Monthly Archives: September 2007

Sheep outsmart Britons

Posted on by

sheep.jpg

The BBC reports that in Yorkshire, crafty sheep conquer cattle grids:

Hungry sheep on the Yorkshire moors have taught themselves to roll 8ft (3m) across hoof-proof metal cattle grids – and raid villagers’ valley gardens.

A National Farmers’ Union spokeswoman in York said: “We have never seen anything like it. We have looked at ways of improving the situation but it is very difficult. The grids are substantial bits of kit.”

If these were Boston sheep, they’d be lucky to be alive after pulling a stunt like that.

Photo: “2005 05 Northumberland 019” by Marjia.

SmartHippo Launches

Posted on by

Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan.

So how do banks make money? It’s ‘easy.’ They sell you a loan at a higher rate than they’d be willing to settle for. A mortgage is a big, unpleasant, complex process that includes some stranger pawing through your financial life. Making a bad choice is worrisome. Most people apparently get very few quotes, and are told that their rate depends on their credit score.

There’s a strong imbalance in the information that each side has, and my friends at SmartHippo have just launched a site to help correct that imbalance.

If you’re getting a mortgage, or just want to compare, check these folks out. I really like what they’re doing and where they’re going.

What would it be like if buying lemonade was as complicated as shopping for mortgage rates? See what happens when little Jenna opens a lemonade stand and tries to maximize profit at the expense of her customers.

Making a Positive Impression With The Business

Posted on by

pogo.jpg
Larry Hughes has a great post over on Riskbloggers with tips on how to demonstrate that security is invested in the success of the business. There’s some really good stuff here. Especially these two:

Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into the corporate net from anywhere in the world with their own laptops? Of course you’d like to help them explore how they can meet their objectives in a way that’s neutral to the business’ security posture.

I can’t agree with this one more. The only thing I’ve seen that gets more traction and people playing nice with us is a major security event. All saying no does is to make things more confrontational and put everyone in a resistant mood. So you want to avoid that, unless of course you like being called “Dr. No”. By saying “How can I help?”, you are putting yourself in a position where you are making things happen, not being a roadblock.

Learn when to say “That’s good enough for now.” Scratching and clawing for every inch of ground this time, because you know how hard it’ll be next time, only leaves you with bloody fingernails. Nobody wants to buy things from people with bloody fingernails.

As Ken Van Wyck and Mark Graff remind us Secure Coding, it’s not about being secure. It’s about being secure enough. It’s never going to be perfect, so the question is whether there is enough protection from threats for the foreseeable future.
This is similar to how we need need to understand how businesses work. But we also need to understand how people work and learn how to interact with them better. As usual the people are indeed the weakest link, but in this case, it is us.

Bayesian battlefield

Posted on by

According to court papers referenced in this VOA report, U.S. sniper teams in Iraq are using an interesting tactic:

[A] so-called baiting program developed at the Pentagon by the Asymmetrical Warfare Group….the baiting was described as putting items, including plastic explosives, ammunition and detonation cords on the battlefield then killing suspected insurgents who picked up the objects.

These claims are being made by men accused of murder, so bear that in mind. If true, however, this technique would seem very likely to suffer from a large number of false positives. Assuming the process was designed by someone intelligent, that either means they do not care about false positives, or that (contrary to my prior belief as asserted above) the likelihood of a curious true bad guy happening by is so large that the false positive rate is tolerably low.
Scary either way, I’d say.

Once more into the Ameritrade Breach

Posted on by

Last week, I wrote:

It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release.

On further reading, both from readers commenting on that article, and things like Network World, “Ameritrade customers vent about data breach:”

The Ameritrade spokeswoman says the company believes no Social Security numbers have been taken because the only known illicit activity traceable to the breaches is spam, not identity theft.

Well, with a little more skepticism, words like “known” and “traceable” start to sound a lot less forthright. So perhaps my initial comment, that they’re shaping the news, was entirely on target, but in the wrong context.

There’s also this, from Information Week:

An attorney launching a class-action lawsuit against TD Ameritrade Holding alleges the online brokerage knew a hacker had access to a customer database as far back as a year ago.

As Rich Mogull says:

This is all Crisis Communications 101- as history has shown, the best way to defend your reputations in a major incident is to admit the failing, spare nothing to protect your customers, and act as openly and honestly as possible. Otherwise we wouldn’t have seen a bottle of Tylenol on a store shelf since the 1980’s.

It’s too bad Ameritrade won’t be the first company to really come clean in a major breach. Which means there’s still an opportunity for the CEO of another firm to get ahead of the problem and be remembered for their vision.

You’ll read about whoever it is here.

MIT, Logan, the Chilling Effect and Emergent Chaos

Posted on by

If you’re not hidden under a rock, you know about the latest bomb scare in Boston. Some MIT kid forgot that Boston cops think anything with an LED on it is a bomb.

mit-fashion.jpg

A lot of people are saying she got what she deserved, or that she’s lucky to be alive. These people probably think that Jean Charles de Menezes should have worn different clothing before getting on the London Metro, and that Andrew Meyer should have never asked a question of John Kerry.

I think this is a tremendously dangerous trend for society, and not just the creative or strange types. Should we give police such broad license to use force that everyone needs to consider, first and foremost, if their actions, their legal actions, might freak out a policeman?

If we do so, there are substantial costs. They’re not visible. A few moments of time every day, considering how the police feel about you. A little less bizarre or riqsue public art. A little less creativity and verve in life, as we all ask “what if a cop shoots me?”


What would have happened to the first people designing and testing cell phones, if homemade electronics with a battery had been cause for concern? How would we test keyless car entry systems, if a police officer had shot people walking up to cars without unlocking them? Even Dave Maynor would be in trouble. Just look at his art:

dave-maynor.jpg

When I was a kid, Radio Shack sold breadboards (like the one the student was wearing.) Tinkering with electronics was a key part of what launched the Homebrew computer club. Tinkering with dangerous chemicals was an important part of the development of modern photography.

Do we want everyone who tinkers, invents, hacks or makes projects to have to worry that cops with submachine guns are going to show up and ask agitated questions? Are those filters good for society?

Here at Emergent Chaos, we’re fans of, well, emergent chaos that happens when those filters go away.

Photos: Lisa Poole, AP, and Dave Maynor, Errata, respectively.

[Update: Chris Soghoian makes the useful point that lots of bombs have no visible wires at all, being hidden inside other things. And while protecting against dumb terrorists is useful, it's not worth giving up our ability to tinker, build or innovate.]

How unladylike

Posted on by

Like most EC readers, I have been following the story of the MIT student with the breadboard and Duracell fashion accessory who nearly got ventilated at Logan airport in the most LED-hostile city in the US, Boston.
The Associated Press was quick to repeat the claim that the student was wearing a “fake bomb”, when this is at best a very debatable point. Well, now they’ve outdone themselves with the latest headline on this story:

MIT Coed With Fake Bomb ‘Art’ Arrested

This is the greatest example of linguistic economy I have seen this year. It bundles three horrendously poor word choices into a seven-word sentence. The Bulwer-Lytton people need to make a special award.
1. We do not know that this was a “fake bomb”. That depends on the intent of the student, who says it was just art. Who the heck are the Associated Press to draw conclusions so early in the story?
2. “Art” or art? The AP “editors” need to read up on the different uses of quotation marks.
3. “Coed”? The appropriate term is “student”. I literally cannot find the words to express how….erm…’quaint’ this word choice is. I hope the AP editors are sitting down when they learn that the woman in question was not in a home economics, english literature, or library studies program.
Sheesh.
I have no idea what the motives (if any) this person had for her choice of attire. She may be a publicity-seeking ninny, some kind of art activist, an EE geek with poor situational awareness, or — like Miss Teen South Carolina or whatever — somebody who let off a rather noticeable brain fart which got caught in Panopticon 2.0. She could also be none of the above. One thing for sure is that the Associated Press isn’t helping us arrive at the truth by using loaded terms (no pun intended) and taking us on a painful trip down memory lane.