The Unconscious Threat

Social Engineering is generally a practice that involves trying to manipulate conscious behavior. You can act like an authority, for example, by dropping names of importance or displaying something to suggest power and rank.

Act like you are carrying a heavy box and someone may feel like they should open the door for you. An article in Time suggests that this sort of manipulation can also occur at a much deeper level — Unconscious Will Sways Actions, Desires, Say Researchers:

There may be few things more fundamental to human identity than the belief that people are rational individuals whose behavior is determined by conscious choices. But recently psychologists have compiled an impressive body of research that shows how deeply our decisions and behavior are influenced by unconscious thought, and how greatly those thoughts are swayed by stimuli beyond our immediate comprehension.

This reminds me of the post I wrote some time ago on Risk Intuition and Helmets, where I suggested that feedback is a key factor in our decisions about risk. The engine, brakes and suspension give more feedback than a seatbelt or helmet. This says to me that those three things are more likely to be the reason drivers take risks and go at higher speeds, not because of a seatbelt or helmet. Note the findings reported in Time:

…people sitting in hard chairs are more likely to be more rigid in negotiating the sales price of a new car, they tend to judge others as more generous and caring after they hold a warm cup of coffee rather than a cold drink, and they evaluate job candidates as more serious when they review their résumés on a heavy clipboard rather than a light one.

Although it is tempting to think just about how we can modify behavior, the opposite approach is also interesting. How can we detect behavior that has been modified?

Consider the approach by WeCU Technologies, as reported in Fast Company.

1. WeCU’s system of sensors takes baseline measurements of the traveler’s heart rate, body temperature, and breathing rate.

2. The system then subjects the person to subtle stimuli. While WeCU is reluctant, for security reasons, to provide details, one prompt that it uses for demo purposes is a kiosk check-in screen that asks the traveler to “enter name,” but briefly flashes “enter real name.” According to WeCU CEO Ehud Givon, most travelers wouldn’t respond to the different prompts, but someone who is hiding a true identity would.

Eye movements are measured. Blood vessels are measured. It is all based on the idea that a trustworthy behavior baseline will be recorded on its first test and then threats can be detected by a secondary set of tests for unconscious behavior.

Huge Rise in US Air Near Misses

I cannot help but put the following two stories together:

First, USA Today says near misses are on the rise, especially in Washington DC.

According to the Post, the Washington-metro area has already had more near misses reported in the past six months than last year’s total of 18. The paper reported that air traffic controllers made 949 errors last year.

That is an amazing statistic. Something is clearly wrong, but not a surprise.

Second, the Washington Post says elected officials are trying to increase the number of passengers allowed to fly into the Washington-metro area from Western states.

A handful of federal lawmakers are seeking to vastly expand the number of long-distance flights at Reagan National Airport, easing long-standing restrictions designed to protect neighboring communities from noise and air pollution.

The report says the total number of flights would not change — shorter routes would be replaced with cross-country ones — but there is no guarantee.

When I put the two stories together I wonder if opponents to change for the DC airports should be rallying around the issue of control gaps and near misses.

The likelihood of major catastrophe from a collision of larger planes flying longer routes might resonate more than residential pollution. It also could help give the ATC issue greater visibility. Controls for air traffic are essential to safety. Strange how much emphasis is placed on things like throwing away toothpaste and taking off shoes when actual ATC errors continue to rise.

Cloud Economics and the Telegraph

Computerworld has an interesting review of a British company’s outsource strategy for IT. It has the provocative title of How the Cloud Changed World’s Oldest Newspaper.

It shifts IT from keeping the lights on to delivering customer-facing value. Wright presented a chart showing the changing makeup of IT headcount and how cloud computing supports delivering business value. Over a four year period (2008-2011), IT headcount shifts from 90% “Run the business skills”/10% “Change the business skills” to 20% “Run the business skills”/80% “Change the business skills.”

This sounds good but it’s hard to tell from the review whether there was a proper accounting of cost. Moving the IT headcount to just 20% run the business means the skills are not removed, they are elsewhere (outsourced). Thus it would be more accurate to include the outsourced staff in a total cost of IT estimate, rather than say it’s a straight drop from 90% to 20%.

More to the point, the review is weak on security data and analysis.

[H]e feels that security has improved, in that the cloud providers implement a far higher set of security practices than the Telegraph had in place or could afford to implement.

He “feels” security?

I am not so quick to believe that high security practices are less expensive at a cloud or service provider than in-house. Perhaps it is true for the Telegraph but then where are the 90% to 20% numbers like those given for staff load? Suddenly data is missing when it comes to measuring security.

That is because validation alone becomes significantly more expensive when it has to be done in a cloud. An argument can certainly be made that a giant company will have the resources to spend on doing things the right way, as opposed to a small company focused on another business. The problem with this argument is that companies like BP, Ford, Enron, Worldcom… show that you cannot simply assume that things will be done right. Show us the numbers.

Photo by Harriet Ottenheimer

Spies in the Cloud

The big spy news in America must have put a spell on some people. At least that is how I would like to account for the comment on The Register story:

Maybe these findings were written by an American, for Americans have little to fear. It’s the rest us the world that stands to lose.

The comment centers around the idea that a UK company that hosts in the cloud may have their data end up in the US and that will expose it to the risk of spying.

World+kitten knows damn well that the EU->US bank account data suck has sod all to do with terrorism, and rather more to do with keeping an eye on the competition. It is also public knowledge that various British agencies were involved in snooping on Airbus, with the info gleaned being passed right on to Boeing. The American government is using tactics from spying to bullying to downright theft to prop up its ailing businesses.

Boeing is American. The British spied on Airbus for an American company? I don’t follow the logic but then again this is just a short comment on a story called “The cloud’s impact on security?”. I also don’t follow why the title of the story has a question mark. It could have been “The cloud’s impact on security.”

Anyway, while there is likely to be an international component to the risk of cloud, it really is not at all different for companies like Airbus or Boeing. They already have data moving between nations and handled by third parties and are well aware of the dangers of competition and spies. Take for example that Airbus has a page called “A truly global network” where they boast about their global reach for production and support facilities.