Vincent Gable’s Blog

April 27, 2009

Don’t Trust TIME

Filed under: Announcement, Security
― Vincent Gable on April 27, 2009

Technical problems can be remediated. A dishonest corporate culture is much harder to fix.

Bruce Schneier

UPDATE 2009-06-12: See also, The Top 10 Most Absurd Time Covers of The Past 40 Years.

BREAKING NEWS 2010-08-26: The Onion: TIME Magazine Announces New Version of Magazine for Adults.

Recently The 2009 TIME 100 Finalists online-poll was manipulated with hither-to unheard of sophistication. Not only did hackers vote their choice into the #1 spot, but they stuffed the ballot so that the runners up spelled out a message!


Jeff Atwood called TIME’s web developers clowns, but that seems too harsh to me, since online polls are so inherently untrustworthy that spending resources trying to secure them is almost always a waste. Even if all the technical problems could be solved, the results still wouldn’t be meaningful, because they wouldn’t be a census or a random sampling. An online poll is a way to engage readers, and let them do more than passively consume. TIME’s poll succeeded there, even if it was gamed. (Arguably it was more engaging because it was gamed).

But today, April 27th, TIME’s writers disingenuously denied the hack:

TIME.com’s technical team did detect and extinguish several attempts to hack the vote.

When I first heard news of the attacks, it was already a week old, and TIME’s whitewashing came two weeks after the results of the hack were published. Portraying the hack as an “attempt” that was “extinguished” is just blatantly wrong.

I’m a big believer in Hanlon’s razor: “never attribute to malice that which can be adequately explained by stupidity.” But it’s very hard to give TIME’s staff the benefit of the doubt here, since by their own admission they were aware of the hack, and the poll results were “surprising”. It takes a staggering amount of stupidity not to connect the dots, or be aware of what was being written about you for weeks.

Consequently, TIME has lost my trust. If their denial was written in stupidity, it shows an unforgivably incompetent journalistic ethic. If it was a deliberate whitewashing of the poll results, then it’s an even more egregious failure. Also, what kind of an article announcing the winner of a poll only has pictures of people who are not the winner? (Hint: something by the hacks at TIME)

February 19, 2009

Security vs? Usability

Filed under: Design, Programming, Quotes, Security, Usability
― Vincent Gable on February 19, 2009

In most cases, how an authentication system works when a legitimate user tries to log on is much more important than how it works when an impostor tries to log on. No security system is perfect, and there is some level of fraud associated with any (authentication method). But the instances of fraud are rare compared to the number of times someone tries to log on legitimately.

Bruce Schneier on balancing security and usability

I like thinking about security. But, in spite of all the dramatic headlines, I believe bad usability causes far more damage than bad security.

A more usable system should make recovering from a security breach easier. It’s easier to make things right when it’s easier to make things.

Usability limits what people can do with something. Is it just coincidence, or does that sound like a partial definition of security?

January 24, 2009

Schneier on Security for Designers

Filed under: Accessibility, Announcement, Design, Security
― Vincent Gable on January 24, 2009

I highly recommend Bruce Schneier’s blog. Security involves thinking about how things can go wrong, and that’s an excellent skill for any designer to have. Psychologically, people are biased to remember catastrophically bad experiences, and can develop an adversarial relationship to something from just one bad experience, if it’s unpleasant enough. Minimizing unpleasantness can be more important than optimizing goodness when trying to cultivate a good relationship with users.

January 23, 2009

New Police Computer System Impeding Arrests

Filed under: Security, Usability
― Vincent Gable on January 23, 2009

In Queensland, Australia, policemen are arresting fewer people because their new data-entry system is too annoying:

He said police were growing reluctant to make arrests following the latest phased roll-out of QPRIME, or Queensland Police Records Information Management Exchange.

“They are reluctant to make arrests and they’re showing a lot more discretion in the arrests they make because QPRIME is so convoluted to navigate,” Mr Leavers said. He said minor street offences, some traffic offences and minor property matters were going unchallenged, but not serious offences.

However, Mr Leavers said there had been occasions where offenders were released rather than kept in custody because of the length of time it now took to prepare court summaries.

“There was an occasion where two people were arrested on multiple charges. It took six detectives more than six hours to enter the details into QPRIME,” he said. “It would have taken even longer to do the summary to go to court the next morning, so basically the suspects were released on bail, rather than kept in custody.”

He said jobs could now take up to seven hours to process because of the amount of data entry involved.

(Via Schneier on Security.)

January 20, 2009

Control Screen Saver Security With Automator

Filed under: Announcement, Security
― Vincent Gable on January 20, 2009

Set Screen Saver Security sets the time until the screen saver activates, and whether a password is required to unlock the screen saver.


Every company I’ve worked for that had an office also had a rule that any computer in the office had to be password-protected with a screensaver that kicked in pretty quickly. But at home it’s annoying to have to unlock your own laptop when you get up to make a sandwich.

If you use the same computer at home and in the office, IMLocation can use this action to lock down your computer at work, but leave it easy-to-use at home.

I recommend trying IMLocation (which includes the Set Screen Saver Security action) for best results.

January 14, 2009

People Do NOT Want to Register

Filed under: Design, Security, Usability
― Vincent Gable on January 14, 2009

Jared M. Spool writes about how removing compulsory registration from a website translated into a $300,000,000 increase in sales. (Via UI and us). The intentions behind the registration were good: make things easier for repeat customers by remembering their information. This would reward the most loyal customers, and for first-time customers registration would only be a small one-time step. But in practice, the registration was universally hated.

We were wrong about the first-time shoppers. They did mind registering. They resented having to register when they encountered the page. As one shopper told us, “I’m not here to enter into a relationship. I just want to buy something.”

…Without even knowing what was involved in registration, all the users that clicked on the button did so with a sense of despair. Many vocalized how the retailer only wanted their information to pester them with marketing messages they didn’t want. Some imagined other nefarious purposes of the obvious attempt to invade privacy. (In reality, the site asked nothing during registration that it didn’t need to complete the purchase: name, shipping address, billing address, and payment information.)

Repeat customers weren’t any happier. Except for a very few who remembered their login information, most stumbled on the form. They couldn’t remember the email address or password they used. Remembering which email address they registered with was problematic – many had multiple email addresses or had changed them over the years.

When a shopper couldn’t remember the email address and password, they’d attempt to guess what it could be multiple times. These guesses rarely succeeded. Some would eventually ask the site to send the password to their email address, which is a problem if you can’t remember which email address you initially registered with.

(Later, we did an analysis of the retailer’s database, only to discover 45% of all customers had multiple registrations in the system, some as many as 10. We also analyzed how many people requested passwords, to find out it reached about 160,000 per day. 75% of these people never tried to complete the purchase once requested.)

The form, intended to make shopping easier … just prevented sales – a lot of sales.

The $300,000,000 Fix

The designers fixed the problem simply. They took away the Register button. In its place, they put a Continue button with a simple message: “You do not need to create an account to make purchases on our site. Simply click Continue to proceed to checkout. To make your future purchases even faster, you can create an account during checkout.”

The results: The number of customers purchasing went up by 45%. The extra purchases resulted in an extra $15 million the first month. For the first year, the site saw an additional $300,000,000.

Personally, I am in complete sympathy with the test’s participants. I don’t want to have to register to do something. In fact, I’ve re-registered for ADC a few times, because I lost my login information. (I really wish I could reclaim my first ADC membership from high school, now tied to a defunct AOL address, because the member # is one digit shorter!)

Security Implications

Unfortunately, people have good reason to be wary of registration — it puts their credit card information at risk. And we’ve all been burned by spam and junk-mail from someone who abused registration information.

The Future is Here

Modern web browsers all have some kind of auto-fill that can remember and enter shipping/billing information. This technology obsoletes the benefits of registration in the story.

There’s more that could be done to be smarter about registration. For example, not exposing it in any way unless a person has made several orders.

Of course, the smartest thing is to avoid registration, because your users hate it. Services like BugMeNot prove this.

January 9, 2009

Biometrics

Filed under: Design, Quotes, Research, Security
― Vincent Gable on January 9, 2009

Summary of an article by Bruce Schneier for The Guardian:

Biometrics can vastly improve security, especially when paired with another form of authentication such as passwords. But it’s important to understand their limitations as well as their strengths. On the strength side, biometrics are hard to forge. It’s hard to affix a fake fingerprint to your finger or make your retina look like someone else’s. Some people can mimic voices, and make-up artists can change people’s faces, but these are specialized skills.

On the other hand, biometrics are easy to steal. You leave your fingerprints everywhere you touch, your retinal scan everywhere you look. Regularly, hackers have copied the prints of officials from objects they’ve touched, and posted them on the Internet. …

Biometrics are unique identifiers, but they’re not secrets.

biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there’s a guard with a large gun making sure no one is trying to fool the system.

One more problem with biometrics: they don’t fail well. Passwords can be changed, but if someone copies your thumbprint, you’re out of luck: you can’t update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you’re stuck. The failures don’t have to be this spectacular: a voice print reader might not recognize someone with a sore throat…

In Why Identity and Authentication Must Remain Distinct, Steve Riley cautions,

Proper biometrics are identity only and will be accompanied, like all good identifiers, by a secret of some kind — a PIN, a private key on a smart card, or, yes, even a password.

December 31, 2008

Ellison’s Law

Filed under: Quotes, Security, Usability
― Vincent Gable on December 31, 2008

Carl Ellison (a cryptographer at Intel, a great guy) formulated what I call Ellison’s Law, which states that the userbase for strong cryptography declines by half with every additional keystroke or mouseclick required to make it work. Think about that when you’re designing tools.

–Cult of the Dead Cow

November 3, 2008

Voting Done Right: Wait For It

Filed under: Design, Security, Usability
― Vincent Gable on November 3, 2008

Everyone wants to know the results of an election as soon as possible, including me. I will be spending tomorrow evening with friends, watching election results on live TV. I’ll be unhappy if a battle-ground state is slow to report, and I expect to know who the next president will be before I go to bed. But quick reporting of election results is in no way necessary, and in fact undermines our electoral system. We should put trustworthiness ahead of entertainment, and count votes deliberately.

According to the project triangle, you can do something quickly, you can do something cheaply, and you can do something well, but you can only do two out of three.

I propose that official tallies should not be released for 72 hours after polls close, by law. This gives us time to do voting right, and affordably.

A Hard Problem

Engineering a good voting system is a much harder problem than most people realize.

The system must be resistant to fraud by voters, and election officials, and the politicians on the ballot.

Voters must vote only once. But nobody can tie a particular vote to someone (that would allow voter intimidation and buying). But their vote must still be counted for the right candidate.

Tallies must be auditable (in case of a dispute a third party can re-count the votes). The whole system must be perceived as trustworthy and transparent by everyone.

Oh, and it has to scale to use by hundreds of millions of people on election day.

And all of this has to be built, and maintained, with very limited public funds.

This is a very hard problem already. Adding the extra requirement, “and final results must be ready two hours after polls close (so results can make prime-time TV)” would, in my opinion, make it an impossibly hard problem. Unfortunately, that is the direction we are moving.

No Need to Rush

Our electoral system was designed in an era when, cliché as it sounds, the Pony Express was the fastest way to communicate intra-nationally. Officials do not take office for several weeks after they have been voted in. Delaying the certification of a successor until Friday would not incapacitate government. It’s always clear who the current officials are until new ones take office.

Of course, today we live in a faster, more connected, world. It could be argued that this means we have a modern need for instant results. Fortunately, this does not appear to be the case. The fallout of the Bush v Gore election in 2000 proved that society and government can function just fine for several weeks without knowing who won an election.

The Fear

Confidence in modern voting machines is rightly low. For the first time in nearly three decades, there will be a decline in the number of people casting their ballots electronically. Nobody (lobbyists aside) seems to really think that these voting machines are working out for us, except that they do give “tallies” faster.

Personally, I am terrified of an all-electronic election. The reason is simple: it can’t be audited. Digital forensics just aren’t real enough. If someone stuffs a ballot box, they leave a trail of clues, down to the chemical composition of the paper. But there’s no record when bits are flipped to a crooked candidate. Any digital footprint can be faked. “Recounting” an electronic election would be pointless — asking the same program to run the same calculation, with the same data.

Of course, there are exotic solutions. It might be possible to develop a digital storage media that can only be written to once, and would record forensic information, like the time of each write. Unfortunately, none of these ideas sound remotely cost-effective. Which leaves….

Good old physical paper ballots. Slow, but sure, they are a proven technology that has earned our trust.

… then the Opposite of Progress is…

So why not simply mandate that paper ballots must be used for an election? Personally, I think that would give us a better election system than we have today. And it’s probably got a much better chance of happening than my idea of sitting on election results for three days.

But I don’t think it’s the best long-term solution. Historically, laws just don’t keep up with technology. And we have every indication that the pace of technological change is increasing. A little over seventy years ago, the Social Security Number was born. Today, we are stuck with them. I’m not convinced that paper will be the best medium for recording votes in 70 years.

Rather than dictating anachronistic implementations, it seems better to codify the right trade-offs to make when designing a voting system. Then we can organically reap the benefits of advances in voting technology, as we have historically.

The real problem is that we, as a voting public, are favoring quick results over reliable ones. This is a social problem, it is not a technological problem. It is best to directly address the social expectations, not the technological details.

But honestly… it will never happen. We like our prime-time TV and instant gratification too much. Withholding election results, even temporarily, feels too dictatorial. We can expect to get our votes counted faster every year. I just hope it’s not at the expense of counting them correctly.

October 26, 2008

Early Voting Machines

Filed under: Security, Usability
― Vincent Gable on October 26, 2008

A fascinating article from 1936 on voting machines. They are not some new invention:

Inventors of the voting machine undertook to eliminate (improperly marked ballots). First man to give the problem attention appears to have been Jan Josef Baranowski in Paris, France, in 1849. He suggested that adding machine principles be applied to voting and that a closet be provided in which the voter could make his choice by turning handles or pushing buttons opposite the names of candidates. De Brettes in that year and Werner von Siemens in 1859 in Germany constructed primitive legislative voting machines, operated mechanically to cast either white or black balls. Thomas Edison patented a crude machine in 1869. At about the same time, Vassie, Chamberlain, Sydserff and Davy produced devices in England.

The exuberant article really puts the utter failure that is modern “electronic voting machines” in stark perspective. As security guru Bruce Schneier points out, “Complexity is the worst enemy of security; as systems become more complex, they get less secure.”
