Skip to main content

The WiKID Blog

Viewing posts from January, 2009


I read an interesting post about risk strategies and selection bias that made me think about some short term thinking often seen when investments in information security are deferred. Patri Friedman discusses poker strategies in light of selection bias:

You see that if you look at the performance of many businesses w.r.t. a risky practice that is a bad gamble, you can find the slightly negative trend line. But what happens if you consider only those businesses still around? This happens accidentally all the time - after all, its much easier to survey those businesses. The result is that you eliminate the worst failures of the practice you are examining, leaving a falsely positive impression.

The same thing happens in the poker tournament world. Certain styles of play trade EV for variance, allowing people to build up huge stacks occasionally, but usually go bust. Such players often win tournaments - but that doesn’t mean they are playing right. How many times do they fail for each victory? Do they fail more often compared to the money they win than a more conservative player? Some of these “maniacs” are smart players, carefully choosing their gambles and maximizing their returns. But some of them, frankly, are just maniacs, gambling and getting lucky, and giving the false impression that high-variance play is the way to go, because we don’t notice the hundreds of people playing that way and losing.


According to a number of places, but primarily Bruce Schneier, SHA-1 has been broken by a team of researchers in China. It's not time to panic if you're using it, but it is time to start thinking about a replacement.


There is an excellent post on Security Fix Blog about cross-site scripting flaws at major financial institutions pointed out by Lance James (author Phising Exposed.


There are two things to keep in mind when discussing two-factor authentication:


And the results are not good.

“The premise is that site-authentication images increase security because customers will not enter their passwords if they do not see the correct image,” said Stuart Schechter, a computer scientist at the M.I.T. Lincoln Laboratory. “From the study we learned that the premise is right less than 10 percent of the time.”
The article also points out that perceived user convenience is more important than security:
Banks immediately knew what they did not want to do: ask customers to download new security software, or carry around hardware devices that feed them PIN codes they can use to authenticate their identities. Both solutions would add an extra layer of security but, the banks believed, detract from the convenience of online banking.
This is a problem, though, because their opponent is more than willing to install software on the user's computers. Moreover, they are willing to attack an ISP's computers in the middle. This asymmetry will cause problems for financial institutions.

Recent Posts







RSS / Atom