Category Archives: Security

Have You Ever Been Studied for Naming Your Machines?

As a little child I once got a ride to school from a neighbor who had a Subaru 4×4 that could go where school buses were failing (another time our bus was rescued from a ditch by a Korean-war 6×6 but that’s a story for another day).

Her tiny white car slowly crawled in low range over big prairie snow drifts and up the icy dirt hills. She softly patted the dash with her heavily bundled hand and yelled “COME ON BESSIE” above the roar of a little EA82 boxer engine that could.

It has been so many years that I wonder whether she ever put her Bessie down, and whether it was cruel when she did. That’s the kind of question being asked by MIT in a new article asking if pressing an “off” button is equivalent to a machine murder. Maybe that’s the wrong question entirely, since they can be turned on again? Are you god if you can switch a robot on?

Here’s a particularly funny part where a “roboticist” notices that humans in high-risk/controlled environments like to name things and minimize changes.

Julie Carpenter, a roboticist in San Francisco has written about bomb disposal soldiers who form strong attachments to their robots, naming them and even sleeping curled up next to them in their Humvees. “I know soldiers have written to military robot manufacturers requesting they fix and return the same robot because it’s part of their team,” she says.

Should we accept this as some kind of exception as opposed to a norm? Who doesn’t name things or keep them close, even ones we don’t mind turning off?

The General Grant. Naming our automation machines is a long tradition.

Here’s a thought. Sleeping with a machine preserves integrity and reduces cost of trust. Returning the same one helps maintain integrity too, as every machine tends to have particulars.

I’d challenge this roboticist to put such behavior in historic context of soldiers and their machines for the past 100 years. And despite my “Bessie” experience, I’d say we trend more towards machines as extensions of our bodies, and not really companion-like.

Recently I wrote about the Aboriginal soldiers who defeated Ottoman forces in 1917, and how they were ordered to shoot their healthy horses after victory.

In fact the old Japanese theory suggests we are less likely to anthropomorphize robots that appear the most human-like. We might be most comfortable turning them off due to what they called the “uncanny valley”.

Attachment seems to come more from extension of our functional needs, which makes sense especially for bomb disposal risks, and helps explain the reasoning behind shooting victorious horses after battle has ended.

Of all the times I held my named laptop (because of course it has a name) in my arms, even sleeping next to it, nobody ever wrote about this as some kind of attachment. And I’d say they probably didn’t need to.

In fact I’d guess the percentage of security pros who keep their systems close and avoid rotations is near 100% but why call that a study subject?

US Court Rules Passwords are Protected Because Testimonial

There’s a part of a new decision that I keep re-reading, just to make sure I read it right:

As a passcode is necessarily memorized, one cannot reveal a passcode without revealing the contents of one’s mind.

I mean that’s just not true. The old joke about people putting sticky-notes with passcodes on their monitor is because sometimes they are too hard to memorize. The reason NIST backed off complexity requirements and rotations is because passcodes turned out to be too hard to memorize and people were storing them unsafely.

We all recommend password managers and using unique passwords for every site, which is all too hard to memorize. The entire password market doesn’t believe passwords are necessarily memorized.

And then there’s the simple fact that passcode sharing often uses communication channels that rely on storage other than the human mind.

Also, beyond being wrong, that sentence seems unnecessary to the decision. If this case didn’t have a password written down, despite the accused saying he used one 64 characters long, then it is the exception. The fact remains that passcodes very often are stored outside the human mind.

The rest of the decision is not terribly surprising:

…the compelled production of the computer’s password demands the recall of the contents of Appellant’s mind, and the act of production carries with it the implied factual assertions that will be used to incriminate him. Thus, we hold that compelling Appellant to reveal a password to a computer is testimonial in nature.

Fullenkamp: We Use the Past to Better Understand our Present

Trips to relive famous tactical events sound in this podcast like something we could do a lot more of for information security.

…military historian Len Fullenkamp reflects on the importance of immersing oneself in the minds of strategic leaders facing dynamic and complex situations. One tool is the staff ride, an opportunity to walk a battlefield and understand the strategic perspective of the leaders…

I’ve walked countless battlefields and tried to relive the decisions of the time. One of the most unforgettable was a trench line perfectly preserved even to this day on a ridge that held off waves of attacks for several sleepless days.

On another long-gone battle ground I stumbled upon three live bullets that had been abandoned for decades, slowly rusting into the ground atop a lookout. I held them in my hand and stared across the dusty exposed road below for what seemed like hours.

Yet I rarely if ever have seen a similar opportunity in the field of security I practice most today. Has anyone developed a “staff ride” for some of the most notorious disasters in security leadership such as Equifax, Target, Facebook…? That seems useful.

In this podcast the speaker covers the disastrous Pickett’s charge by pro-slaveholder forces in America. After a two-day investment the bumbling General Lee miscalculated and ordered thousands of men to their death in what he afterwards described plainly as “had I known…I would have tried something different”.

Fullenkamp then goes from this into a long exploration of risk management until he describes leadership training on how to make good decisions under pressure:

What is hard is making decisions in the absence of facts.

Who could be the Fullenkamp of information security, taking corporate groups to our battlefields for leadership training?

Also I have to point out Fullenkamp repeats some false history, as he strangely pulls in a tangent about how General Grant felt about alcohol. Such false claims about Grant have been widely discredited, yet it sounds like Fullenkamp is making poor decisions with an absence of facts.

Accusations of alcoholism were a smear and propaganda campaign, as historians today have been trying to explain. For example:

Grant never drank when it might imperil his army. […] Grant, in a letter to his wife, Julia, swore that at Shiloh, he was “sober as a deacon no matter what was said to the contrary.”

We know today what actually happened was a concerted group of white supremacist historians of a defeated pro-slavery war machine began a campaign to posthumously destroy the character of Grant, to undermine his widespread popularity and programs of civil rights.

After Grant’s death, exaggerated stories about his drinking became ingrained in American culture.

First, the truth of the charges against Grant is related to America’s pre-Civil War political and military patronage system (corruption, basically) being unkind to him. He succeeded in spite of them, and he was living proof of someone using the past to better understand the present.

After extensive experience fighting in all major battles of the Mexican-American War he did not take well to being idle and under-utilized. He was introverted and critical of low-performing peers. A superior officer in California used minor charges of alcohol as a means to exercise blunt authority over the brilliant Grant.

Second, it was KKK propaganda campaigns of prohibition that pushed the false idea that Grant’s dispute with his superior was some kind of wild and exaggerated issue relevant to prohibition.

In fact history tells us how pro-slavery Generals literally became so drunk during battles they disappeared and were useless, every single time they fought. The KKK projected those real alcoholic events from pro-slavery leadership onto Grant to obscure their own failed history and try to destroy his name.

Apparently it worked because it’s 2019 and far past time for people to stop repeating shallow KKK propaganda about America’s greatest General and one of the greatest Presidents.

The 5 Computer Vision Classes of a Building After Disaster

The US Department of Defense has issued a challenge for computer vision to correctly classify the state of a building after disasters:

Your model must predict an output PNG image with height and width of 1024 pixels, where each pixel value corresponds to the predicted class at that place in the input image:

0: no building
1: undamaged building
2: building with minor damage
3: building with major damage
4: destroyed building
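As an added illustration, not code from the challenge or from the original post, here is a small Python helper that writes a 1024×1024 class mask in the required 8-bit greyscale PNG form, reads a submission back while rejecting anything off-spec (wrong size, bit depth, or a pixel value outside classes 0–4), and counts pixels per damage class. The chunk layout follows the PNG standard; the sample mask exercised below is constructed.

```python
import struct
import zlib

DAMAGE_CLASSES = {0: "no building", 1: "undamaged building", 2: "building with minor damage",
                  3: "building with major damage", 4: "destroyed building"}  # from the challenge text
SIDE = 1024  # required height and width of the output mask
SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(tag, payload):
    """One PNG chunk: big-endian length, tag, payload, CRC32 over tag+payload."""
    crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)

def encode_mask_png(rows):
    """Write SIDE rows of SIDE class ids as an 8-bit greyscale PNG (filter type 0 per line)."""
    if len(rows) != SIDE or any(len(r) != SIDE for r in rows):
        raise ValueError("mask must be %dx%d" % (SIDE, SIDE))
    raw = bytearray()
    for r in rows:
        if any(v not in DAMAGE_CLASSES for v in r):
            raise ValueError("pixel value outside classes 0-4")
        raw.append(0)  # scanline filter type 0 (None)
        raw.extend(r)
    ihdr = struct.pack(">IIBBBBB", SIDE, SIDE, 8, 0, 0, 0, 0)  # depth 8, colour type 0 = greyscale
    return SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b"")

def decode_mask_png(data):
    """Parse a submission PNG back into rows of class ids, rejecting anything off-spec."""
    if data[:8] != SIG:
        raise ValueError("not a PNG")
    pos, idat = 8, b""
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR" and struct.unpack(">IIBB", payload[:10]) != (SIDE, SIDE, 8, 0):
            raise ValueError("expected %dx%d 8-bit greyscale" % (SIDE, SIDE))
        if tag == b"IDAT":
            idat += payload
        pos += 12 + length  # length + tag + payload + crc
    raw = zlib.decompress(idat)
    if len(raw) != SIDE * (SIDE + 1) or any(raw[y * (SIDE + 1)] for y in range(SIDE)):
        raise ValueError("bad pixel data length or unsupported scanline filter")
    rows = [list(raw[y * (SIDE + 1) + 1:(y + 1) * (SIDE + 1)]) for y in range(SIDE)]
    if any(v not in DAMAGE_CLASSES for r in rows for v in r):
        raise ValueError("pixel value outside classes 0-4")
    return rows

def class_histogram(rows):
    """Pixel count per damage class, keyed by the class name from the challenge."""
    return {name: sum(r.count(cid) for r in rows) for cid, name in DAMAGE_CLASSES.items()}
```

A class histogram like this is also a cheap sanity check on a submission: a mask that is all class 0, or that suddenly flips a whole tile to class 4, stands out before any scoring is done.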

This makes for very interesting games played at the superficial level with paint or loose objects.

For example could computer vision distinguish easily the sort of building under perpetual construction (as often is the case in developing nations) from one that has been damaged? Or in a similar vein, if buildings are maintained poorly in markets that lack readily available materials, what constitutes minor damage?