Bicycle Power

Bicycle advocates keep coming up with creative ways to show the virtues of two-wheeled transportation. Here’s a nice video from Africa:

As I’ve mentioned before here, here and here the concept is inexpensive, resilient, convenient, efficient…what’s not to like? My only complaint with the video is how little it emphasizes the opportunity for innovation in safety for the riders. I had a similar issue with the South Sudan study of two-wheeled ambulances.

I guess highlighting safety features on two wheels in Africa is about as likely as mentioning seat belts in a video about the uber-functional and fun Fiat Panda. I’ve driven a Panda under water in rivers and up the steepest slippery slopes with no problem. No wonder the police in the Alps are known to use a Panda to chase suspects. Hmm, somehow that sounds wrong… It is a brilliant design that has been proven in Africa, but you just know a video of it wouldn’t highlight the safety features.

Incidentally, speaking of Fiat did you know the new Jeep will be based on the Panda? I never thought I’d see the day when 4×4 products in the U.S. would be designed by Europeans based on a market study of Africa. Then again, I didn’t expect Americans in 4×4 to adopt piercings, tattoos and scarification as beautification. Are bicycles the next rural adaptation in America to follow African trends? Stranger things have already happened.

CVE-2012-3586: Basho Riak API, Security Alert

On June 14th a comment on Github asked Basho about validation in their API:

The riak http api for map reduce doesn’t check if the content-type is application/json. The javascript http api also lets the user execute arbitrary code on the server. These two coupled together allow a malicious web page to execute arbitrary code on a user’s machine if they are running the riak http api. I’m not sure if this is a bug or not, but there should be a warning that if you are running riak http api then you should be very careful about the sites you visit.

About a week later, on June 20th, Basho announced a security alert:

We are releasing both a security patch (for Riak versions 1.0.3 and 1.1.2) and a full 1.1.4 security release. We advise all users of Riak to either apply the appropriate patch or upgrade to 1.1.4. If you are running a version of Riak other than 1.0.3 or 1.1.2, it will be necessary to upgrade to 1.1.4.

[…]

Additional information about the exploit will be released in the next few weeks.
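The flaw described in the comment above is the kind a server-side Content-Type check is meant to stop: a browser will submit a cross-site HTML form with a text/plain, application/x-www-form-urlencoded or multipart/form-data body without asking the target first, but it will not send application/json cross-origin without a CORS preflight. Below is an added example (my own illustration, not Basho’s code and not Riak’s API) contrasting a handler that parses the body no matter what the declared type is with one that refuses anything but JSON. The header names, endpoint name and request bodies are constructed for the illustration.

```python
import json
from typing import Dict, Tuple

# The only media type the hypothetical map/reduce endpoint should accept.
ALLOWED_MEDIA_TYPE = "application/json"


def get_header(headers: Dict[str, str], name: str):
    """HTTP header names are case-insensitive; look the header up that way."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def lenient_handler(headers: Dict[str, str], body: bytes) -> bool:
    """Before: decode the body as JSON regardless of the Content-Type header.

    A cross-site form POST arrives as text/plain with whatever bytes the
    attacker chose, so this handler treats it exactly like a legitimate
    JSON request from a trusted client.
    """
    try:
        json.loads(body.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False


def strict_handler(headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """After: require application/json before the body is even parsed.

    Returns (accepted, reason) so the caller can log the rejection.
    """
    content_type = get_header(headers, "Content-Type")
    if content_type is None:
        return False, "missing Content-Type header"
    if media_type(content_type) != ALLOWED_MEDIA_TYPE:
        return False, "unsupported Content-Type: %s" % content_type
    try:
        json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return False, "body is not valid JSON: %s" % exc
    return True, "ok"


# Constructed sample requests (not real Riak traffic).
# 1. What a hidden <form> on a malicious page can make a browser send.
CROSS_SITE_FORM_POST = {
    "headers": {"Content-Type": "text/plain"},
    "body": b'{"inputs": "some-bucket", "query": []}',
}
# 2. What a legitimate client using the API would send.
LEGITIMATE_CLIENT_POST = {
    "headers": {"content-type": "application/json; charset=utf-8"},
    "body": b'{"inputs": "some-bucket", "query": []}',
}


def compare_handlers() -> Dict[str, Dict[str, bool]]:
    """Run both handlers over the constructed requests and summarise."""
    results = {}
    for name, req in (("cross_site_form", CROSS_SITE_FORM_POST),
                      ("legitimate_client", LEGITIMATE_CLIENT_POST)):
        results[name] = {
            "lenient_accepts": lenient_handler(req["headers"], req["body"]),
            "strict_accepts": strict_handler(req["headers"], req["body"])[0],
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare_handlers().items():
        print(name, outcome)
```

The point of the strict version is not that JSON parsing is unsafe but that the declared media type is the one signal a browser will not let a hostile page forge from a plain form; checking it is cheap and closes the silent cross-site path the comment describes. It is a complement to, not a replacement for, not exposing an API that executes user-supplied code on the loopback interface in the first place.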

Why do Microsoft Researchers Say They are from Microsoft?

A few people have mentioned that my title on the prior post is causing confusion for those trying to find the original report. Here’s a brief summary to help save time, and then a link to the PDF if they really want to read the whole thing.

Summary: Microsoft researchers say they are from Microsoft because people believe they are from Microsoft (known at Microsoft Research as being gullible). Since being gullible means people believe Microsoft researchers actually are from Microsoft, therefore Microsoft researchers say they are from Microsoft.

Not convinced by Microsoft’s logic (PDF link)? You could read our long-standing hypothesis instead.

Why do Nigerian Scammers Say They are from Nigeria?

A few days ago I started a blog post with this:

At the RSA SF Conference in 2010 my mother and I presented a talk called “There’s No Patch for Social Engineering”.

One of the key findings revealed in the talk (also explained in other blog posts and our 2006 paper) is that intelligence is not a reliable defense for social engineering.

The social engineering I was talking about is known as the Advance Fee Fraud or Nigerian 419 Scam. And then I included a quote from the press release:

For seven years, Harriet Ottenheimer, a K-State professor emeritus of anthropology and a Fulbright scholar to the Czech Republic, and her son, Davi Ottenheimer, president of security consultancy flyingpenguin, collected and analyzed Nigerian 419 e-mails for clues that could be used to block these messages. These spam e-mails are called Nigerian 419 messages, or 419 for short. The number “419” refers to an article of the Nigerian Criminal Code concerning fraud.

[…]

Ottenheimer used her linguistic skills to decode the discourse of the scam e-mails and how they work on their victims. Primarily, she said, the victims have been well-educated westerners, such as university professors, doctors, lawyers, financial planners and bankers.

Now I feel like I have to mention it again.

Before, I brought it up in response to a New Yorker story on “new” research that came to conclusions that supported our findings. We showed how and why vulnerabilities form within even very intelligent and well-respected professionals. Then someone else did the same.

We also explained why scammers say they are from Nigeria. With that in mind, a Microsoft Research paper by Cormac Herley has been released called “Why do Nigerian scammers say that they are from Nigeria?”

Unfortunately, it not only ignores our findings but also makes some strange errors in logic.

Who are the most likely targets for a Nigerian scammer? Since the scam is entirely one of manipulation he would like to attack (i.e., enter into correspondence with) only those who are most gullible. They also need, of course, to have money and an absence of any factors that would prevent them from following through all the way to sending money.

Since gullibility is unobservable, the best strategy is to get those who possess this quality to self-identify. An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre. It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. It will be figured out by anyone savvy enough to use a search engine and follow up on the auto-complete suggestions such as shown in Figure 8. It won’t be pursued by anyone who consults sensible family or friends, or who reads any of the advice banks and money transfer agencies make available. Those who remain are the scammers’ ideal targets. They represent a tiny subset of the overall population.

Wrong.

First of all, the victims do not “need, of course, to have money”. They need access to money. Very different: they have borrowed or stolen it rather than had it themselves. In many cases a person trusted with other people’s money secretly gave it away with the hope of returning it after the big windfall. In other cases a person convinces others to pool money.

Second, “factors that would prevent them from following through” is a very vague qualification. We have to assume Herley clarifies this with the next paragraph, which centers on gullibility and verification. It turns out that the victims are not the “most gullible”. They are confident about their ability because they have a track record of being successful. In fact, we have proven that the victims are very savvy with risk and actually not gullible under most people’s definition. A former intelligence agent? A banker? It is by leveraging a specific bias as the attack vector that they lose their normal defenses and do not know how to see “factors that would prevent them from following through”.

That is why Herley’s next point on verification is also wrong. Victims have confidence in their ability to handle the situation despite warnings and advice from friends, family and financial institutions. Unless this threat is explained in the terms of bias, a victim can be unwilling or even unable to process the danger they are facing.

In the end, it seems that Herley’s paper tries to argue a tautology as a premise:

Since his attack has a low density of victims the Nigerian scammer has an overriding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.

That is like saying some fish will bite a worm, therefore by using a worm you can catch some fish.

In other words, some scams based on Nigeria have victims, therefore by using a scam based on Nigeria you can get some victims. File that under “Pardon me but no shit, Sherlock”. Definitely not a satisfactory answer.

The answer we have presented, as confirmed by other “new” research, is that Nigeria, or more generally Africa, triggers a bias reflex in some recipients of the message. The more unfamiliar a topic or tactic, the fewer defenses a victim may have. Their confidence in their ability to handle risk, combined with an unrealistic view of Nigeria, becomes a dangerous shortcut to disaster.

One might jump to the conclusion that general fraud education would be a simple response, but it turns out that the education has to be tailored specifically towards reducing bias to be effective. The people who gamble will continue to gamble, but if you make them less confident then they will not fall for this particular bet. You can’t just call confident, intelligent, successful risk-takers gullible because they fall for AFF.

It’s a particular method of social engineering, if you want to put it in terms of thinking like the attacker. So the paper is correct in some sense: attackers want to find victims at a low cost per target, and a percentage of targets are vulnerable. Those points should have been obvious. However, the paper fails to identify why Nigeria. It therefore also fails to explain why there still are victims and how to prevent the attack.


Updated to add: PDF of our presentation deck