Friday Squid Blogging: Disney's Minigame Squid Wars

It looks like a Nintendo game.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 25, 2015 at 4:30 PM • 86 Comments

Anti-Alien Security

You can wrap your house in tinfoil, but when you start shining bright lights to defend yourself against alien attack, you've gone too far.

In general, society puts limits on what types of security you are allowed to use, especially when that use can affect others. You can't place landmines on your lawn or shoot down drones hovering over your property.

Posted on September 25, 2015 at 2:23 PM • 36 Comments

People Who Need to Pee Are Better at Lying

No, really.

Abstract: The Inhibitory-Spillover-Effect (ISE) on a deception task was investigated. The ISE occurs when performance in one self-control task facilitates performance in another (simultaneously conducted) self-control task. Deceiving requires increased access to inhibitory control. We hypothesized that inducing liars to control urination urgency (physical inhibition) would facilitate control during deceptive interviews (cognitive inhibition). Participants drank small (low-control) or large (high-control) amounts of water. Next, they lied or told the truth to an interviewer. Third-party observers assessed the presence of behavioral cues and made true/lie judgments. In the high-control, but not the low-control condition, liars displayed significantly fewer behavioral cues to deception, more behavioral cues signaling truth, and provided longer and more complex accounts than truth-tellers. Accuracy detecting liars in the high-control condition was significantly impaired; observers revealed bias toward perceiving liars as truth-tellers. The ISE can operate in complex behaviors. Acts of deception can be facilitated by covert manipulations of self-control.

News article.

Posted on September 25, 2015 at 5:54 AM • 52 Comments

Living in a Code Yellow World

In the 1980s, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the "combat mind-set." Here is his summary:

In White you are unprepared and unready to take lethal action. If you are attacked in White you will probably die unless your adversary is totally inept.

In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.

In Orange you have determined upon a specific adversary and are prepared to take action which may result in his death, but you are not in a lethal mode.

In Red you are in a lethal mode and will shoot if circumstances warrant.

Cooper talked about remaining in Code Yellow over time, but he didn't write about its psychological toll. It's significant. Our brains can't be on that alert level constantly. We need downtime. We need to relax. This is why we have friends around whom we can let our guard down and homes where we can close our doors to outsiders. We only want to visit Yellowland occasionally.

Since 9/11, the US has increasingly become Yellowland, a place where we assume danger is imminent. It's damaging to us individually and as a society.

I don't mean to minimize actual danger. Some people really do live in a Code Yellow world, due to the failures of government in their home countries. Even there, we know how hard it is for them to maintain a constant level of alertness in the face of constant danger. Psychologist Abraham Maslow wrote about this, making safety a basic level in his hierarchy of needs. A lack of safety makes people anxious and tense, and the long-term effects are debilitating.

The same effects occur when we believe we're living in an unsafe situation even if we're not. The psychological term for this is hypervigilance. Hypervigilance in the face of imagined danger causes stress and anxiety. This, in turn, alters how your hippocampus functions, and causes an excess of cortisol in your body. Now cortisol is great in small and infrequent doses, and helps you run away from tigers. But it destroys your brain and body if you marinate in it for extended periods of time.

Not only does trying to live in Yellowland harm you physically, it changes how you interact with your environment and it impairs your judgment. You forget what's normal and start seeing the enemy everywhere. Terrorism actually relies on this kind of reaction to succeed.

Here's an example from The Washington Post last year: "I was taking pictures of my daughters. A stranger thought I was exploiting them." A father wrote about his run-in with an off-duty DHS agent, who interpreted an innocent family photoshoot as something nefarious and proceeded to harass and lecture the family. That the parents were white and the daughters Asian added a racist element to the encounter.

At the time, people wrote about this as an example of worst-case thinking, saying that as a DHS agent, "he's paid to suspect the worst at all times and butt in." While, yes, it was a "disturbing reminder of how the mantra of 'see something, say something' has muddied the waters of what constitutes suspicious activity," I think there's a deeper story here. The agent is trying to live his life in Yellowland, and it caused him to see predators where there weren't any.

I call these "movie-plot threats," scenarios that would make great action movies but that are implausible in real life. Yellowland is filled with them.

Last December former DHS director Tom Ridge wrote about the security risks of building an NFL stadium near the Los Angeles Airport. His report is full of movie-plot threats, including terrorists shooting down a plane and crashing it into a stadium. His conclusion, that it is simply too dangerous to build a sports stadium within a few miles of the airport, is absurd. He's been living too long in Yellowland.

That our brains aren't built to live in Yellowland makes sense, because actual attacks are rare. The person walking towards you on the street isn't an attacker. The person doing something unexpected over there isn't a terrorist. Crashing an airplane into a sports stadium is more suitable to a Die Hard movie than real life. And the white man taking pictures of two Asian teenagers on a ferry isn't a sex slaver. (I mean, really?)

Most of us, that DHS agent included, are complete amateurs at knowing the difference between something benign and something that's actually dangerous. Combine this with the rarity of attacks, and you end up with an overwhelming number of false alarms. This is the ultimate problem with programs like "see something, say something." They waste an enormous amount of time and money.

Those of us fortunate enough to live in a Code White society are much better served acting like we do. This is something we need to learn at all levels, from our personal interactions to our national policy. Since the terrorist attacks of 9/11, many of our counterterrorism policies have helped convince people they're not safe, and that they need to be in a constant state of readiness. We need our leaders to lead us out of Yellowland, not to perpetuate it.

This essay previously appeared on Fusion.net.

EDITED TO ADD (9/25): UK student reading book on terrorism is accused of being a terrorist. He was reading the book for a class he was taking. I'll let you guess his ethnicity.

Posted on September 24, 2015 at 11:39 AM • 80 Comments

Bringing Frozen Liquids through Airport Security

Gizmodo reports that UK airport security confiscates frozen liquids:

"He told me that it wasn't allowed so I asked under what grounds, given it is not a liquid. When he said I couldn't take it I asked if he knew that for sure or just assumed. He grabbed his supervisor and the supervisor told me that 'the government does not classify that as a solid'. I decided to leave it at that point. I expect they're probably wrong to take it from me. They'd probably not seen it before, didn't know the rules, and being a bit of an eccentric request, decided to act on the side of caution. They didn't spend the time to look it up."

As it happens, I have a comparable recent experience. Last week, I tried to bring through a small cooler containing, among other things, a bag of ice. I expected to have to dump the ice at the security checkpoint and refill it inside the airport, but the TSA official looked at it and let it through. Turns out that frozen liquids are fine. I confirmed this with TSA officials at two other airports this week.

One of the TSA officials even told me that what he was officially told is that liquid explosives don't freeze.

So there you go. The US policy is more sensible. And anyone landing in the UK from the US will have to go through security before any onward flight, so there's no chance at flouting the UK rules that way.

And while we're on the general subject, I am continually amazed by how lax the liquid rules are here in the US. Yesterday I went through airport security at SFO with an opened 5-ounce bottle of hot sauce in my carry-on. The screener flagged it; it was obvious on the x-ray. Another screener searched my bag, found it and looked at it, and then let me keep it.

And, in general, I never bother taking my liquids out of my suitcase anymore. I don't have to when I am in the PreCheck lane, but no one seems to care in the regular lane either. It is different in the UK.

Posted on September 22, 2015 at 1:22 PM • 56 Comments

SYNful Knock Attack Against Cisco Routers

FireEye is reporting the discovery of persistent malware that compromises Cisco routers:

While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers. The Mandiant team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India.

[...]

The implant uses techniques that make it very difficult to detect. A clandestine modification of the router's firmware image can be utilized to maintain perpetual presence to an environment. However, it mainly surpasses detection because very few, if any, are monitoring these devices for compromise.

I don't know if the attack is related to this attack against Cisco routers discovered in August.

As I wrote then, this is very much the sort of attack you'd expect from a government eavesdropping agency. We know, for example, that the NSA likes to attack routers. If I had to guess, I would guess that this is an NSA exploit. (Note the lack of Five Eyes countries in the target list.)

Posted on September 21, 2015 at 11:45 AM • 23 Comments

History of Hacktivism

Nice article by Dorothy Denning.

Hacktivism emerged in the late 1980s at a time when hacking for fun and profit were becoming noticeable threats. Initially it took the form of computer viruses and worms that spread messages of protest. A good example of early hacktivism is "Worms Against Nuclear Killers (WANK)," a computer worm that anti-nuclear activists in Australia unleashed into the networks of the National Aeronautics and Space Administration and the US Department of Energy in 1989 to protest the launch of a shuttle which carried radioactive plutonium.

By the mid-1990s, denial of service (DoS) attacks had been added to the hacktivist's toolbox, usually taking the form of message or traffic floods. In 1994, journalist Joshua Quittner lost access to his e-mail after thousands of messages slamming "capitalistic pig" corporations swamped his inbox, and a group calling itself "The Zippies" flooded e-mail accounts in the United Kingdom with traffic to protest a bill that would have outlawed outdoor dance festivals. Then in 1995, an international group called Strano Network organized a one-hour "Net'strike" against French government websites to protest nuclear and social policies. At the designated time, participants visited the target websites and hit the "reload" button over and over in an attempt to tie up traffic to the sites.

Her conclusion comes as no surprise:

Hacktivism, including state-sponsored or conducted hacktivism, is likely to become an increasingly common method for voicing dissent and taking direct action against adversaries. It offers an easy and inexpensive means to make a statement and inflict harm without seriously risking prosecution under criminal law or a response under international law. Hacking gives non-state actors an attractive alternative to street protests and state actors an appealing substitute for armed attacks. It has become not only a popular means of activism, but also an instrument of national power that is challenging international relations and international law.

Posted on September 21, 2015 at 6:34 AM • 14 Comments

Friday Squid Blogging: Giant Squid Sculpture at Burning Man

It looks impressive, maybe 20-30 feet long:

"I think this might be the coolest thing I have ever built," said Barry Crawford about his giant, metal squid that was installed at Burning Man.

The sculpture is entirely made of found objects including half of a dropped airplane tank and a metal vegetable strainer. The eyeball opens and closes and the tentacles can be moved by participating viewers.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 18, 2015 at 5:47 PM • 163 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.