The Daily Parker

Politics, Weather, Photography, and the Dog

Two must-see posts

First, Bruce Schneier warns about living in a Code Yellow world:

The psychological term for this is hypervigilance. Hypervigilance in the face of imagined danger causes stress and anxiety. This, in turn, alters how your hippocampus functions, and causes an excess of cortisol in your body. Now cortisol is great in small and infrequent doses, and helps you run away from tigers. But it destroys your brain and body if you marinate in it for extended periods of time.

Most of us...are complete amateurs at knowing the difference between something benign and something that's actually dangerous. Combine this with the rarity of attacks, and you end up with an overwhelming number of false alarms. This is the ultimate problem with programs like "see something, say something." They waste an enormous amount of time and money.

You also need to see these satellite photos.

And I need to do more work.

Computer security like a boss

Via Schneier, a new paper by researchers at Google discusses the differences between how security experts and non-experts treat online security. Not surprisingly, experts have better habits.

When asked about the security practices that most matter to them, experts talked about multi-factor authentication, password safes, and getting the latest software patches, while non-experts worried about anti-virus software and changing passwords frequently:

The most common things-you-do responses from each group varied, with only one practice, using strong passwords, in common within each group’s top 5 responses. While most experts said they install software updates (35%), use unique passwords (25%), use two-factor authentication (20%), use strong passwords (19%), and use a password manager (12%), nonexperts mentioned using antivirus software (42%), using strong passwords (31%), changing passwords frequently (21%), visiting only known websites (21%), and not sharing personal information (17%).

The security practices mentioned by experts are consistent with experts’ rating of different pieces of advice, when we asked them to rank how good these are on a 5-point Likert scale. ...[M]ost experts considered installing OS (65%) and application (55%) updates, using unique (49%) and strong (48%) passwords, using a password manager (48%), and using two-factor authentication (47%) very good advice (the highest Likert-scale rating). Other advice that was not frequently mentioned by experts in the top three things they do, but ranked high in this multiple choice question of the advice they’d consider good, included turning on automatic updates (72%), being suspicious of links (60%), not entering passwords on links in emails (60%), and not opening email attachments from unknown people (55%).

Generally, non-experts favor convenience over security—which is consistent with human behavior in just about every situation in life. Just look at cash, for example: it's demonstrably the least-secure way of transmitting wealth generally available, but people still use it frequently because it's a lot more convenient (and—no small irony—private) than using more-secure methods like credit cards.

The authors suggest that making good security more convenient may be the answer. But until average users get burned enough, they'll still use the same dictionary-word password for OKCupid that they use for their bank's website, just as they'll still hand their credit card to the waiter rather than demanding table-side chip-and-pin readers like Europeans use. Defense in depth? Maybe later.

Today is the longest day of the year

No, really. Today will have 86,401 seconds in it, as opposed to the usual 86,400 seconds that every day for the last 18 years has had.

Because the earth interacts with lots of other gravity sources in the universe—most notably the moon—its rotation sometimes speeds up and sometimes slows down. Over the last 18 years or so, the planet has lost an entire second because of these perturbations, requiring us to update our most accurate clocks to compensate. Of course, when those clocks get updated, there's a trickle-down effect, because so much of what we do in the 21st Century requires really, really accurate timekeeping.

So, this evening in Chicago, the 6pm hour will have 3,601 seconds in it as the master clocks all over the planet add their leap second at 23:59:60 UTC.
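The practical side of an 86,401-second day is that software has to cope with a timestamp of 23:59:60, which most date libraries reject outright. The following is an added example (my code, not from the post or any timekeeping library) showing a small parser that accepts the leap second instead of crashing on it, plus the day-length and local-hour arithmetic the post describes. It assumes a constructed leap-second table containing only 2015-06-30, and that Chicago is on CDT (UTC-5) on that date.

```python
"""Handling a leap second in timestamps (added example, not from the post).

Python's datetime refuses second=60, so a naive log parser fails on the one
timestamp that occurs only once every few years. Assumptions: the leap-second
table is a constructed subset holding only the day the post is about, and
the local offset passed in for Chicago is CDT (UTC-5).
"""
import math
from datetime import datetime, timedelta, timezone

# Constructed table: UTC dates on which a positive leap second (23:59:60) occurs.
LEAP_SECOND_DAYS = {"2015-06-30"}


def seconds_in_utc_day(date_str: str) -> int:
    """Length of a UTC calendar day: 86400 normally, 86401 on a leap-second day."""
    return 86_400 + (1 if date_str in LEAP_SECOND_DAYS else 0)


def parse_utc_timestamp(ts: str):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ', accepting the 23:59:60 leap second.

    Returns (datetime, is_leap_second). Because datetime cannot hold second=60,
    the leap second is represented as the following midnight with the flag set;
    callers that need exact ordering (e.g. sorting log lines) keep the flag.
    """
    date_part, time_part = ts.rstrip("Z").split("T")
    hh, mm, ss = (int(x) for x in time_part.split(":"))
    if ss == 60:
        # Only 23:59:60 UTC on a scheduled leap-second day is a real instant.
        if (hh, mm) != (23, 59) or date_part not in LEAP_SECOND_DAYS:
            raise ValueError(f"second=60 is only valid at 23:59 UTC on a leap-second day: {ts}")
        midnight = datetime.fromisoformat(date_part).replace(tzinfo=timezone.utc)
        return midnight + timedelta(days=1), True
    parsed = datetime.fromisoformat(f"{date_part}T{time_part}").replace(tzinfo=timezone.utc)
    return parsed, False


def seconds_in_local_hour(utc_date_str: str, local_hour: int, utc_offset_hours: int) -> int:
    """Seconds in a local clock hour: 3601 if it contains 23:59:60 UTC, else 3600.

    utc_date_str is the UTC date of the day in question; the leap second sits in
    UTC hour 23, which maps to local hour (23 + offset) mod 24.
    """
    local_leap_hour = (23 + utc_offset_hours) % 24
    extra = 1 if utc_date_str in LEAP_SECOND_DAYS and local_hour == local_leap_hour else 0
    return 3600 + extra


if __name__ == "__main__":
    print(seconds_in_utc_day("2015-06-30"))               # 86401
    print(parse_utc_timestamp("2015-06-30T23:59:60Z"))    # (2015-07-01 00:00:00+00:00, True)
    print(seconds_in_local_hour("2015-06-30", 18, -5))    # 3601: Chicago's 6pm hour
```

The parser deliberately rejects a `:60` anywhere other than 23:59 on a scheduled day, so a malformed or spoofed timestamp in a log line surfaces as an error rather than being silently shifted.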

Enjoy your extra second.

Seven billion dollars for nothing

Security guru Bruce Schneier, writing for CNN, is not surprised that TSA screeners missed 95% of guns in a recent drill:

For those of us who have been watching the TSA, the 95% number wasn't that much of a surprise. The TSA has been failing these sorts of tests since its inception: failures in 2003, a 91% failure rate at Newark Liberty International in 2006, a 75% failure rate at Los Angeles International in 2007, more failures in 2008. And those are just the public test results; I'm sure there are many more similarly damning reports the TSA has kept secret out of embarrassment.

The TSA is failing to defend us against the threat of terrorism. The only reason they've been able to get away with the scam for so long is that there isn't much of a threat of terrorism to defend against.

Even with all these actual and potential failures, there have been no successful terrorist attacks against airplanes since 9/11. If there were lots of terrorists just waiting for us to let our guard down to destroy American planes, we would have seen attacks -- attempted or successful -- after all these years of screening failures. No one has hijacked a plane with a knife or a gun since 9/11. Not a single plane has blown up due to terrorism.

Of course, what American politician would ever vote to reduce security spending? The incentives on the individual representatives are too strongly skewed in favor of an ever-ratcheting security state. This is one of the things that did in Rome.

That said, Italy is a lovely country these days...

User Self-Blame

Microsoft's Scott Hanselman blames us computer professionals for users thinking they don't know computers:

In my recent podcast with UX expert and psychologist Dr. Danielle Smith the topic of "user self-blame" came up. This is that feeling when a person is interacting with a computer and something goes wrong and they blame themselves. I'd encourage you to listen to the show, she was a great guest and brought up a lot of these points.

Self-blame when using technology has gotten so bad that when ANYTHING goes wrong, regular folks just assume it was their fault.

This harkens back to the middle ages when the average person couldn't read. Only the monks cloistered away had this magical ability. What have we done as techies to make regular folks feel so isolated and afraid of all these transformative devices? We MAKE them feel bad.

This on the same day that Jeff Atwood tells us our passwords suck (and he's right):

The easiest way to build a safe password is to make it long. All other things being equal, the law of exponential growth means a longer password is a better password. That's why I was always a fan of passphrases, though they are exceptionally painful to enter via touchscreen in our brave new world of mobile – and that is an increasingly critical flaw. But how short is too short?

...[Y]ou can't really feel safe until the 12 character mark even with a full complement of uppercase, lowercase, numbers, and special characters.

This is also a UX failure, but of a different kind. Until two-factor authentication becomes ubiquitous—and until users start accepting the need for it—passwords are going to be the chink in Smaug's armor.
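To make the "law of exponential growth" and the 12-character mark concrete, here is an added example (my code, not Atwood's or from any password library) that computes the size of the search space a password or passphrase presents, in bits, and the shortest length that reaches a target for a given character pool. It also shows why a dictionary word scores poorly regardless of length, the point made earlier about reusing a dictionary-word password. The character-class sizes are the standard printable-ASCII breakdown; the tiny dictionary and the 78-bit target are constructed for the demonstration.

```python
"""Password search-space estimates (added example, not from the post).

Assumptions: printable ASCII gives 26 lower, 26 upper, 10 digits and 33
symbols (95 total); the wordlist used for the dictionary check is a
constructed sample; MIN_BITS is a constructed policy target chosen so that
12 characters from the full pool just clears it.
"""
import math

CHARSETS = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
MIN_BITS = 78.0  # constructed policy target

# Constructed sample dictionary; a real one would hold hundreds of thousands of words.
SAMPLE_DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "sunshine", "princess", "football"}


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += CHARSETS["lower"]
    if any(c.isupper() for c in password):
        size += CHARSETS["upper"]
    if any(c.isdigit() for c in password):
        size += CHARSETS["digit"]
    if any(not c.isalnum() for c in password):
        size += CHARSETS["special"]
    return size


def search_space_bits(length: int, pool: int) -> float:
    """log2 of the number of candidate strings: linear in length, so the space is exponential."""
    return length * math.log2(pool)


def min_length_for(target_bits: float, pool: int) -> int:
    """Shortest length at which pool**length reaches 2**target_bits."""
    return math.ceil(target_bits / math.log2(pool))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from a wordlist (diceware-style)."""
    return words * math.log2(wordlist_size)


def effective_bits(password: str, dictionary=SAMPLE_DICTIONARY) -> float:
    """Bits a defender should credit: a dictionary word is one guess in len(dictionary),
    no matter what character classes it uses; anything else gets the pool estimate."""
    if password.lower() in dictionary:
        return math.log2(len(dictionary))
    return search_space_bits(len(password), charset_size(password))


def meets_policy(password: str, target_bits: float = MIN_BITS) -> bool:
    return effective_bits(password) >= target_bits


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple", "xK9$mQ2!vL7#"]:
        print(f"{pw!r}: {effective_bits(pw):.1f} bits, meets policy: {meets_policy(pw)}")
    print("12 chars from 95:", round(search_space_bits(12, 95), 1), "bits")   # 78.8
    print("min lowercase-only length for 78 bits:", min_length_for(78, 26))   # 17
    print("6 words from a 7776-word list:", round(passphrase_bits(6, 7776), 1), "bits")  # 77.5
```

The numbers match Atwood's threshold: twelve characters drawn from all four classes give roughly 79 bits, while a lowercase-only password needs 17 characters to reach the same point, and a six-word passphrase from a 7776-word list lands just under it. Note that `charset_size` credits a pool only if the password actually uses it, so adding a single digit to an otherwise lowercase password buys far less than adding four more letters.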

Of course, it doesn't help that users typically don't have accurate conceptual models for things. The number of times I have explained the difference between authentication and authorization (which is a necessary conceptual model for understanding why you should never, ever give your passwords to anyone)

Chase enters the 2000s

Chip-and-PIN cards have ruled Europe for almost 10 years, because (a) they reduce fraud and (b) customers over there are liable for that fraud. In the U.S., where banks are liable, consumers haven't pushed as hard for the security measure, so it's rare. I've had a chipped card for two years now, but even my bank hasn't gone the whole way to requiring PINs for purchases with it.

Chase, however, has had enough, and has decided to issue them to everyone:

Chip cards have significantly cut into fraud globally. For example, in the United Kingdom, card fraud in stores dropped by 75 percent from 2004 — when a large-scale rollout began — to 2012, said Zilvinas Bareisis, a senior analyst for Celent, a consulting firm to the financial services industry.

A December 2014 report by the Payments Security Task Force, whose members include Visa, Bank of America and Riverwoods-based Discover, estimates that 47 percent of U.S. terminals will accept chip cards by the end of 2015.

Chase, which holds almost 25 percent of deposits in the Chicago area, said its rollout here will be followed nationally.

Other banks are slowly introducing chip cards. BMO Harris Bank, which holds 12 percent of deposits in the Chicago area, said it recently began issuing chip debit cards. Any new or replacement debit cards include chips, spokesman Patrick O'Herlihy said.

It's sometimes amusing and sometimes sad that the U.S. lags the rest of the OECD in technology. This one is sad. I'm glad Chase is making this push. We could finally have chip-and-PIN cards in time for Europe to roll out whatever comes next.

Internet memes live forever

NPR takes a look at how the Internet never forgets and what that means to people who find themselves going viral:

Some unwitting meme celebrities embrace their fame. Earlier this year the Washington Post profiled Kyle Craven, more popularly known as "Bad Luck Brian," a meme about a boy with hilariously and often very dark bad luck. Craven, who was always a class clown, capitalized on his fame. The Post reports that between licensing deals and T-shirts, he has made between $15,000 and $20,000 in the past three years.

Others have tried to use their Internet fame as a catapult for an entertainment career. Laina Morris' picture is easily recognizable — the bulging, crazy-looking eyes and loopy smile made her best known as the Overly Attached Girlfriend who makes ridiculous demands and accusations. Morris has tried to create a comedic career out of her online celebrity. She has a YouTube channel where she posts skits, and a Twitter account.

But for others, it's a nightmare. Perhaps one of the most notable cases is Ghyslain Raza, "Star Wars Kid," who in 2003 became one of the first viral memes. This was before YouTube launched, and Raza did not even post the video. He simply taped himself doing Star Wars-style fighting for a school video club. His classmates secretly posted the video online, and it spread like wildfire. By the end of 2006, it had been clicked on more than 900 million times. It has more than 27 million views on YouTube and was parodied on Family Guy, The Colbert Report and South Park.

Oh, poor "Star Wars Kid."

My question is, how long until people adapt and wonder what was this "privacy" thing the old people keep babbling about?

Hello, GCHQ

A joint US-UK operation has obtained the master encryption keys to billions of mobile phones:

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

Oh, goody. Essentially, if you have a phone with a SIM card (in the U.S., that means you have AT&T or T-Mobile), the NSA and Britain's GCHQ can listen in to your conversation in real time. (The article goes into some good technical depth about the exploits and how they did it.)

Of course, they would have to be looking for you in order to do that, but still. This is the kind of revelation that (a) makes me think Edward Snowden may not have been such a bad guy after all, and (b) that because so few people care, the world is a scarier place.

By the way, I'm right now reading The Honourable Schoolboy, having finished Tinker Tailor Soldier Spy in London last weekend. I'm rooting for Smiley and Westerby just the same. But you know, the USSR had 15,000 nuclear bombs pointed at us, and Western spying back then was aimed at the USSR, not at its own citizens.

Take the Orange Line to King's Landing

While we're getting ready to celebrate the birth of Baby X this Xmas, links are once again stacking up in my inbox. Like these:

That might be it for The Daily Parker today.