Behavior-ling

Rafi Ron, former Israeli airports security chief, has some interesting things to say in the latest CSO magazine about the failure of profiling in security. He refers to a better system as behavior pattern recognition (BPR):

My experience at Ben Gurion Airport in Tel Aviv has led me to the conclusion that racial profiling is not effective. The major attacks at Ben Gurion Airport were carried out by Japanese terrorists in 1972 and Germans in the 1980s. [They] did not belong to any expected ethnic group. Richard Reid [known as the shoe bomber] did not fit a racial profile. Professionally as well as legally, I oppose the idea of racial profiling. So we are left with behavior, because behavior is probably the Achilles’ heel of the terrorist.

Excellent insights from someone with extensive experience on the subject. It’s just too bad he didn’t use the term “behavior-ling”. :)

Browser Wars and Statistics

I think it was Groucho Marx who quipped “Statistics are like a bikini. What they reveal is interesting, but what they conceal…that is vital!”

Techweb has posted a news story that Symantec is changing the way they calculate vulnerabilities per year per browser. They have adopted the rather obvious position that they will now count all the publicly known vulnerabilities for a browser, not just the ones published after a delay by a vendor (who might also bunch separate vulnerabilities together into a single confirmation, etc.):

But the new counting methodology, which Friedrichs said was the “more accurate” of the two, combines all vulnerabilities, including those made public but not necessarily confirmed by the vendor.

In that count, IE comes out second-best: In the same six months, Firefox suffered from 17 total vulnerabilities, while IE had 24.

“The vendor- and non-vendor-confirmed numbers are the ones I’d recommend using,” said Friedrichs. “For one thing, it removes the delay that can affect numbers because of long patch times by commercial vendors.”

Symantec, said Friedrichs, won’t make claims that one of the two leading browsers is more secure than the other. “We just stick to the facts,” he said. “But the number of vulnerabilities is legitimate, so we can say that Firefox has fewer vulnerabilities.”
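To make the difference between the two counting methods concrete, here is an added example of my own (not from the Techweb story or Symantec) using a constructed set of vulnerability records; the advisory ids, dates and counts are made up, only the browser names and the two methodologies come from the story.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Vuln:
    browser: str
    disclosed: date                 # date the issue first became public
    vendor_advisory: Optional[str]  # vendor bulletin id, None if never confirmed
    confirmed: Optional[date]       # date the vendor confirmed it, if ever

# Constructed sample records, not real advisories.
SAMPLE = [
    Vuln("IE", date(2006, 1, 10), "VENDOR-A", date(2006, 2, 14)),
    Vuln("IE", date(2006, 1, 12), "VENDOR-A", date(2006, 2, 14)),  # bundled into the same bulletin
    Vuln("IE", date(2006, 3, 1), None, None),                      # public but never confirmed
    Vuln("IE", date(2006, 5, 20), "VENDOR-B", date(2006, 8, 8)),   # confirmed only after the window
    Vuln("Firefox", date(2006, 2, 3), "PROJ-1", date(2006, 2, 5)),
    Vuln("Firefox", date(2006, 4, 18), "PROJ-2", date(2006, 4, 20)),
    Vuln("Firefox", date(2006, 6, 2), None, None),
]

def count_vendor_confirmed(vulns, start, end):
    """Old methodology: one count per vendor advisory confirmed inside the window.
    Bundled issues collapse to a single advisory, and a slow confirmation can push
    an issue out of the window entirely, so the count tracks patch latency as
    much as it tracks the number of flaws."""
    seen = {}
    for v in vulns:
        if v.confirmed is not None and start <= v.confirmed <= end:
            seen.setdefault(v.browser, set()).add(v.vendor_advisory)
    return {browser: len(ids) for browser, ids in seen.items()}

def count_all_public(vulns, start, end):
    """New methodology: every publicly disclosed issue in the window counts once,
    whether or not the vendor has confirmed it."""
    counts = {}
    for v in vulns:
        if start <= v.disclosed <= end:
            counts[v.browser] = counts.get(v.browser, 0) + 1
    return counts

if __name__ == "__main__":
    window = (date(2006, 1, 1), date(2006, 6, 30))
    print("vendor-confirmed:", count_vendor_confirmed(SAMPLE, *window))
    print("all public:      ", count_all_public(SAMPLE, *window))
```

On the constructed data the ranking flips between the two methods, which is exactly why the counting rule has to be stated before any "fewer vulnerabilities" claim means anything.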

Microsoft Fingerprint Reader Exposed

BlackHat had a fairly technical presentation on weaknesses of the Microsoft fingerprint reader, but it boils down to the old problem that someone can potentially capture the fingerprint data and replay it instead of needing a finger.

Techweb has a nice write-up of the different perspectives on the BlackHat presentation.

I have been testing one of the readers myself for some time now and just stopped using it because of a number of inconveniences (ironically it’s billed a “convenience only” device). This news puts the nail in the coffin, at least until a new revision comes out.

16

by Jim Harrison in The Shape of the Journey

    I went to Tucson and it gave
    me a headache. I don’t know how.
    Everyone’s a cousin in this world.
    I drove down a road of enormous houses
    that encompass many toilets. Down hallways,
    leaping left or right, you can crap at will.
    A mile away a dead Mexican child slept
    out in the desert on the wrong side of a mattress.

Jim Harrison is sometimes a satisfying source of insight. He has some clever quips that show he’s trying to avoid resting on the surface of things…

So I was fiddling around with some of the new online home valuation services, like Zillow, and found them disappointingly superficial. Who thinks up these algorithms? Can they be a real reflection of our society? For example, I noticed I could just keep adding bathrooms to increase an estimate of a home’s value. It does not matter how many bedrooms, kitchens, etc. are in the house; configure a single-story 1 bedroom, 5 bathroom house and it is worth far more than a two-story 3 bedroom, 3 bathroom house.

Clearly, the more toilets, the better off you are.