Nanny-in-the-Middle Attack

"Man-in-the-Middle" attacks occur in the "real" world, not just in computer security. In this case, it was a Nanny-in-the-Middle…
Security Notes from All Over: Man-in-the-Middle Attack

(from http://www.schneier.com/crypto-gram-0404.html#6)

The phrase "man-in-the-middle attack" is used to describe a computer attack
where the adversary sits in the middle of a communications channel
between two people, fooling them both. It is an important attack, and
causes all sorts of design considerations in communications protocols.

But it's a real-life attack, too. Here's a story of a woman who posts an ad
requesting a nanny. When a potential nanny responds, she asks for
references for a background check. Then she places another ad, using
the reference material as a fake identity. She gets a job with the good
references — they're real, although for another person — and then
robs the family who hires her. And then she repeats the process.

Look what's going on here. She inserts herself in the middle of a
communication between the real nanny and the real employer, pretending
to be one to the other. The nanny sends her references to someone she
assumes to be a potential employer, not realizing that it is a
criminal. The employer receives the references and checks them, not
realizing that they don't actually belong to the person who is sending
them.

It's a nasty piece of crime.

The San Francisco Chronicle carried the full story.
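The story above is the unauthenticated-relay problem in human form: the employer checks that the references are genuine but never checks that they are about the person presenting them. The following is an added illustration (not code from the post or from Crypto-Gram) that models both the employer's weak check and the check that stops the relay. The names, the reference record format, the `REFEREE_KEY` stand-in for a referee's authenticity, and the `verified_name` field (standing in for an out-of-band identity check such as an ID document or a referee confirming the applicant in person) are all assumptions made for this example.

```python
"""Model of the nanny-in-the-middle relay and the binding check that defeats it.

Constructed example. The referee's "authenticity" is modelled with an HMAC key
(assumption); in real life it would be the employer phoning the referee.
"""
import hashlib
import hmac

REFEREE_KEY = b"constructed-referee-secret"  # stands in for "the referee really said this"


def issue_reference(referee: str, subject: str, text: str) -> dict:
    """A referee vouches for a specific named person.

    The tag covers referee, subject and text, so the reference is authentic
    only for the subject it was written about.
    """
    msg = f"{referee}|{subject}|{text}".encode()
    tag = hmac.new(REFEREE_KEY, msg, hashlib.sha256).hexdigest()
    return {"referee": referee, "subject": subject, "text": text, "tag": tag}


def reference_is_genuine(ref: dict) -> bool:
    """Does the referee really stand behind this reference as written?"""
    msg = f"{ref['referee']}|{ref['subject']}|{ref['text']}".encode()
    expected = hmac.new(REFEREE_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ref["tag"])


def screen_applicant(applicant: dict, check_identity: bool) -> bool:
    """Employer's background check.

    applicant = {"claimed_name", "verified_name", "references"}.
    check_identity=False reproduces the employer in the story: the references
    are genuine and match the name the applicant *claims*, so the check passes.
    check_identity=True compares the references against a name established out
    of band, which is what binds the credential to the person in the room.
    """
    name = applicant["verified_name"] if check_identity else applicant["claimed_name"]
    refs = applicant["references"]
    return bool(refs) and all(
        reference_is_genuine(r) and r["subject"] == name for r in refs
    )


def demo() -> dict:
    """Run the honest applicant and the relay attacker through both checks."""
    refs = [
        issue_reference("Family A", "Alice", "reliable, three years with us"),
        issue_reference("Family B", "Alice", "excellent with toddlers"),
    ]
    # Alice answers a real ad with her own references.
    alice = {"claimed_name": "Alice", "verified_name": "Alice", "references": refs}
    # Mallory posted a fake ad, collected Alice's references, and now applies
    # as "Alice" to a real employer with those genuine references.
    mallory = {"claimed_name": "Alice", "verified_name": "Mallory", "references": refs}
    # A reference altered in transit is caught by the genuineness check alone.
    doctored = dict(refs[0], text="reliable, ten years with us")
    forger = {"claimed_name": "Alice", "verified_name": "Alice", "references": [doctored]}
    return {
        "alice_weak": screen_applicant(alice, check_identity=False),      # True
        "mallory_weak": screen_applicant(mallory, check_identity=False),  # True: the relay works
        "alice_strong": screen_applicant(alice, check_identity=True),     # True
        "mallory_strong": screen_applicant(mallory, check_identity=True), # False: binding stops it
        "forger": screen_applicant(forger, check_identity=False),         # False: tampering caught
    }


if __name__ == "__main__":
    for case, hired in demo().items():
        print(f"{case:15s} -> {'passes' if hired else 'rejected'}")
```

The point the model makes is the same one protocol designers draw from man-in-the-middle attacks: verifying that a credential is authentic is not enough; the verifier must also confirm that the credential is bound to the identity it has independently established for the party presenting it.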

Spreadsheets: 25 Years in a Cell

An interesting article on how people delude themselves using spreadsheets for planning/estimating.


Spreadsheets: 25 Years in a Cell
(http://news.yahoo.com/news?tmpl=story&u=/zd/20040323/tc_zd/121973)
Tue Mar 23, 4:24 PM ET
Peter Coffee – eWEEK

In this 25th anniversary year of the PC spreadsheet, we can be proud of the progress we've made in decision technology. We can also be appalled by the stagnation of our decision-making practices. The things we learned to do badly in 1979, upon the debut of VisiCalc, we mostly continue to do wrong today.

IT observer Stan Kelly-Bootle described in 1995 the impact of VisiCalc and its descendants: "The PC soon blossomed as the Uzi of creative corporate accounting," he wrote. "The What-If moved to Why-Not, indicting the spreadsheet as the chief culprit in the 1980s S&L scandal."

Kelly-Bootle was talking about the ease with which we slide our assumptions toward their optimistic limits, inching good numbers up and bad numbers down until we get the result we want — failing to admit that the result is based on multiplying a series of less-than-even chances.


Software industry == tobacco industry?

"The thing that will really improve software is when someone figures out how to establish a [more] direct link between the risks of using a product and the creation of the product. The software industry seems to think the tobacco industry business model is a good one. It's okay to kill your customers; there will always be a new one to replace the one you just lost."

— Scott James, as seen in the 15 March 2002 issue of Crypto-Gram

The reason that non-elective group insurance is cheaper

At most of the companies that I've worked for, they have a deal on life insurance that is very inexpensive, but with one catch — you have to sign up for the life insurance before your first day of work (more or less), or else you have to jump through some hoops if you later want to get the insurance. It turns out there's a reason why, as described by Daniel A. Graifer (dgraifer@cais.com) in the 15 Apr 2001 Crypto-Gram newsletter:

… the other big bugaboo of insurance: "adverse selection": Insurance buyers have better knowledge of their risk characteristics than the insurers, leading higher risk clients to over-insure (because it's cheap relative to the risks) and low risk clients to under-insure. That's why non-elective group insurance is cheaper than individual policies in any risk category.