Category Archives: Security

Security

Test Surveillance and Cheating

Leave a comment

The New York Times has posted a story of how schools are implementing technology to try and fight high-tech cheating on tests.

Here is an example of how procedures and controls are put in place to make it difficult for students to cheat on a computer test without detection.

No gum is allowed during an exam: chewing could disguise a student’s speaking into a hands-free cellphone to an accomplice outside.

The 228 computers that students use are recessed into desk tops so that anyone trying to photograph the screen — using, say, a pen with a hidden camera, in order to help a friend who will take the test later — is easy to spot.

Those who run the system boast about its success, strictly from a measure of investigations.

Taylor Ellis, the associate dean who runs the testing center within the business school at Central Florida, the nation’s third-largest campus by enrollment, said that cheating had dropped significantly, to 14 suspected incidents out of 64,000 exams administered during the spring semester.

This all begs a giant question of what is really being accomplished.

Tests are setup in an automated fashion to reduce cost (e.g. standardized and multiple-choice), which naturally makes cheating easier and adds cost right back in — to implement anti-cheating measures.

What if the cost was shifted back? Move it from security controls and into a more dynamic test and instruction model that makes cheating irrelevant. Pay teachers to be more involved, in other words, and hire more of them.

An even more radical question on this issue is whether individualized standardized tests are outdated in a world where technology-based collaboration skills are essential. Solutions will come more from group and crowd approaches instead of sole contributor. Why not let students practice this on tests? Certain exams thus could be setup to allow technology collaboration on tests, an updated version of open-book.

Bruce has posted on his blog today a link to a philosophical review of surveillance in the context of morality. It evaluates the concept of surveillance as a form of guidance using Kantian reasoning. I replied to him in the comments section.

History, Security

SaaS is Dead, Long Live SaaS

2 Comments

The title of this post is based on a monarchial concept of succession. It seems very fitting to the situation I see unfolding in the debate about the future of software as a service (SaaS). The move to outsourcing led to offshoring, which then evolved to cloud and SaaS.

It does not have to be a direct progression, but each end created a new beginning.

Another way of looking at it is this: WordPress, Google and Salesforce recently reported major outages. The reason many companies hoped to put their applications into the hands of those companies was to avoid major outages. So what is new?

With this in mind I read an InfoWorld review of a report by Gartner on how to approach the risk in SaaS. The author asks Is the SaaS experiment finally over?

Gartner advises its clients to perform extensive diligence before signing with any SaaS vendor. That includes not just weighing the costs and benefits of a specific solution, but also developing an in-house SaaS governance policy to help gauge the solution’s real-world performance. Such a policy should be a collaborative effort between business and IT, Gartner says, and it should consider not just the business performance of a given SaaS vendor, but its technical and operational capabilities as well. That means SaaS vendors will need to be transparent enough in their operations to instill customer confidence in their offerings.

That is good advice no matter where your application lives. Moving software outside the company still leaves you with the responsibilities of managing software, and introduces new challenges (instead of eliminating) to control security concerns such as availability.

The answer to the author’s question is therefore yes, the SaaS experiment is finally over and now begins the SaaS experiment.

In other words the SaaS should deliver fair services, but if not then hopefully the next SaaS will be fair, and if not, then hopefully things will progress…long live SaaS. All is not over or lost when there is succession. Things really can change for the better. For example, analysts from Gartner and I will discuss soon how best to put forth a more discrete set of requirements for cloud security. Dragging out my tired analogy of political systems just a little longer, I hope I can help Gartner customers clearly see why they need a Magna Carta of cloud. Remember how that worked out for the monarchies?

Security

The Unconscious Threat

Leave a comment

Social Engineering is generally a practice that involves trying to manipulate conscious behavior. You can act like an authority, for example, by dropping names of importance or displaying something to suggest power and rank.

Act like you are carrying a heavy box and someone may feel like they should open the door for you. An article in Time suggests that this sort of manipulation can also occur at a much deeper level — Unconscious Will Sways Actions, Desires, Say Researchers:

There may be few things more fundamental to human identity than the belief that people are rational individuals whose behavior is determined by conscious choices. But recently psychologists have compiled an impressive body of research that shows how deeply our decisions and behavior are influenced by unconscious thought, and how greatly those thoughts are swayed by stimuli beyond our immediate comprehension.

This reminds me of the post I wrote some time ago on Risk Intuition and Helmets, where I suggested that feedback is a key factor in our decisions about risk. The engine, brakes and suspension give more feedback than a seatbelt or helmet. This says to me that those three things are more likely to be the reason drivers take risks and go at higher speeds, not because of a seatbelt or helmet. Note the findings reported in Time:

…people sitting in hard chairs are more likely to be more rigid in negotiating the sales price of a new car, they tend to judge others as more generous and caring after they hold a warm cup of coffee rather than a cold drink, and they evaluate job candidates as more serious when they review their résumés on a heavy clipboard rather than a light one.

Although it is tempting to think just about how we can modify behavior, the opposite approach is also interesting. How can we detect behavior that has been modified?

Consider the approach by WeCU Technologies, as reported in Fast Company.

1. WeCU’s system of sensors takes baseline measurements of the traveler’s heart rate, body temperature, and breathing rate.

2. The system then subjects the person to subtle stimuli. While WeCU is reluctant, for security reasons, to provide details, one prompt that it uses for demo purposes is a kiosk check-in screen that asks the traveler to “enter name,” but briefly flashes “enter real name.” According to WeCU CEO Ehud Givon, most travelers wouldn’t respond to the different prompts, but someone who is hiding a true identity would.

Eye movements are measured. Blood vessels are measured. It is all based on the idea that a trustworthy behavior baseline will be recorded on its first test and then threats can be detected by a secondary set of tests for unconscious behavior.

Security

Huge Rise in US Air Near Misses

Leave a comment

I can not help but put the following two stories together:

First, USA Today says near misses are on the rise, especially in Washington DC

According to the Post, the Washington-metro area has already had more near misses reported in the past six months than last year’s total of 18. The paper reported that air traffic controllers made 949 errors last year.

That is an amazing statistic. Something is clearly wrong, but not a surprise.

Second, the Washington Post says elected officials are trying to increase the number of passengers allowed to fly into the Washington-metro area from Western states.

A handful of federal lawmakers are seeking to vastly expand the number of long-distance flights at Reagan National Airport, easing long-standing restrictions designed to protect neighboring communities from noise and air pollution.

The report says the total number of flights would not change — shorter routes would be replaced with cross-country ones — but there is no guarantee.

When I put the two stories together I wonder if opponents to change for the DC airports should be rallying around the issue of control gaps and near misses.

The likelihood of major catastrophe from a collision of larger planes flying longer routes might resonate more than residential pollution. It also could help give the ATC issue greater visibility. Controls for air traffic are essential to safety. Strange how much emphasis is placed on things like throwing away toothpaste and taking off shoes when actual ATC errors continue to rise.