Baggage scanner toy

Beat the Christmas rush and order your Scan-It toy x-ray machine (via Amazon) early.

[Images: ScanIt box; ScanIt close-up]

Said one Amazon reviewer:

If you're a parent, then you've probably been struggling with how to teach your kids about how much fun it is to have your rights systematically stripped from you. […] Kids can become familiar with the process of search and arbitrary seizure of dangerous items like toothpaste, soda, and aftershave (or TSA). The attention to detail on this toy is great. Notice the Homeland Security Threat Level Advisory glued to the side. See how tiny green and blue are? You'll never need them, because we live in an orange world. That's right, the terrists are right around the corner, maybe under your bed! This will keep a constant, low-level feeling of fear instilled in your kids, just like DHS wants!

(via Woot)

Ever heard of "kite tubing"?

Combine a kite, a modified inner tube, a rope, & a boat, and what do you get?  Kite tubing (a.k.a. Darwin award winner).

The Wego Kite Tube is an insanely bad idea — it's totally unstable and will flip you right off.  This video shows a dude falling from 35 feet at 35 mph.  Not surprisingly, it's been recalled due to at least 39 injuries and 2 reported deaths.   YouTube has a bunch more videos.  This blog entry has lots of comments by people who were injured.

The Manta Ray is slightly better.  At least it's stable, although as this video shows it can still be pretty dangerous.  It's not been recalled (yet).

Scam alert: "Travel Agents Direct"

KOMO TV (the Seattle ABC affiliate) did a story on July 6 about a company scamming people over the phone.

The wild thing is that today I've gotten a call at work from this company twice.  The phone number on caller-id showed as 727-683-1119 (a Florida area code).  The tricky thing is that they start out by saying they've got some free rewards.  Then they asked me to confirm my home address, and they correctly tell me my home address.  But then they ask me to tell them what my bank name is and ask for my checking account number.

Fortunately something felt wrong so I never gave them that information.  When I asked the person calling me why they needed it, they basically said that in order to get my "free rewards", they needed that info.

Based on the KOMO story and also a thread on Scam.com (found via Google), it looks like if you give them your banking information, they send you coupons, but directly charge your checking account for these "free" coupons.  Unlike a credit card charge, because they do it directly to your checking account, it can be a lot harder to get your money back.

So be careful.  If anybody ever asks you to "confirm" any account numbers, the caller should be able to read them to you and you say "yes" or "no".  If they insist, ask them to give you the first 4 or 5 digits, and you will finish for them.  Even then, be wary — if they really are from your bank (or wherever), they shouldn't need this kind of information from you.  If they claim that it's important, hang up and then call your bank (or whatever) directly — if it is legitimate, you will be able to resolve things by calling your bank.

RFID tags a new virus risk?

Most viruses take advantage of bugs in programs that are too "trusting" of the input the program receives. Viruses take advantage of this trust to exploit these bugs. Programs should never "trust" the data they receive — if all programs that receive input were paranoid, there would be no way for virus authors to exploit bugs. But many programs make the mistake of being too trusting about their input.

For most computer viruses, the "input" is a specially constructed file that exploits a bug to install a virus (also in the file).

In principle, virus authors could create specially constructed bar codes to infect supermarket computers by exploiting bugs in the bar-code-reading software. Virus writers could do the same thing with magnetic card readers — create a specially constructed magnetic stripe that exploits bugs in the magnetic-stripe readers.

The risk for "bar code viruses" and "magnetic card viruses" is pretty low (I've never heard of any). The risk is low for two reasons:

  1. Bar codes don't "store" very much data, so probably the most a virus author could do is crash the computer running the bar-code-reading software. Magnetic stripes can store a bit more data, but the viruses would still have to be very simple. So it's not as tempting of a target for virus writers.
  2. It's easier for computer owners to control/track the risk. The infection points are the bar code readers and magnetic-stripe readers, and the opportunity for infection occurs at the scan/swipe. These readers are pretty specialized, and it would be difficult to propagate the virus because it requires a human to actually scan/swipe.

But what about the combination of RFID tags and the RFID readers?

Computers running RFID-reader software are likely to become very widespread. There's talk of putting RFID tags in all the items in a grocery store, then putting an RFID reader in every refrigerator — this would allow your refrigerator to tell you everything that is inside without opening it up. We may see RFID readers in automobiles, check-out lines, hospitals, nearly everywhere.

Furthermore, to get this kind of convenience, the RFID readers need to be reading all the time so that they can read every tag that goes by the reader — if they are not reading all the time, most of the convenience promised by RFID technology evaporates.

This combination of widespread adoption and continuously accepting input (reading) makes the threat of virus transmission via RFID much, much greater. The only "consolation" is that the data storage of RFID tags is also low, so most viruses would probably be limited to the crash-the-computer variant. Of course, if there are RFID readers in your car, well-placed RFID tags scattered over the highway could crash the computers in the cars driving that freeway at rush hour (all theoretical of course).

So what can we do? Mostly start thinking about these risks. Those creating RFID-reading software will need to start with the mindset that the input cannot be trusted, and be more careful with their programming. Hopefully we won't have to learn the lesson the hard way.
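To make the "input cannot be trusted" point concrete, here is an added example in C (not code from the original post, and not based on any real RFID reader or tag standard). It assumes a hypothetical tag record layout of one type byte, one declared-length byte and a payload, and puts a trusting parser that believes the tag's length byte next to a checked parser that validates every tag-supplied field against what was actually received before copying anything. A small stream walker then shows what a reader that is "reading all the time" should do when a malformed record arrives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag record layout, constructed for this example (not any real
 * RFID standard):
 *   byte 0      record type
 *   byte 1      declared payload length
 *   bytes 2..   payload, at most MAX_PAYLOAD bytes
 */
#define MAX_PAYLOAD 16

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
} tag_record_t;

/* Trusting parser: believes the length byte the tag supplies. A tag that
 * declares len > MAX_PAYLOAD makes memcpy write past out->payload, and a tag
 * shorter than its declared length makes it read past the received bytes.
 * Either one is the "crash the reader" case the post describes. Kept only
 * for contrast with the checked version below. */
int parse_tag_trusting(const uint8_t *raw, size_t raw_len, tag_record_t *out)
{
    (void)raw_len;                 /* the received length is ignored: that is the bug */
    out->type = raw[0];
    out->len = raw[1];
    memcpy(out->payload, raw + 2, out->len);
    return 0;
}

/* Paranoid parser: every field that came from the tag is checked against what
 * was actually received and against the size of our own buffer before a
 * single byte is copied. Returns 0 on success, -1 on any defect. */
int parse_tag_checked(const uint8_t *raw, size_t raw_len, tag_record_t *out)
{
    if (raw == NULL || out == NULL)
        return -1;
    if (raw_len < 2)                        /* header incomplete */
        return -1;
    uint8_t len = raw[1];
    if (len > MAX_PAYLOAD)                  /* tag claims more than we can hold */
        return -1;
    if ((size_t)len > raw_len - 2)          /* tag claims more than we received */
        return -1;
    out->type = raw[0];
    out->len = len;
    memcpy(out->payload, raw + 2, len);
    memset(out->payload + len, 0, MAX_PAYLOAD - len);   /* no stale bytes linger */
    return 0;
}

/* A reader that is "reading all the time" sees a stream of records. Walk it
 * with the checked parser, stop at the first malformed record (once a length
 * field is untrustworthy there is no reliable way to resynchronise), and
 * return how many well-formed records were accepted. */
size_t scan_stream(const uint8_t *buf, size_t n, tag_record_t *out, size_t max_out)
{
    size_t off = 0, count = 0;
    while (off < n && count < max_out) {
        if (parse_tag_checked(buf + off, n - off, &out[count]) != 0)
            break;
        off += 2 + out[count].len;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample stream: two valid records followed by one that
     * declares a 255-byte payload. */
    const uint8_t stream[] = {
        0x01, 0x03, 'A', 'B', 'C',
        0x02, 0x01, 'Z',
        0x03, 0xFF
    };
    tag_record_t recs[4];
    size_t n = scan_stream(stream, sizeof stream, recs, 4);
    printf("accepted %zu record(s), rejected the rest\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  type=%u len=%u payload=%.*s\n",
               recs[i].type, recs[i].len, recs[i].len, recs[i].payload);
    return 0;
}
```

The design choice worth noting is that the checked parser compares the tag's claim against two independent limits: the bytes the reader actually received (so a truncated tag cannot cause an over-read) and the reader's own buffer size (so an oversized claim cannot cause an over-write). Rejecting the record is the whole mitigation; the reader never has to understand what the malformed tag was trying to do.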

[This post inspired by a Mar 15, 2006 Slashdot story. The idea of barcodes and magnetic strip readers inspired by Vo0k's post in response to that article.]

Scott Adams on airline risks

Scott Adams, author of the Dilbert cartoon strip, had this funny post in his blog:

How Certain is Certain?

I’d better reduce the font for this entry because it’s about the guy sitting next to me on the flight to Chicago.

Before takeoff, we both sat here tapping away on our Blackberries, sending last-minute messages. But where I interpreted the flight attendant’s instruction to turn off all electronics as just that, the high powered executive next to me had a different view. He interpreted it to mean hide your Blackberry when the Flight Attendant is looking. Otherwise, keep working all the way through takeoff.

On one hand, I’m almost totally certain that a Blackberry can’t bring down an airline. If it could, even in the most unlikely scenario, it surely would have happened a dozen times already. If you consider all of the flights in the world and all of the cell phones and Blackberries and laptops and PDAs that have traveled on them, it seems impossible that they could be a threat.

But still. There he was, tapping away, and maybe, just maybe killing me. I thought about doing something, like informing the flight attendant. But I need to rely on this passenger to move for me at some time during this flight so I can use the rest room. It could be a tense, uncomfortable flight if I get him angry. I had to weigh a 20% chance of not getting a timely wiz versus a .00000001% chance of a fireball-related death.

So I just sat there staring at the rule-breaker thumbing his little death machine while the pilot gunned the engines and headed skyward. Could this be the one time when a Blackberry causes a jet to plunge into the Rockies? How certain was I that this was safe? Can you ever be sure enough in these situations?

My only solace is that if this puppy goes down, the headlines will read “Plane Crashes. Dilbert Cartoonist is turned into Charcoal.” That’s called Top Billing, baby. Take that, rule breaker! I hope he’s not the new Chairman of the Fed or something. That would really suck.

Striking a balance on "protecting the children"

Yahoo now bars use of Yahoo! Chat to users under 18, most likely related to this agreement with the New York State Attorney General.  A couple of excerpts from the NY AG agreement:

Under the agreement, one of the nation’s leading internet service providers, Yahoo!, has removed and barred the posting of user-created chat rooms with names that promoted sex between minors and adults.

"We need to be vigilant to protect our children," [New York Attorney General] Spitzer said. "It is imperative that parents, industry, prosecutors and lawmakers all work together to identify and address possible threats, and that we teach our children to protect themselves from those who would do them harm."

Attorney General Bruning said: "Millions of people use the internet every day, and many of those are children. Because of this agreement Yahoo! chat rooms are a safer place today than ever before, meaning our children are safer online and predators have fewer opportunities to prey on them."

So if the problem is minors getting in over their heads in chat rooms, an 18-year-old cut-off will likely not help this problem.  Instead, those same minors will probably lie about their age.  In some ways this is even worse, because the predators will now have plausible deniability: "I thought everyone in the chat room had to be over 18" they will say.

It's interesting to see how the "protect the children" instinct can go awry.  Here's another example of "protect the children" legislation that has surprising side effects:

Woman Ticketed For Sitting On Park Bench With No Kids
The ticket could result in a $1,000 fine and 90 days in jail.
Sept 29, 2005
(http://wfmynews2.com/watercooler/article.aspx?storyid=49163)

New York, NY — It's an only in New York story. A woman was given a ticket for sitting on a park bench because she doesn't have children.

The Rivington Playground on Manhattan's East Side has a small sign at the entrance that says adults are prohibited unless they are accompanied by a child. Sandra Catena, 47, said she didn't see the sign when she sat down to wait for an arts festival to start.

Two New York City police officers asked her if she was with a child. When she said no, they gave her a ticket that could bring a $1,000 fine and 90 days in jail.

The city parks department said the rule is designed to keep pedophiles out of city parks, but a parks spokesman told the Daily News that the department hoped police would use some common sense when enforcing the rule.

The spokesman told the paper that ticketing a woman in the park in the middle of the day is not the way you want to enforce the rule.

Associated Press
Alan Wagmeister, Special Projects Producer

Most studies show that most molested children are abused by adult family members, or by adult friends of the family.  As a society, if we want to reduce child molestation we should focus on detecting and preventing family abuse.  Steps that try to target abuse by strangers (like banning sitting on a park bench without children) will not do much to reduce overall child molestation, because stranger abuse is very rare compared to family-related abuse.

Epistemic uncertainty

Below is an excerpt from John Ridgway's book review of "Waltzing with Bears", which is about software project risk management.  The general concept of epistemic vs. aleatory uncertainty is very important.

[…] Do yourself a favour, ignore what the book says about risk analysis [for software projects] and go and buy a good book on Bayesian Methods and Decision Theory. You don't have to take my word for this, just type in 'epistemic uncertainty and Monte Carlo' into your Internet search engine and take it from there. In the meantime, here are some background notes to help explain my remarks:

There are two types of uncertainty: epistemic and aleatory. As the name suggests, epistemic uncertainty results from gaps in knowledge. For example, one may be uncertain of an outcome because one has never used a particular technology before. Such uncertainty is essentially a state of mind and hence subjective. Aleatory uncertainty results from variability that is intrinsic to the behaviour of some systems [like throwing dice] (alea is the Latin for die). For example, I can be confident regarding the long term frequency of throwing sixes but I remain uncertain of the outcome of any given throw of a dice. This uncertainty can be objectively determined. Read More …

Nanny-in-the-Middle Attack

"Man-in-the-Middle" attacks occur in the "real" world, not just in computer security. In this case, it was a Nanny-in-the-Middle…
Security Notes from All Over: Man-in-the-Middle Attack

(from http://www.schneier.com/crypto-gram-0404.html#6)

The phrase "man-in-the-middle attack" is used to describe a computer attack where the adversary sits in the middle of a communications channel between two people, fooling them both. It is an important attack, and causes all sorts of design considerations in communications protocols.

But it's a real-life attack, too. Here's a story of a woman who posts an ad requesting a nanny. When a potential nanny responds, she asks for references for a background check. Then she places another ad, using the reference material as a fake identity. She gets a job with the good references — they're real, although for another person — and then robs the family who hires her. And then she repeats the process.

Look what's going on here. She inserts herself in the middle of a communication between the real nanny and the real employer, pretending to be one to the other. The nanny sends her references to someone she assumes to be a potential employer, not realizing that it is a criminal. The employer receives the references and checks them, not realizing that they don't actually belong to the person who is sending them.

It's a nasty piece of crime.

The San Francisco Chronicle carried the full story.

Spreadsheets: 25 Years in a Cell

An interesting article on how people delude themselves using spreadsheets for planning/estimating.

Spreadsheets: 25 Years in a Cell
(http://news.yahoo.com/news?tmpl=story&u=/zd/20040323/tc_zd/121973)
Tue Mar 23, 4:24 PM ET
Peter Coffee – eWEEK

In this 25th anniversary year of the PC spreadsheet, we can be proud of the progress we've made in decision technology. We can also be appalled by the stagnation of our decision-making practices. The things we learned to do badly in 1979, upon the debut of VisiCalc, we mostly continue to do wrong today.

IT observer Stan Kelly-Bootle described in 1995 the impact of VisiCalc and its descendants: "The PC soon blossomed as the Uzi of creative corporate accounting," he wrote. "The What-If moved to Why-Not, indicting the spreadsheet as the chief culprit in the 1980s S&L scandal."

Kelly-Bootle was talking about the ease with which we slide our assumptions toward their optimistic limits, inching good numbers up and bad numbers down until we get the result we want — failing to admit that the result is based on multiplying a series of less-than-even chances.

Read More …

Software industry == tobacco industry?

"The thing that will really improve software is when someone figures out how to establish a [more] direct link between the risks of using a product and the creation of the product. The software industry seems to think the tobacco industry business model is a good one. It's okay to kill your customers, there will always be a new one to replace the one you just lost."

— Scott James, as seen in the 15 March 2002 issue of Crypto-Gram