something along these lines again because he does it so well. Humour is hard but this is up there with Walter Jon Williams (Drake Maijstral) and Terry Pratchett in my list of laugh out loud books. If you need a laugh, I heartily recommend it. The encounter between a mythical creature and a former US president is wonderfully told and Robinson’s descriptive powers make the movie in my head so crystal clear that I’m smiling as I remember the images now to write this.

Pure brilliance, that’s weathered the years with no diminution. Read it and weep with laughter!

The third Johannes Cabal novel takes us into yet another genre. This time Howard plunges into Lovecraftian territory and Cabal enters the Dreamlands and encounters Nyarlathotep. There’s a subplot including ghouls which is supposed to be a twisty ending type of thing but fell quite flat to me. In fact, the whole thing fell rather flat. There’s much better work out there in the Cthulhu Mythos, and indeed I felt moved to dive back into re-reading one of the better ones after this. Howard may well continue with this series, but I don’t think I’ll bother. I may even get rid of these as they weren’t dreadful but I don’t think I’ll really ever want to read them again. I don’t object to having spent the time to read them, but there’s better stuff out there for the future.

On a final note, I also don’t like the way the title works. The first two are descriptive phrases for Johannes Cabal, whereas this one is formatted with Johannes Cabal as the series name and the Fear Institute as the book title. Inconsistency. Ugh.

The second Johannes Cabal novel (the author’s note in the third gives the title of at least one published short story and implies the existence of others). This looks almost like a fix-up of a novel originally written with a different protagonist re-worked to include the main character. Almost. It differs radically from the first one in a number of ways. For a start there’s a map showing how the action moves around the fictional geography of Ruritania-esque (Ruritania is mentioned though the action does not go there) places. It establishes Cabal as a German immigrant to the UK as a youngster (or maybe born there but with parents who gave him German as a first language and German-accented English) and with the somewhat forced appearance of a character from the first novel clears up the setting of that as the UK. The setting here is now also clearly steampunk with airships not raised by lighter than air gas but suspended from aetheric currents. It’s a reasonable murder mystery plot but Cabal is still not likeable enough as a main character and indeed does some things which don’t quite fit the character as set up to date in order to further the plot. Passable but not brilliant.

The second Aaronovitch book about a police constable inducted into the Met police’s now very limited (him and an inspector, plus their vampire maid) magical services division. It neatly follows on from the first without missing a beat and sets up a brilliant serial killer piece which gives the magical police procedural a great workout. The main character is further developed, as is the background to the world and the other major characters (including his boss and his family). The musical link is nicely played through in multiple interlocking themes, while no punches are pulled in the human capacity for screwing up and around and, well, just plain screwing, too. I’m really looking forward to the third book which I have on my “order when available” reminder list (I think it’s in hardback now but I’ve got the TPBs of the first two so will wait for that edition).

This is the first of three (so far) “dark comic fantasy” novels by someone better known for his interactive fiction work (Jonathan L Howard, designer of games such as Broken Sword). It’s the story of a necromancer who gave up his soul years before in order to learn the secrets of necromancy but now makes a bet with Satan to get his soul back. It’s intended to be a black comedy with a likeable antihero. I think it just about succeeds but has some significant flaws. The biggest flaw is its lack of a sense of time or place. The individual settings of scenes are not badly done, but the overall geography is missing barring a description which could equally apply to the Fens in the UK, the Florida Everglades or the Netherlands. From the author’s nationality and residence and little bits and pieces one eventually gathers that this is supposed to be some version of England, though the characters are a little mid-Atlantic and the one clear linguistic clue to setting is one character’s use of “Mom”. The question of time period is even more difficult. At times it looks like the 1920s or 30s. At others it’s reminiscent of the 70s and still others place it in the sempiternal now. It’s not clear whether this is supposed to be our world with hidden dark forces or a parallel one where dark forces are known and understood, at first. The occurrence of a zombie army and the fame of the eponymous character for single-handedly stopping them implies the open world, but it’s so shadily drawn that it rather distracts from the main plot. This plot is OK, but nothing to write home about (though I’m doing that now, I suppose).

An OK book, but there are better examples of the genre out there, such as Ben Aaronovitch’s Rivers of London.
