Sheep outsmart Britons


The BBC reports that in Yorkshire, crafty sheep conquer cattle grids:

Hungry sheep on the Yorkshire moors have taught themselves to roll 8ft (3m) across hoof-proof metal cattle grids – and raid villagers’ valley gardens.

A National Farmers’ Union spokeswoman in York said: “We have never seen anything like it. We have looked at ways of improving the situation but it is very difficult. The grids are substantial bits of kit.”

If these were Boston sheep, they’d be lucky to be alive after pulling a stunt like that.

Photo: “2005 05 Northumberland 019” by Marjia.

SmartHippo Launches

Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan.

So how do banks make money? It’s ‘easy.’ They sell you a loan at a higher rate than they’d be willing to settle for. A mortgage is a big, unpleasant, complex process that includes some stranger pawing through your financial life. Making a bad choice is worrisome. Most people apparently get very few quotes, and are told that their rate depends on their credit score.

There’s a strong imbalance in the information that each side has, and my friends at SmartHippo have just launched a site to help correct that imbalance.

If you’re getting a mortgage, or just want to compare, check these folks out. I really like what they’re doing and where they’re going.

What would it be like if buying lemonade was as complicated as shopping for mortgage rates? See what happens when little Jenna opens a lemonade stand and tries to maximize profit at the expense of her customers.

Making a Positive Impression With The Business

Larry Hughes has a great post over on Riskbloggers with tips on how to demonstrate that security is invested in the success of the business. There’s some really good stuff here. Especially these two:

Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into the corporate net from anywhere in the world with their own laptops? Of course you’d like to help them explore how they can meet their objectives in a way that’s neutral to the business’ security posture.

I can’t agree with this one more. The only thing I’ve seen that gets more traction and people playing nice with us is a major security event. All saying no does is to make things more confrontational and put everyone in a resistant mood. So you want to avoid that, unless of course you like being called “Dr. No”. By saying “How can I help?”, you are putting yourself in a position where you are making things happen, not being a roadblock.

Learn when to say “That’s good enough for now.” Scratching and clawing for every inch of ground this time, because you know how hard it’ll be next time, only leaves you with bloody fingernails. Nobody wants to buy things from people with bloody fingernails.

As Ken van Wyk and Mark Graff remind us in Secure Coding, it’s not about being secure. It’s about being secure enough. It’s never going to be perfect, so the question is whether there is enough protection from threats for the foreseeable future.
This is similar to how we need to understand how businesses work. But we also need to understand how people work and learn how to interact with them better. As usual, the people are indeed the weakest link, but in this case, it is us.

Bayesian battlefield

According to court papers referenced in this VOA report, U.S. sniper teams in Iraq are using an interesting tactic:

[A] so-called baiting program developed at the Pentagon by the Asymmetrical Warfare Group….the baiting was described as putting items, including plastic explosives, ammunition and detonation cords on the battlefield then killing suspected insurgents who picked up the objects.

These claims are being made by men accused of murder, so bear that in mind. If true, however, this technique would seem very likely to suffer from a large number of false positives. Assuming the process was designed by someone intelligent, that either means they do not care about false positives, or that (contrary to my prior belief as asserted above) the likelihood of a curious true bad guy happening by is so large that the false positive rate is tolerably low. Scary either way, I’d say.

Once more into the Ameritrade Breach

Last week, I wrote:

It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release.

On further reading, both from readers commenting on that article, and things like Network World, “Ameritrade customers vent about data breach:”

The Ameritrade spokeswoman says the company believes no Social Security numbers have been taken because the only known illicit activity traceable to the breaches is spam, not identity theft.

Well, with a little more skepticism, words like “known” and “traceable” start to sound a lot less forthright. So perhaps my initial comment, that they’re shaping the news, was entirely on target, but in the wrong context.

There’s also this, from Information Week:

An attorney launching a class-action lawsuit against TD Ameritrade Holding alleges the online brokerage knew a hacker had access to a customer database as far back as a year ago.

As Rich Mogull says:

This is all Crisis Communications 101: as history has shown, the best way to defend your reputations in a major incident is to admit the failing, spare nothing to protect your customers, and act as openly and honestly as possible. Otherwise we wouldn’t have seen a bottle of Tylenol on a store shelf since the 1980’s.

It’s too bad Ameritrade won’t be the first company to really come clean in a major breach. Which means there’s still an opportunity for the CEO of another firm to get ahead of the problem and be remembered for their vision.

You’ll read about whoever it is here.

MIT, Logan, the Chilling Effect and Emergent Chaos

If you’re not hidden under a rock, you know about the latest bomb scare in Boston. Some MIT kid forgot that Boston cops think anything with an LED on it is a bomb.


A lot of people are saying she got what she deserved, or that she’s lucky to be alive. These people probably think that Jean Charles de Menezes should have worn different clothing before getting on the London Metro, and that Andrew Meyer should have never asked a question of John Kerry.

I think this is a tremendously dangerous trend for society, and not just the creative or strange types. Should we give police such broad license to use force that everyone needs to consider, first and foremost, if their actions, their legal actions, might freak out a policeman?

If we do so, there are substantial costs. They’re not visible. A few moments of time every day, considering how the police feel about you. A little less bizarre or risqué public art. A little less creativity and verve in life, as we all ask “what if a cop shoots me?”

What would have happened to the first people designing and testing cell phones, if homemade electronics with a battery had been cause for concern? How would we test keyless car entry systems, if a police officer had shot people walking up to cars without unlocking them? Even Dave Maynor would be in trouble. Just look at his art:


When I was a kid, Radio Shack sold breadboards (like the one the student was wearing.) Tinkering with electronics was a key part of what launched the Homebrew computer club. Tinkering with dangerous chemicals was an important part of the development of modern photography.

Do we want everyone who tinkers, invents, hacks or makes projects to have to worry that cops with submachine guns are going to show up and ask agitated questions? Are those filters good for society?

Here at Emergent Chaos, we’re fans of, well, emergent chaos that happens when those filters go away.

Photos: Lisa Poole, AP, and Dave Maynor, Errata, respectively.

[Update: Chris Soghoian makes the useful point that lots of bombs have no visible wires at all, being hidden inside other things. And while protecting against dumb terrorists is useful, it’s not worth giving up our ability to tinker, build or innovate.]

How unladylike

Like most EC readers, I have been following the story of the MIT student with the breadboard and Duracell fashion accessory who nearly got ventilated at Logan airport in the most LED-hostile city in the US, Boston.
The Associated Press was quick to repeat the claim that the student was wearing a “fake bomb”, when this is at best a very debatable point. Well, now they’ve outdone themselves with the latest headline on this story:

MIT Coed With Fake Bomb ‘Art’ Arrested

This is the greatest example of linguistic economy I have seen this year. It bundles three horrendously poor word choices into a seven-word sentence. The Bulwer-Lytton people need to make a special award.
1. We do not know that this was a “fake bomb”. That depends on the intent of the student, who says it was just art. Who the heck are the Associated Press to draw conclusions so early in the story?
2. “Art” or art? The AP “editors” need to read up on the different uses of quotation marks.
3. “Coed”? The appropriate term is “student”. I literally cannot find the words to express how….erm…’quaint’ this word choice is. I hope the AP editors are sitting down when they learn that the woman in question was not in a home economics, English literature, or library studies program.
I have no idea what the motives (if any) this person had for her choice of attire. She may be a publicity-seeking ninny, some kind of art activist, an EE geek with poor situational awareness, or — like Miss Teen South Carolina or whatever — somebody who let off a rather noticeable brain fart which got caught in Panopticon 2.0. She could also be none of the above. One thing for sure is that the Associated Press isn’t helping us arrive at the truth by using loaded terms (no pun intended) and taking us on a painful trip down memory lane.

TSA knows what you read


Privacy advocates obtained database records showing that the government routinely records the race of people pulled aside for extra screening as they enter the country, along with cursory answers given to U.S. border inspectors about their purpose in traveling. In one case, the records note Electronic Frontier Foundation co-founder John Gilmore’s choice of reading material, and worry over the number of small flashlights he’d packed for the trip.

The breadth of the information obtained by the Gilmore-funded Identity Project (using a Privacy Act request) shows the government’s screening program at the border is actually a “surveillance dragnet,” according to the group’s spokesman Bill Scannell.

“There is so much sensitive information in the documents that it is clear that Homeland Security is not playing straight with the American people,” Scannell said. (Wired News, “U.S. Airport Screeners Are Watching What You Read.”)

In related lying news, last week it came out that Director of National Intelligence McConnell lied to the Senate about wiretaps.

If this was a political blog, we’d analyze the trend. Since we’re all about information security, and pirates, I’ll just say that in an environment where the security measures are unclear and scary, you can expect users to behave in strange ways.

Free, as in milk

What the hell are the idiots at Facebook thinking?
If there’s anything stupider than banning a woman from breastfeeding in public, it is banning a picture of a woman breastfeeding on the grounds that it is “obscene”, which is what the morons at Facebook have done, as reported (for example) by the Toronto Star.
Attention Facebook idiots:
“Obscene” is a legal term. If your lawyers tell you that something like this is obscene, you need lawyers who didn’t go to the Springfield Upstairs School of Law. It sure as hell looks like it has redeeming social value to me.
Much is being made about the hypocrisy of Facebook allowing umpteen pro-anorexia groups, when anorexia is itself demonstrably damaging to women and when such web content (according to recently-published research) is as well. I think this is a foolish argument.
Facebook’s position isn’t wrong because it does more harm than good, or because it is inconsistent. It is bad because being able to advocate controversial things is an essential element of freedom.

Those scurvy dogs!


The scurvy dogs at TD Ameritrade may have tricked us!

Well, maybe. The comments on “Analyzing the TD Ameritrade Disclosure” and articles like “Lawsuit Raises Questions on TD Ameritrade Breach” and “Ameritrade Customers’ contact information hacked” have been demanding a re-think of what I want to think on the subject. But less importantly, today is International Talk Like a Pirate Day! We at Emergent Chaos love pirates far more than we love ninjas. No one has any fun on talk like a ninja day.

We celebrated in 2005 by reminding you that more pirates, less global warming.

We stand by that a lot more than we stand by me Ameritrade post. If there be any justice, I’d be scraping the bottom o’ barnacles. But there’s no justice this side of the Atlantic, thanks be.

Image plundered from amphion27.

Motley Fool on SAIC

Case in point: SAIC confessed in July that “information … stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases … transmitted over the Internet in an unencrypted form … was placed at risk for potential compromise.” In the context of other firms having actual knowledge of miscreants accessing their data, and in some cases using it in actual identity theft schemes, SAIC’s warning of “risk for potential compromise” sounds pretty tame. Still, the company has hired Marsh & McLennan (NYSE: MMC) subsidiary Kroll to help patch its security, and it would take at least $7 million to $9 million in charges in its second fiscal quarter to fix the breach.

What management does:
That won’t do any good for the trend of declining gross, operating, and net margins at SAIC. But to put things in perspective, the midpoint of the range SAIC posited, $8 million, represents just one-tenth of one percent of the firm’s cost of goods sold over the last 12 months. For a company this big, the financial cost of the breach isn’t a tragedy, folks. It’s a rounding error. (Motley Fool, “Foolish Forecast: SAIC’s Chance to Shine”)

I’ve been predicting this sort of response from the market for a long time. It’s nice to see it arrive at a respected consumer-oriented site.


Adam mentioned the recently-announced Ameritrade incident. One thing I found interesting is their decision to hire ID Analytics to determine whether ID theft follows this data breach.
According to an ID Analytics press release, the US Veterans’ Administration did something similar when several million veterans’ information was revealed. At a cost of $25,000 in the VA case, this sort of approach would almost certainly be much less costly than services like Equifax’s CreditWatch, which are often offered to those whose information has been revealed by a breach.
I think what we’re seeing here is the leading edge of a trend. Firms are applying (what they think is a) risk-based approach to determining what level of post-breach response they provide (if any) to individuals whose information is involved. This is similar to the risk-based notification triggers which some think wise. I would look for more of this: as firms become more knowledgeable about their options, they will become more discriminating in their responses.