Bruce at INFOSec Europe

I was lucky enough to listen to Bruce Schneier speaking at INFOSec Europe on Wednesday last week. He spoke about the mismatch between ‘security’ and ‘feelings’: often how we feel does not equate to reality. For example, at airports they remove liquids during the security check; it makes us feel more secure, but in reality it doesn’t make much -if any- difference to how secure we actually are. In effect we make security trade-offs based upon how safe we feel. The ability to make this trade-off accurately can be distorted by media hype. The fact is the ‘feeling’ comes from the instinctive part of our brain, and the ability to rationalize is what distinguishes us as human beings from animals.

This brings us onto ‘models’. You know, the societal models that we have grown up with and accepted as fact. Models are created by human beings and are based on facts. These facts can actually become an integral part of how we feel. For example, one model created by the tobacco companies in former times was that smoking was healthy; this model has changed over the last 30 years to the converse. Changing this model took time, and was painful for many, especially the tobacco companies 🙂

The unknown is scary, and it seems we have a tendency to overestimate the impact of involuntary risks (e.g. earthquakes, airplane crashes) and, conversely, to underestimate voluntary risks (e.g. smoking, which is a choice).

Security Theatre (snake oil) is the name given to those products that make you feel more secure, even though in reality they don’t do anything. Although we do need these sometimes. One example in the US was the introduction of the safety cap on over-the-counter drugs. There was an incident whereby one bottle became contaminated by some (mentally sick) person. The consequence was a death. This type of incident is extremely rare; however, over-the-counter drugs would never have made it any further without the introduction of the safety cap, as consumer confidence had been lost.

So to summarise: the most successful security products manipulate ‘models’ and ‘feelings’, even though they may not necessarily match ‘reality’.

All for a bar of chocolate…..

Having just got back from INFOSec Europe myself, I was intrigued to find this bogus survey carried out again; it was just an exercise in social engineering. So here we are: a chocolate bar in exchange for your password, and just for good measure we shared our personal details too, you know, there was a draw, and the enticement was the chance of a big prize. The ladies came out quite badly in this survey; it seems that we value chocolate more than our passwords. We -the fairer sex- really need to do better next year…..

Are you a patient at the University of Miami?

Just look at what popped up in my mailbox this morning!

An article stating that computer tapes containing the confidential information of 2.1 million University of Miami patients were stolen last month when thieves took a case out of a van used by a private off-site storage company…

“Anyone who has been a patient of a University of Miami physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes,” the university said in a news release. “The data included names, addresses, Social Security numbers or health information. The university will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment.”

I wonder what sort of sensitive data disclosures will be in the news once databases of these hospitals are connected up?

Herman Junior arrives

Well, for those of you following the ‘Herman saga’, you will be pleased to hear the latest: Herman Junior has arrived. Whilst Herman has been waiting for his food source (you know, the replacement power supply), my husband decided that it was time to purchase Herman Junior. After all, we have 2 floors in our house, and our intention was to have Herman upstairs and the latest version of the iRobot (Roomba 560) downstairs.

How wonderful it has been since Herman Junior arrived yesterday. He has a much better ‘anti-tangle’ system. What is so wonderful about these robots is that they love to clean; they truly look and sound happy as they whiz around. It makes me happy too. When he does have a problem he says “oh oh”, which sounds so funny and so damn cool!

Google and behavioural marketing

I just love this….

An ad hoc coalition of companies with a stake in online advertising has signed on to a letter addressed to New York State Assemblyman Richard Brodsky outlining their opposition to a bill Brodsky has authored that would impose restrictions on data collection for use in online advertising. Google, Yahoo, AOL, Facebook, Comcast, eBay, EDS, Monster and Reed Elsevier are among the signees of a letter that says the proposed law “would have profound implications for the future of Internet advertising and the availability of free content on the Internet.”

And then there’s what is in this letter. The first advantage of online advertising -according to Google- is that it connects consumers with information, products and services that they seek. I would almost buy this if it wasn’t for the fact that they also use the argument that it helps bloggers and small businesses to prosper. OK, by placing those ads on their sites that you click on so they generate revenue, and this is their justification? Then they proceed by stating that “they believe that users’ trust is essential to build the best possible products”. Interesting… I don’t (and I guess I’m not alone here) trust Google in the slightest with my personal information; although I’m intrigued by the company itself, their practices are not to be trusted. They claim that their privacy practices are based upon 3 fundamentals:

1. Transparency – yes, sure… transparency means you have no idea what personal information is being gathered on you

2. Choice – OK, this is getting very interesting… they claim that MANY of their products do not REQUIRE users to provide any PII. In fact, is it not in the nature of the services that they offer that choice is NOT provided? Without realising it, their services are making the choice for us. Think about that.

3. Security – yes, they are serious about this. Well, I guess it’s not their problem that they index everything. Some of the responsibility must be laid on those responsible for making information public. I think this is fair.

Well the letter goes on…you can read for yourself.

New passport RFID hack

Security researchers say they’ve found a way to crack the encryption used to protect a widely-used smartcard in a matter of minutes, making it possible for them to quickly and cheaply clone the cards that are used to secure office buildings and automate the collection of mass transportation fares.

The attack works against the Mifare Classic, a wireless card made by Netherlands-based NXP Semiconductors. It is used by transit operators in London, Boston and the Netherlands and by organizations in the public and private sectors to control access to sensitive areas, according to Karsten Nohl, a PhD candidate at the University of Virginia and one of the cryptographers who discovered the weakness. NXP says it’s sold 1 billion to 2 billion of the cards.

Schneier has a post on this. Here is the research paper that describes this flaw.

Thanks to Jakob Peter for sending me this paper!

Do you trust your government?

A very interesting article concerning the use of the government as a ‘trusted third party’ in private-sector transactions, e.g. proving online that you are 18 or over. Vikram Kumar works for New Zealand’s State Services Commission on the All-of-government Authentication Programme. As he puts it, “… that means my working and blog lives intersect….” In this discussion of the Third Law of Identity, he argues that in New Zealand, where the population of the whole country is smaller than that of many international cities, people may consider the government to be a “justifiable party” in private-sector transactions.

You know, I wonder if the same could be said of Sweden, with a population of just 9 million? I find -after living here just 5 years- that the trust that the Swedish individual has in the government is amazing when compared with countries such as the UK and the US. For example, Swedes really can’t understand the fuss being made about the British ID scheme. In Sweden children are born with a personal ID number -you know, in addition to 5 fingers/toes and the bare necessities for survival ;-). In Sweden I believe that Vikram’s arguments are almost plausible, almost possible to work…… Although as a Brit myself I find this a bit scary…