Monday, May 19, 2014

THHGTTG and Stream of Consciousness

I was listening to a podcast, Science Talk (Scientific American) and there was an interview with author David J. Hand on his book The Improbability Principle: Why Coincidences, Miracles and Rare Events Happen Every Day  and he started off on probabilities of a coin flip.,204,203,200_PIsitb-sticker-v3-big,TopRight,0,-55_SX278_SY278_PIkin4,BottomRight,1,22_AA300_SH20_OU01_.jpg

 It reminded me of math classes from high school where we had to calculate that exact thing.

Which is the most likely outcome of a coin flip 5 times in a row?

and on and on. The correct answer is all of them.

1/2 * 1/2 * 1/2 * 1/2 *1/2 for each answer you will have a 1/32 chance of that result.

The outcomes made me think of the abbreviation to the Hitchhiker's Guide to the Galaxy: THHGTTG. So close! What are the chances of a coin flip landing in that order 8 times? The G's will represent the coin landing on its side.

According to Daniel B. Murray and Scott W. Teare of Harvard, the odds of that happening are 1 in 6000. Source


Thursday, May 15, 2014

Just a Myth

I listen to a lot of comedy and science podcasts and sometimes I get a crossover of the two: Nerdist,
You Made it Weird, I love it. The comedian host talks to people for as long as they want to talk. He has some questions he asks everyone, their view of God, what happens when you die and when was the last time you laughed really hard and why. This time he talked to one of my top physicists, the order changes but:
Michio Kaku: always #1, his book Beyond Einstein made me love physics 
Phil Plait: the Bad Astronomer, I read his blog in the mid 90s
Neil deGrasse Tyson: one sexy mofo, could sell you science and make you grateful to pay
Brian Greene: The Elegant Universe, loved it so much
Paul Davies: About Time - how fast does time flow? one second per second.
David Deutch: The Quest for the Quantum Computer. Amazing.
Mike Brown: killed Pluto
Jane Luu: discovered the Kuiper Belt!
Jill Tarter: SETI all the way
... there's a lot -I keep adding to this list.
Ok so Pete Holmes is talking to Brian Greene and he says something that makes me incredibly sad. In 1998 it was discovered that the expansion of the universe is accelerating and one day there won't be any stars. They will be just a myth and beyond that no one will ever know they existed. I know on the evolutionary timescale that's still far away but these things that we gain so much understanding of the universe from will be completely unknown, they will be gone.
Crab Nebula a supernova remnant that was recorded by Chinese astronomers in 1054ace.

Wednesday, May 14, 2014

The hard working alligator

The Swamp House: more pics of the process and final project by John Henry
I am in love with automatons. I want to know how they work so I can make my own weird creations. I have books and kits and papercraft kits so it's going to happen. Soon....
Watching this one is kind of hypnotic so I started to wonder how much this alligator was making based on the apparent speed of the gif. It makes ~$.125/second or ~$450 an hour. Normally you are supposed to take an average of multiple measurements but I don't think the gif will speed up at all.
@10 seconds I counted 5 quarters or $1.25/10seconds = ~$.125/second
$.125/1 sec * 60 sec/ 1 min * 60 min/1 hour =~$450/hour.
Not bad.

Wednesday, January 22, 2014

Technical Communication

One of the main issues when speaking to users/customers/students/staff/etc. is a mismatch in communication styles, goals and levels of technical knowledge. They would like their problems solved in a way that does not affect their dignity when asking for help on things they might not understand. We, however, would like to resolve their issue and submit a ticket. This is where we experience a conflict.
Speakers: Campus Help Desk
Communication Style: Goals and Outcomes Oriented/Direct
                Level of Technical Knowledge/Awareness: Highly Skilled
                Goal: Answer Questions, Troubleshoot Problems, Submit Tickets
Audience: Callers into the Help Desk
Communication Style: Varied
                Goal: Solve Problems, Submit Tickets, Ask Questions
Level of Technical Knowledge/Awareness: Varied
Ideally we would like to offer some amount of technical instruction as we troubleshoot so that they might be able to understand the problem if it happens again. They might see our methods of this instruction as a negative reflection of their intelligence. So how do we bridge this gap?  
Communication accommodation theory (CAT) is a theory of communication developed by Howard Giles. It argues that “when people interact they adjust their speech, their vocal patterns and their gestures, to accommodate to others.
 When two speakers have a common goal -they like each other, both parties will adjust their communication styles towards each other. Each will use the others' vernacular (IT Support Person vs. LAN Manager). When their goals are opposite it diverges (correcting each other, interrupting).

Tuesday, January 14, 2014

Phishing: Why Are Some People More Affected?

This is from a really good ad campaign on security awareness from Southern Methodist University.
Scamming method used to elicit information from uninformed computer users through impersonation of trusted sources;  respelling of fishing used to evade scans and filters by mainstream servers policing the internet.
 Email messages will contain: 
2.Company Logo or Name
4.+/- misspelled words and typos
Why do some people seem to fall for phishing?
Are users:
On autopilot? Not engaged or passive in their online activities? Cowed by perceived authority? Lacking critical thinking abilities? Other? 
This is an example we get sent to the Campus Help Desk about once a month: 

And according to Educause we are the #2 most phished industry:
Early in 2013 the Syrian Electronic Army successfully phished several news media Twitter accounts. One of them was the Onion (which took some time to discover because their tweets are already strange).
The Onion was the only hacked account that later released information on exactly how it happened. Their staff were sent this email multiple times over the course of a week. Eventually a staff member clicked the link and entered the requested information (if a user clicks the link they are most likely going to continue on entering what is asked if given no warning from their browser or mail client).
Emotional Triggers Exploited by Phishing
There are certain personality types that are the most susceptible to phishing. 
  • Greed
  • Fear
  • Heroism
  • Desire to be Liked
  • Authority
Date: Mon, 5 Jan 2004 09:30:13
Subject: URGENT

Heroism/Desire to be Liked
Victim Personality Traits:
There are certain victim personality traits when combined with a cognitive bias that can result in a user who will fall for phishing attacks. Remember that each of these traits are completely normal in small amounts.
  • Neuroticism: causes people to be more upset when being lied to and prefer to believe people are more truthful.
  • Impulsivity: read,  decide and  click as fast as possible.
  • Introversion: prefer online communication.
Cognitive Bias:
We are bad at detecting deception in others but good at detecting honesty.
We tend to overestimate our abilities and underestimate risk.
We believe what we want to believe (cognitive dissonance).
Research Study #1: Unnamed University
An 8 week study was done on 446 undergrads in an Intro to Information Systems course. They were given a Super Secret Code (SSC) and told to never give it out to anyone. The SSC was printed on official university letterhead with the title disclaimer “Do Not Disclose This Code.” It was used to access grades, quizzes, professor/ta email info communicating that the SSC is important and private. Giving it out would affect grades and violate the student conduct code. A nondisclosure agreement was signed.
For the 8 Weeks of the class they were instructed on internet security,phishing, hacking, etc.,  all lectures began with reminder displayed on PowerPoint:
Week 6: The unexpected, but not really. A real, unplanned phishing attack occurred with IT warning students. It was written up in the student paper.
Week 8 they were emailed the following message. Notice that there is no link or logo present.
From: Jason Roth Database Administrator
 This e‑mail is to inform you of a problem we are having with the information technology database. Due to a data collision we have lost some information and are unable to recover it. In order to get the database back up and working we need you to forward us your “super-secure code.” Please respond to this e‑mail with your code. Sorry for the inconvenience.
Out of 299  [final] participants*:
•57% ignored (170)
•32% replied with SSC (97)
•9% alerted IT (26)
•1% responded with a question/comment (4)
•<1% responded with incorrect info (2)
*147 students were excluded because they dropped class, didn’t receive the email/couldn’t find it, didn’t take the post instruction test, didn’t complete all items on final survey.
What were the responses?
  • here is my SSC xxxxxx. I hope that the database will get fixed very soon. Best of luck to you on fixing the database.
  •  My Network ID is xxxxx, My Student Number is xxxxx, my super secure Code is xxxxx, my home number is xxxxx.
  • I think this is my code: xxxx, but I’m not sure. you can call my mom at xxx- xxxx if this isn’t it as she will have it for you.
  •  I was told to never give out my super secrete (sic) code. . . . So how do I know this isn’t a scam?
  •  I’m sorry to hear about your problems, but I will not be able to assist you.
What happened?!
Research Study #2: West Point 2004
 A random sampling of 512 cadets were phished. West Point is unique in that the students have an average SAT score in the top 25%. The school was the first to be certified by the Center of Academic Excellence in Information Assurance Education (NSA), have a Security Emergency Response Team and security awareness training at the beginning of each semester. 
 (note: the article mainly focused on the intelligence of the cadets and the issues that would arise from betraying their trust with this study)
There was no discussion on ongoing IT security training. The following email was sent to the cadets with a link, replying email address and physical location of the sender. When the link was clicked on it returned a 404 error so there is no data on how many entered in their personal information.
The name is not found in the global address book, Washington Hall does not have a 7th floor and the building is used by all cadets on a regular basis. This is all information that is easily independently verified.
Out of 512 cadets, 80% clicked the link   (~400). And their reasons: 
  • ‘The email looked suspicious but it was from an Army colonel so I figured it must be legitimate.’ 
  • ‘Any e-mail that contains the word ‘grade’ in it gets my immediate attention and action!’
What happened?!
Data Analysis
Experience Factors:
•Lack of Computer self confidence
•Lack of  Web experience
•Lack of  Security policy knowledge
Personality Factors
•Victim personality traits (neurotic, impulsive, introverted)
Phishing and Social Engineering works better on naive and vulnerable users. 
What Made the Difference?
  • Reinforced  and Ongoing Training
  • Security Awareness
  • Communication from IT on Actual Phishing Attacks
Back to the original questions.Are users:
  • On autopilot? no
  • Not engaged or passive in their online activities? no
  • Cowed by perceived authority? A bit
  • Lacking critical thinking abilities? No
  • Other? yes :Of the personality type that phishing exploits? yes!
They are engaging in these emails critically but do not have the experience, security knowledge and confidence to correctly asses the threat.
IT Managers
Be aware of potential victim users:
•Oversharing on Facebook (content and quality)
•New to the web
•Victim Personality Traits
Talk about it (think of a personal story that relates):  my mom once told me she replies to spam asking them to take her off their mailing list. Yes I told her to stop doing that and why.
Journal of management information systems [0742-1222] Wright, Ryan yr:2010 vol:27  iss:1 pg:273 -303
2007 IEEE Intelligence and Security Informatics Tiantian Qi, Tiantian yr:2007 pg:152 -159
EDUCAUSE quarterly [1528-5324] Ferguson, Aaron yr:2005 vol:28 iss:1 pg:54 -57
Communications of the ACM [0001-0782] Hong, Jason yr:2012 vol:55 iss:1 pg:74 -81
Halevi, Tzipora yr:2013
Telling Lies: Clues to Deceit in the Marketplace, Politics, and Marriage
Paul Ekman; c1985 New York : Norton

Monday, January 6, 2014

The Most Human Human

More and more often I've been contacting users to inform them that they have an infected machine and to clean it or they will be disabled from our network. It is almost impossible to send this information in an email that does not sound like a scam so I have to get creative. Lately I've had some success and offer it to you.
You will need to pass the Turing Test.
There is one method that seems to get a response:
  • The subject of the message needs to be specific to the University
  • Introduction and purpose of message.
  • Identifying information: mac address, unid, ticket number.
  • What they need to do now: virus scan, refer to a repair service.
  • What will happen if the computer isn't cleaned
  • Contact information (the most important part)
    • Give no phone numbers or links for more information
    • Tell them to contact the Campus Help Desk for more information.
    • Ask the user to find a contact number from the main Utah website. 
    • Add your name and title (no phone number).
In the interest of fighting phishing attacks you really want to avoid all of the features listed in previous modules: logos, links, threats. 
For more information: The Most Human Human or Mind vs. Machine