Entries Tagged "schools"


Teaching Viruses and Worms

Over two years ago, George Ledin wrote an essay in Communications of the ACM, where he advocated teaching worms and viruses to computer science majors:

Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own. Programming is to computer science what field training is to police work and clinical experience is to surgery. Reading a book is not enough. Why does industry hire convicted hackers as security consultants? Because we have failed to educate our majors.

This spring semester, he taught the course at Sonoma State University. It got a lot of press coverage.

No one wrote a virus for a class project. No new malware got into the wild. No new breed of supervillain graduated.

Teaching this stuff is just plain smart.

Posted on June 12, 2007 at 2:30 PM

Rare Risk and Overreactions

Everyone had a reaction to the horrific events of the Virginia Tech shootings. Some of those reactions were rational. Others were not.

A high school student was suspended for customizing a first-person shooter game with a map of his school. A contractor was fired from his government job for talking about a gun, and then visited by the police when he created a comic about the incident. A dean at Yale banned realistic stage weapons from the university theaters—a policy that was reversed within a day. And some teachers terrorized a sixth-grade class by staging a fake gunman attack, without telling them that it was a drill.

These things all happened, even though shootings like this are incredibly rare; even though, for all the press, less than one percent of homicides and suicides of children ages 5 to 19 occur in schools. In fact, these overreactions occurred, not despite these facts, but because of them.

The Virginia Tech massacre is precisely the sort of event we humans tend to overreact to. Our brains aren’t very good at probability and risk analysis, especially when it comes to rare occurrences. We tend to exaggerate spectacular, strange and rare events, and downplay ordinary, familiar and common ones. There’s a lot of research in the psychological community about how the brain responds to risk—some of it I have already written about—but the gist is this: Our brains are much better at processing the simple risks we’ve had to deal with throughout most of our species’ existence, and much poorer at evaluating the complex risks society forces us to face today.

Novelty plus dread equals overreaction.

We can see the effects of this all the time. We fear being murdered, kidnapped, raped and assaulted by strangers, when it’s far more likely that the perpetrator of such offenses is a relative or a friend. We worry about airplane crashes and rampaging shooters instead of automobile crashes and domestic violence—both far more common.

In the United States, dogs, snakes, bees and pigs each kill more people per year than sharks. In fact, dogs kill more humans than any animal except for other humans. Sharks are more dangerous than dogs, yes, but we’re far more likely to encounter dogs than sharks.

Our greatest recent overreaction to a rare event was our response to the terrorist attacks of 9/11. I remember then-Attorney General John Ashcroft giving a speech in Minnesota—where I live—in 2003, and claiming that the fact there were no new terrorist attacks since 9/11 was proof that his policies were working. I thought: “There were no terrorist attacks in the two years preceding 9/11, and you didn’t have any policies. What does that prove?”

What it proves is that terrorist attacks are very rare, and maybe our reaction wasn’t worth the enormous expense, loss of liberty, attacks on our Constitution and damage to our credibility on the world stage. Still, overreacting was the natural thing for us to do. Yes, it’s security theater, but it makes us feel safer.

People tend to base risk analysis more on personal story than on data, despite the old joke that “the plural of anecdote is not data.” If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.

We give storytellers we have a relationship with more credibility than strangers, and stories that are close to us more weight than stories from foreign lands. In other words, proximity of relationship affects our risk assessment. And who is everyone’s major storyteller these days? Television. (Nassim Nicholas Taleb’s great book, The Black Swan: The Impact of the Highly Improbable, discusses this.)

Consider the reaction to another event from last month: professional baseball player Josh Hancock got drunk and died in a car crash. As a result, several baseball teams are banning alcohol in their clubhouses after games. Aside from this being a ridiculous reaction to an incredibly rare event (2,430 baseball games per season, 35 people per clubhouse, two clubhouses per game. And how often has this happened?), it makes no sense as a solution. Hancock didn’t get drunk in the clubhouse; he got drunk at a bar. But Major League Baseball needs to be seen as doing something, even if that something doesn’t make sense—even if that something actually increases risk by forcing players to drink at bars instead of at the clubhouse, where there’s more control over the practice.

I tell people that if it’s in the news, don’t worry about it. The very definition of “news” is “something that hardly ever happens.” It’s when something isn’t in the news, when it’s so common that it’s no longer news—car crashes, domestic violence—that you should start worrying.

But that’s not the way we think. Psychologist Scott Plous said it well in The Psychology of Judgment and Decision Making: “In very general terms: (1) The more available an event is, the more frequent or probable it will seem; (2) the more vivid a piece of information is, the more easily recalled and convincing it will be; and (3) the more salient something is, the more likely it will be to appear causal.”

So, when faced with a very available and highly vivid event like 9/11 or the Virginia Tech shootings, we overreact. And when faced with all the salient related events, we assume causality. We pass the Patriot Act. We think if we give guns out to students, or maybe make it harder for students to get guns, we’ll have solved the problem. We don’t let our children go to playgrounds unsupervised. We stay out of the ocean because we read about a shark attack somewhere.

It’s our brains again. We need to “do something,” even if that something doesn’t make sense; even if it is ineffective. And we need to do something directly related to the details of the actual event. So instead of implementing effective, but more general, security measures to reduce the risk of terrorism, we ban box cutters on airplanes. And we look back on the Virginia Tech massacre with 20-20 hindsight and recriminate ourselves about the things we should have done.

Lastly, our brains need to find someone or something to blame. (Jon Stewart has an excellent bit on the Virginia Tech scapegoat search, and media coverage in general.) But sometimes there is no scapegoat to be found; sometimes we did everything right, but just got unlucky. We simply can’t prevent a lone nutcase from shooting people at random; there’s no security measure that would work.

As circular as it sounds, rare events are rare primarily because they don’t occur very often, and not because of any preventive security measures. And implementing security measures to make these rare events even rarer is like the joke about the guy who stomps around his house to keep the elephants away.

“Elephants? There are no elephants in this neighborhood,” says a neighbor.

“See how well it works!”

If you want to do something that makes security sense, figure out what’s common among a bunch of rare events, and concentrate your countermeasures there. Focus on the general risk of terrorism, and not the specific threat of airplane bombings using liquid explosives. Focus on the general risk of troubled young adults, and not the specific threat of a lone gunman wandering around a college campus. Ignore the movie-plot threats, and concentrate on the real risks.

This essay originally appeared on Wired.com, my 42nd essay on that site.

EDITED TO ADD (6/5): Archiloque has translated this essay into French.

EDITED TO ADD (6/14): The British academic risk researcher Prof. John Adams wrote an insightful essay on this topic called “What Kills You Matters—Not Numbers.”

Posted on May 17, 2007 at 2:16 PM

English Professor Reported for Recycling Paper While Looking Middle Eastern

This is just awful:

Because of my recycling, the bomb squad came, then the state police. Because of my recycling, buildings were evacuated, classes were canceled, the campus was closed. No. Not because of my recycling. Because of my dark body. No. Not even that. Because of his fear. Because of the way he saw me. Because of the culture of fear, mistrust, hatred and suspicion that is carefully cultivated in the media, by the government, by people who claim to want to keep us “safe.”

[…]

What does that community mean to me, a person who has to walk by the ROTC offices every day on my way to my own office just down the hall—who was watched, noted and reported, all in a day’s work? Today, we gave in willingly and wholeheartedly to a culture of fear and blaming and profiling. It is deemed perfectly appropriate behavior to spy on one another and police one another and report on one another. Such behaviors exist most strongly in closed, undemocratic and fascist societies.

Posted on April 25, 2007 at 3:02 PM

Stage Weapons Banned

I wish I could make a joke about security theater at the theater, but this is just basic stupidity:

Dean of Student Affairs Betty Trachtenberg has limited the use of stage weapons in theatrical productions.

Students involved in this weekend’s production of “Red Noses” said they first learned of the new rules on Thursday morning, the same day the show was slated to open. They were subsequently forced to alter many of the scenes by swapping more realistic-looking stage swords for wooden ones, a change that many students said was neither a necessary nor a useful response to the tragedy at Virginia Tech.

According to students involved in the production, Trachtenberg has banned the use of some stage weapons in all of the University’s theatrical productions.

Not only does this not make anyone safer, it doesn’t even make anyone feel safer.

EDITED TO ADD (4/25): The order has been rescinded, without any demonstration of common sense:

“I think people should start thinking about other people rather than trying to feel sorry for themselves and thinking that the administration is trying to thwart their creativity,” Trachtenberg said. “They’re not using their own intelligence. … We have to think of the people who might be affected by seeing real-life weapons.”

Posted on April 25, 2007 at 7:32 AM

Terrorist Bus Drivers

I thought we were done with this scary-story-but-nothing-to-worry-about stuff:

The FBI has issued an “informational bulletin” to state and local officials saying to watch out for people tied to extremist groups trying to earn licenses to drive school buses.

The Associated Press reports that members of the unnamed extremist groups have succeeded in gaining the driver’s licenses, but a Department of Homeland Security official told FOX News that “at this time there is no evidence that any of these individuals have got these jobs, or got hold of school buses.”

“There is no plot. There is no threat. And parents and children can feel perfectly safe,” FBI spokesman Richard Kolko told FOXNews.com.

Wacky.

EDITED TO ADD (3/20): Cory Doctorow has some more terrorist possibilities not to worry about.

Posted on March 19, 2007 at 1:51 PM

ID Cards to Stop Bullying

No, really:

“Introducing photo ID cards will help bring an end to bullying over use of ‘cash free’ cards for school meals, will assist with access to school bus services and, ultimately, can be used to add security to school examinations,” he said.

“SSTA members report frequently that young people are bullied into handing over their cards for school meals to others, thus leaving them without their meal entitlement.

“With non-identified cards this will remain a problem. If photo ID is introduced widely, then the problem will dramatically reduce.”

He said that introducing such a system would also help prepare young people for “the realities of identity management in the 21st Century”.

I agree with this:

However, Green MSP Patrick Harvie said the suggestion was troubling.

“We should be preparing young people for the reality of defending their privacy and civil liberties against ever-more intrusive government systems,” he argued.

“We’ve heard proposals for airport-style scanners and random drug testing in schools, fingerprinting is already in place in some schools. There’s a risk of creating environments which feel more like penal institutions than places of learning.

“These ID cards will do absolutely nothing to address the causes of bullying. Instead they will teach the next generation that an ID card culture is ‘normal’, and that they should have to prove their entitlement to services.”

It’s important that schools teach the right lessons, and “we’re all living in a surveillance society, and we should just get used to it” is not the right lesson.

Posted on January 4, 2007 at 6:17 AM

The Problem with "Hiring Hackers"

The Communications Director for Montana’s Congressman Denny Rehberg solicited “hackers” to break into the computer system at Texas Christian University and change his grades (so they would look better when he eventually ran for office, I presume). The hackers posted the email exchange instead. Very funny:

First, let’s be clear. You are soliciting me to break the law and hack into a computer across state lines. That is a federal offense and multiple felonies. Obviously I can’t trust anyone and everyone that mails such a request, you might be an FBI agent, right?

So, I need three things to make this happen:

1. A picture of a squirrel or pigeon on your campus. One close-up, one with background that shows buildings, a sign, or something to indicate you are standing on the campus.

2. The information I mentioned so I can find the records once I get into the database.

3. Some idea of what I get for all my trouble.

Posted on December 27, 2006 at 1:40 PM

Major Privacy Breach at UCLA

Hackers have gained access to a database containing personal information on 800,000 current and former UCLA students.

This is barely worth writing about: yet another database attack exposing personal information. My guess is that everyone in the U.S. has been the victim of at least one of these already. But there was a particular section of the article that caught my eye:

Jim Davis, UCLA’s associate vice chancellor for information technology, described the attack as sophisticated, saying it used a program designed to exploit a flaw in a single software application among the many hundreds used throughout the Westwood campus.

“An attacker found one small vulnerability and was able to exploit it, and then cover their tracks,” Davis said.

It worries me that the associate vice chancellor for information technology doesn’t understand that all attacks work like that.

Posted on December 13, 2006 at 6:43 AM

Bulletproof Textbooks

You can’t make this stuff up:

A retired veteran and candidate for Oklahoma State School Superintendent says he wants to make schools safer by creating bulletproof textbooks.

Bill Crozier says the books could give students and teachers a fighting chance if there’s a shooting at their school.

Can you just imagine the movie-plot scenarios going through his head? Does he really think this is a smart way to spend security dollars?

I just shake my head in wonder….

Posted on November 3, 2006 at 12:11 PM

University Networks and Data Security

In general, the problems of securing a university network are no different than those of securing any other large corporate network. But when it comes to data security, universities have their own unique problems. It’s easy to point fingers at students—a large number of potentially adversarial transient insiders. Yet that’s really no different from a corporation dealing with an assortment of employees and contractors—the difference is the culture.

Universities are edge-focused; central policies tend to be weak, by design, with maximum autonomy for the edges. This means they have natural tendencies against centralization of services. Departments and individual professors are used to being semiautonomous. Because these institutions were established long before the advent of computers, when networking did begin to infuse universities, it developed within existing administrative divisions. Some universities have academic departments with separate IT departments, budgets, and staff, with a central IT group providing bandwidth but little or no oversight. Unfortunately, these smaller IT groups don’t generally count policy development and enforcement as part of their core competencies.

The lack of central authority makes enforcing uniform standards challenging, to say the least. Most university CIOs have much less power than their corporate counterparts; university mandates can be a major obstacle in enforcing any security policy. This leads to an uneven security landscape.

There’s also a cultural tendency for faculty and staff to resist restrictions, especially in the area of research. Because most research is now done online—or, at least, involves online access—restricting the use of or deciding on appropriate uses for information technologies can be difficult. This resistance also leads to a lack of centralization and an absence of IT operational procedures such as change control, change management, patch management, and configuration control.

The result is that there’s rarely a uniform security policy. The centralized servers—the core where the database servers live—are generally more secure, whereas the periphery is a hodgepodge of security levels.

So, what to do? Unfortunately, solutions are easier to describe than implement. First, universities should take a top-down approach to securing their infrastructure. Rather than fighting an established culture, they should concentrate on the core infrastructure.

Then they should move personal, financial, and other comparable data into that core. Leave information important to departments and research groups to them, and centrally store information that’s important to the university as a whole. This can be done under the auspices of the CIO. Laws and regulations can help drive consolidation and standardization.

Next, enforce policies for departments that need to connect to the sensitive data in the core. This can be difficult with older legacy systems, but establishing a standard for best practices is better than giving up. All legacy technology is upgraded eventually.

Finally, create distinct segregated networks within the campus. Treat networks that aren’t under the IT department’s direct control as untrusted. Student networks, for example, should be firewalled to protect the internal core from them. The university can then establish levels of trust commensurate with the segregated networks’ adherence to policies. If a research network claims it can’t have any controls, then let the university create a separate virtual network for it, outside the university’s firewalls, and let it live there. Note, though, that if something or someone on that network wants to connect to sensitive data within the core, it’s going to have to agree to whatever security policies that level of data access requires.
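The segregation described above, written out as an added example in nftables syntax. This ruleset is not part of the original essay and is not a real campus configuration; the addressing, the port numbers and the set name are all assumed for illustration. It models three zones: a core network holding the central database servers, a student network treated as untrusted, and a research network that has declined controls and therefore sits outside the core firewall. Departmental networks earn access to the core only by being added to a named set, which is the configuration analogue of agreeing to the core access policy.

```nftables
# Added example, not from the essay. Hypothetical addressing:
#   core      10.0.0.0/24   central database and records servers
#   student   10.10.0.0/16  treated as untrusted
#   research  10.20.0.0/16  "no controls" network, kept outside the core firewall
# Department subnets or hosts that have accepted the core access policy are
# listed in @policy_compliant; anything not listed gets the untrusted treatment.
table inet campus_core {
    set policy_compliant {
        type ipv4_addr
        flags interval
        # Hypothetical members: patched, change-controlled, logging centrally.
        elements = { 10.30.5.0/24, 10.31.0.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful: allow replies to connections the core accepted or initiated.
        ct state established,related accept
        ct state invalid drop

        # Student network: may reach the Internet, never the core directly.
        ip saddr 10.10.0.0/16 ip daddr 10.0.0.0/24 log prefix "student->core " drop

        # Research network lives outside the core firewall: same rule, no exceptions.
        # A research host that wants core data joins @policy_compliant instead.
        ip saddr 10.20.0.0/16 ip daddr 10.0.0.0/24 log prefix "research->core " drop

        # Policy-compliant departments may reach the records database (assumed
        # port 5432) and the central SSO service (443); nothing else in the core.
        ip saddr @policy_compliant ip daddr 10.0.0.0/24 tcp dport { 443, 5432 } accept

        # Every zone may leave campus; only the core is gated.
        ip saddr { 10.10.0.0/16, 10.20.0.0/16 } ip daddr != 10.0.0.0/8 accept
        ip saddr @policy_compliant ip daddr != 10.0.0.0/8 accept

        # Departments that never signed up fall through to the default drop,
        # logged so the gaps in policy adoption are visible.
        log prefix "core-policy-drop " drop
    }
}
```

Load it with `nft -f <file>` and review the result with `nft list ruleset`. The point of the layout is that the default is deny: a department that refuses the policy loses nothing it already had (Internet access continues) but cannot reach the sensitive core, and the logged drops show the CIO exactly which networks still need to be brought under policy.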

Securing university networks is an excellent example of the social problems surrounding network security being harder than the technical ones. But harder doesn’t mean impossible, and there is a lot that can be done to improve security.

This essay originally appeared in the September/October issue of IEEE Security & Privacy.

Posted on September 20, 2006 at 7:37 AM
