Homo Economicus?

Researchers have identified brain cells involved in economic choice behavior:

The scientists, who reported the findings in the journal Nature, located the neurons in an area of the brain known as the orbitofrontal cortex (OFC) while studying macaque monkeys which had to choose between different flavours and quantities of juices.
They correlated the animals’ choices with the activity of neurons in the OFC with the value assigned to the different types of juices. Some neurons would be highly active when the monkeys selected three drops of grape juice, for example, or 10 drops of apple juice.

This is cool on a couple of levels. First is that there’s a cross-disciplinary synthesis under way between biology, psychology, and economics that is yielding some pretty nifty results. Maybe the days of treating preferences as fixed and exogenous are numbered :^). Second, apparently it’s totally cool to do experimental economics with non-human primates. There are implications aplenty there, but perhaps I am reading too much into this.
Update: An early draft of the paper is available on-line.

Have the Terrorists Won?

On Wednesday, officials closed down all security checkpoints at the Hartsfield-Jackson Atlanta International Airport when a “suspicious device” was detected in a screening machine.

All departing flights were stopped, and arriving flights were delayed 90 minutes, affecting 120 flights during the day’s peak travel time, according to the Associated Press. However, after two hours, the gates were reopened shortly before 4 p.m. EST.

It may well make sense to kick in more aggressive procedures if you find an actual gun or bomb (although my understanding is that they find guns fairly regularly). But a ‘suspicious device?’

After I wrote the above, both Bruce Schneier and Ryan Singel pointed out that it was a software failure. See “Software Failure Causes Airport Evacuation” and “Software Failure Shuts Down Nation’s Busiest Airport.”

So, a suspicious device shows up, but they can’t figure out why. Being risk-averse, the TSA closes the airport, causing huge economic and personal costs to thousands of travelers. Is that rational?

In the latest in the ongoing saga of debit cards being reissued after a breach at an unnamed merchant, 3rd-party, or card processor, we learn that unless a crook stands a chance of getting caught, he’ll keep on stealing:

These crooks get away with it, and that’s why they keep doing it. They’ve got about a one in a thousand chance of getting arrested

The quotation is from Gartner analyst Avivah Litan. I’d love to know where that 1 in 1,000 number comes from. I found a decent report [pdf] from the folks that run the Star ATM network, but couldn’t derive anything about arrest rates from it. Other than that, all my intrepid research assistant Google could find was that arrest rates are “under 5%, according to law enforcement” in about 25 different places — which is probably a factoid run amok, rather than a real number. Besides, there’s a big difference between 1 in 20 and 1 in 1000.
Anybody have any idea how such a number could be determined? Seems to me it’s rather challenging to compile for a crime likely not to be reported, and where one criminal’s arrest could clear hundreds of crimes.

The law is an ass

Nevada is one of a small number of states that actually defines the term ‘encryption’ as used in its breach disclosure law.
To wit:

NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.
(Added to NRS by 1999, 2704)

Initially, I read this as basically saying that any control used to prevent or hinder unauthorized access to data counts as encryption. After all, why would a data owner want to hinder or obstruct legitimate access? But what the heck is a “computer contaminant”? I thought maybe it meant some kind of electronic taggant — after all, this is financial stuff. I figured it might be the digital equivalent of an exploding dye packet in a cash drawer.
Nope. Basically, it means “evilware” — virii, worms, spyware, etc. So, what we have here is a law designed to protect data from being accessed by malefactors that defines one of its key controls (encryption) as (in part) the use of malware to deprive the legitimate data owner of access to his data!
Basically, Nevada seems to have passed its law defining encryption back when encryption was thought (by the ignorant) to be something pornographers, drug dealers, Communists, and mafiosi used. Accordingly, it is defined by statute in negative terms. Now, when it is rightly seen as a critical means of protecting “good” information and keeping it from some of the very bad guys listed above, Nevada remains saddled with its earlier definition, and IMO it looks all the more foolish for it.

State disclosure laws

I’ve written up a comparison of what I believe to be all existing US state disclosure laws with regard to three loopholes that have been discussed by, among others, Rob Lemos and Bruce Schneier recently.
I’m experimenting with Blosxom, so I posted this over here.
The executive summary is all the state laws could use improvement, but if you care most about these three loopholes, Maine looks pretty good. If you expand your evaluation criteria to include central reporting or tighter protection of personal information, New York is the top of the heap.

How Low The Bar

The 2nd Circuit Court of Appeals upheld a ruling against a Ms. Cassano, who feared that providing her SSN placed her “in dire jeopardy of having her identity stolen,” refused to provide it, and was terminated.

The decision states that “There is no doubt that laws requiring employers to collect SSNs of employees have a rational basis.”

Is that the only requirement for a law these days?

Via Davi Ottenheimer, “Employee terminated for refusing to give SSN,” and the case is Cassano v. Carb, No. 04-6712 (2d Cir. 1/24/06).

[Update: For clarity’s sake, I’m not objecting here to the requirement for an SSN for tax purposes. I was trying to comment that I’d hope laws not only have a rational basis, but are constitutional, minimally intrusive to achieve their purpose, and perhaps there are other broad criteria which they ought to meet.]

US Travel ID to have RFID Readable at 25 feet

Declan McCullagh and Anne Broache have the story in “New RFID travel cards could pose privacy threat:”

Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the proposal says, “the solution must sense up to 55 tokens.”

The notice, unearthed by an anti-RFID advocacy group, also specifies: “The government requires that IDs be read under circumstances that include the device being carried in a pocket, purse, wallet, in traveler’s clothes or elsewhere on the person of the traveler….The traveler should not have to do anything to prepare the device to be read, or to present the device for reading–i.e., passive and automatic use.”

Metricon 1.0 Call For Papers

MetriCon 1.0 – Announcement and Call for Participation

First Workshop on Security Metrics (MetriCon 1.0)
August 1, 2006, Vancouver, B.C., Canada

Ever feel like Chicken Little? Wonder if letter grades, color codes, and/or duct tape are even a tiny bit useful? Cringe at the subjectivity applied to security in every manner? If so, MetriCon 1.0 may be your antidote to change security from an artistic “matter of opinion” into an objective, quantifiable science. The time for adjectives and adverbs has gone; the time for numbers has come.

MetriCon 1.0 is intended as a forum for lively, practical discussion in the area of security metrics. It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific implementations. Topics and presentations will be selected for their potential to stimulate discussion in the Workshop.

You can click the picture of the CFP to get a Metricon CFP in PDF, or continue reading.

“The Far Enemy”

I’ve been meaning to blog about “The Far Enemy: Why Jihad Went Global” by Fawaz Gerges for quite some time.

The book is a fascinating look at the internal debates of the various Jihadist sub-groups, and takes its title from an argument over targeting the “near enemy,” or local government, or the “far enemy,” the United States. Gerges is clearly deeply immersed in Jihadist debate, and traces much of the history and character of those debates.

It was a deeply challenging read, on several levels. First, Gerges’s orientation is so close to the Jihadists that he offers up distinctions which seem like the splitting of the thinnest hairs. He also seems to express sympathies for the jihadist movement in sentences like “At this stage, it is difficult to see how and if jihadis will ever be able to rescue their movement from terminal decline and decay.” In other places, he refers to the murder of civilians as “military operations.” In yet others, he makes important assertions that I would have liked to see explored, and simply follows them with “suffice it to say.”

However, understanding the orientation of the enemy is important. It allows you to select actions to constrain the enemy’s responses. The Far Enemy expanded my understanding of Jihadist orientation.

Before digging into one of those arguments, I’ll be clear that I’m not an expert on this, and am restating Gerges’ argument. There is an assertion, put forth by a set of Jihadists in the 50s and 60s, that jihad is not only a collective responsibility, but an individual one. There is also the assertion that anyone witnessing great injustice may call for Jihad, without the full support of the clergy. This is (apparently) at odds with more traditional jurisprudence, which requires the clergy to call for jihad.

Thus when reading Jonathan Rauch’s article “A War on Jihadism,” I was surprised to see this:

“I think defining who the enemy is is a real problem in this war,” says Mary Habeck, a military historian at the Johns Hopkins University School of Advanced International Studies. “If you can’t define who’s a real threat and who’s just exercising free speech, it’s a problem.” As it happens, Habeck is the author of one of three new books that, taken together, suggest the time is right to name the battle. It is a war on jihadism.

If it is actually the case that an individual, such as Osama bin Ladin, or Zawaqari, cannot declare jihad on his own, then that seems part of a reasonable basis on which to decide who is a threat, and who is exercising free speech.

This test is not so bright-line as I would like. What to do with those who claim that jihad is a personal responsibility, that an individual may call for it, and that whatever provocations exist are not enough to justify such a call?

One of the basic precepts of the nation state system, which distinguishes it from predecessor systems, is that the state has a monopoly on violence, and uses that violence in furtherance of policy, not personal, aims.

Such a distinction also fails to address (say) the Iranian death sentence on Salman Rushdie, or their President’s call to wipe Israel off the map. But it seems essential, as part of preserving the nation-state system, to assert that individuals may not invoke armed struggle, and this is an enemy which nation states can rally to fight.

Of course, actually bothering to fight an individual lowers the state to a smaller, less grandiose level, but that seems unavoidable.

[Update: Don’t miss the closely related “Area Islamic Militant All Talk,” at The Onion Radio News.]

Infocard, Demystified

For every product, there are thousands of sentences which result in the reply “well, why didn’t you just say that?” The answer, of course, is that there are thousands, and often it’s not clear which is the right one. For me, the useful sentence is that ‘Infocard is software that packages up identity assertions, gets them signed by an identity authority and sends them off to a relying party in an XML format. The identity authority can be itself, and the XML is SAML, or an extension thereof, and the XML is signed and encrypted.’

Why didn’t you just say that? (Actually, Kim Cameron says just about that in the video linked to in “The Infocards For PHP Tutorial.”)

More seriously, I’m unsure if Infocard is the software, the protocol, or some combination thereof. But I do have a much better understanding of how it works, so I’m glad to have watched the short movie demo.

A couple of thoughts:

  • First, Stefan Brands of Credentica has comprehensively analyzed the privacy issues in this sort of scheme in his book, “Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy.” The essential point to be aware of is that the certifying authority can track every site you visit. Infocard includes a self-signing authority, so you’re aware of every site you visit. If web sites start demanding certificates from other organizations, they have a deep view into your web activities.
  • The demo code relies on Javascript. Is there anything other than the “onClick” that requires it? Javascript dramatically expands the browser’s attack surface, helps phishers confuse users, etc. It would be good for Infocard to work without relying on it.
  • Finally, there’s a card which is greyed out, which Kim helpfully explains is greyed out because it doesn’t include an email address. I’m expecting there’s an easy way for the user to discover this?
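A toy model of the flow described above, added here as an illustration and not Infocard’s or Kim Cameron’s code: an authority signs a claims assertion scoped to one relying party, the relying party verifies it, a managed (third-party) authority ends up with a record of every site visited while a self-issued one does not, and a card is “greyed out” when it cannot supply a claim the site demands. HMAC over JSON stands in for the signed SAML XML, and every name and key is constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class IdentityAuthority:
    """Signs identity assertions for the user.

    A managed authority is a third party; a self-issued one is the user's
    own machine (the post's "the identity authority can be itself")."""
    name: str
    key: bytes
    self_issued: bool = False
    seen: list = field(default_factory=list)  # relying parties this authority learns about

    def issue(self, claims: dict, relying_party: str) -> dict:
        # The assertion is scoped to one relying party, so a managed authority
        # learns which site is visited every time it signs one. A self-issued
        # card leaves no third-party record.
        if not self.self_issued:
            self.seen.append(relying_party)
        body = {"issuer": self.name, "audience": relying_party, "claims": claims}
        payload = json.dumps(body, sort_keys=True).encode()  # canonical form to sign
        return {"body": body, "sig": hmac.new(self.key, payload, hashlib.sha256).hexdigest()}


def verify(token: dict, key: bytes, expected_audience: str) -> bool:
    """Relying-party check: signature intact and assertion meant for this site."""
    payload = json.dumps(token["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"]) and token["body"]["audience"] == expected_audience


def card_usable(card_claims: dict, required: set) -> bool:
    """Why a card is greyed out: it cannot supply every claim the site demands."""
    return required <= set(card_claims)


def demo() -> tuple:
    # Constructed user, keys and site names; the same user visits three sites.
    alice = {"name": "Alice", "email": "alice@example.net"}
    managed = IdentityAuthority("idp.example", b"constructed-idp-key")
    self_card = IdentityAuthority("self", b"constructed-user-key", self_issued=True)
    for rp in ["shop.example", "forum.example", "shop.example"]:
        managed.issue(alice, rp)
        self_card.issue(alice, rp)
    return managed.seen, self_card.seen  # managed authority saw every visit; self-issued saw none
```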

Anyway, I’m glad that Kim produced the video, and if you’ve been like me, watching and not having time to dig in, go watch it.
[Update: Kim has a response, “ADAM ON DEMYSTIFYING INFOCARDS,” that I won’t be able to respond to until tonight or perhaps tomorrow. Since trackbacks are off (spam), I figured I’d link.]

What Would Jesus Compile?

Generally, when I talk about religion, it’s in the Emacs vs. vi sense. One of my RSS bookmarks contained a somewhat thought-provoking article about the similarities between the philosophy advanced by Free Software Foundation, and certain aspects of Catholic doctrine, and ‘Christian charity’ more broadly. It’s an interesting take on Open Source, and perhaps appropriate for Easter.
Of course, this is coming from a guy whose favorite OSes have an Apple and a devil as their logos. :^)

Animal Farm

Animal Farm is a 30-acre family farm in Orwell, Vermont.
We are certified organic for milk, butter, eggs, and hay and pasture.

Some things you just can’t make up, because someone else already has.