The science of fear

Daniel GARDNER wrote an excellent book titled “The science of fear”. Based on the latest information about human psychology, he explains our incoherent reactions to fear.

The problem lies mainly in the fact that our mind is driven by two entities: the “guts brain” and the “rational brain”. The guts brain is what operates by reflex, by instinct. It is what allowed our ancestors, the cavemen, to survive. It does not think a lot but reacts awfully fast. It is the guts that make us run when we see a snake. The “rational brain” is the part that actually thinks. Unfortunately, it is slow and lazy.

Thus, the first reaction comes from the guts, and only later (if the brain believes it is needed) comes the rational reaction. That is why people may react chaotically. The guts were tuned to survive in an environment that changed slowly over several million years. And it worked fine. But for several decades, the world has been changing extremely fast. The guts are no longer fine-tuned. The rational brain is fine-tuned, but it reacts too late.

The book illustrates why this conflict means that we do not evaluate risks correctly, why we have the feeling that the world is getting worse, how the media use (consciously or not) this bias, why we have a wrong perception of fear…

An example: ask whether the world is safer nowadays than two centuries ago. Most people would say that it is worse today. But the facts prove the contrary. Never in history have there been fewer wars than today. The crime rate is 20 to 40 times lower than 3 centuries ago!!! But with the media always showing murders, wars or disasters, the guts believe that we are in hell! And the brain does not take the time to analyze the figures (by the way, people are awfully bad at numbers (see section 5)).

Once you have read this book, you will probably have lost a lot of pride in humankind: the caveman is really not far away.

If you are interested in security and psychology, read the book. And I am definitely convinced that there is a link between both. A good book to read (if only for section 5).

Consumer Strategies for Deterring Illegal File-Sharing Using Digital Serial Numbers

Last month, the Digital Watermark Alliance (DWA) released the results of a survey it commissioned. The purpose was to evaluate the impact that using a Digital Serial Number (DSN) would have on piracy. A Digital Serial Number embeds, through a watermark, a unique identifier of the device that rendered the content. This makes it possible to trace back the origin of a possible leak.

The answer is obviously that it would have an effect. About half of the respondents admitted that they would stop file sharing. This is probably not a surprise for anybody.

A more interesting result is the set of reasons why about half of the respondents would not stop file sharing:

– I don’t download enough to be caught.
– The online community will remove DSNs.
– DSNs will not be enforced strongly enough to make a difference.
– My downloading would remain the same as a statement of principle.
– The BitTorrent community can avoid sharing files with DSNs.
– The risk is worth it.

The document also highlights that a DSN is a deterrent only if users are aware of it.

The document is available here.

PS: THOMSON is a member of the DWA.

Should we stop masking passwords?

According to Jakob Nielsen, masking a password while typing it is a bad idea. The arguments are that users may make more errors with blind typing, and that, due to this complexity, they will choose simpler passwords.

Jakob Nielsen is a highly respected guru of usability. When I was working in User Interfaces research (many years ago), I religiously read all his books. I learned a lot. It was my first contact with human psychology and brain behavior. I’ll soon come back to that interesting topic. Thus, his comments deserve our interest.

His first argument is definitely true. Who has never had a password rejected because the Caps Lock key was on? Visual feedback would avoid this type of error. I must confess that each time I have to enter my long PGP passphrase, I’m nervous. Especially if you are, like me, keyboard dyslexic. 🙁

I would tend to disagree with the second argument. People mainly choose a simple password because complex passwords are more difficult to remember, rather than because they are difficult to type.

Sometimes, we forget the initial design purpose. Password masking is mainly meant to prevent shoulder surfing. Shoulder surfing on a mobile device (such as a BlackBerry) is far more difficult than on a notebook in an airport. Thus, is it useful to protect against this threat on mobile? If there is nobody present to shoulder surf, why protect against a nonexistent threat?

Thus, I would rather agree with Jakob Nielsen and temper the orthodoxy of password masking with some rules:

  • When shoulder surfing is not possible, do not mask (unless you fear screen capture, but then you may also fear key logging).
  • Offer a checkbox that allows the user to mask/unmask the password. I would suggest that the default state be masking.

Should we violate this rule?

Britain’s graduated answer

The UK Government has just published its vision of the future of Digital Britain. As expected, a section is dedicated to copyright issues. In chapter 4, “Creative Industries in the Digital World”, the report highlights the need to fight unlawful file sharing. It describes the two-stage mechanism that the Government plans to deploy.

The first step is the typical spotting of illegal file sharers and sending of notifications. It is expected that this should seriously deter piracy. Nevertheless, if it is not sufficient, then other tools such as traffic shaping, bandwidth capping or address filtering would be deployed.

Legislation to reduce unlawful peer-to-peer file-sharing

The key elements of what we are proposing to do are:
● Ofcom will be placed under a duty to take steps aimed at reducing online copyright infringement. Specifically they will be required to place obligations on ISPs to require them:
– to notify alleged infringers of rights (subject to reasonable levels of proof from rights-holders) that their conduct is unlawful; and
– to collect anonymised information on serious repeat infringers (derived from their notification activities), to be made available to rights-holders together with personal details on receipt of a court order.
Ofcom will also be given the power to specify, by Statutory Instrument, other conditions to be imposed on ISPs aimed at preventing, deterring or reducing online copyright infringement, such as:
● Blocking (Site, IP, URL);
● Protocol blocking;
● Port blocking;
● Bandwidth capping (capping the speed of a subscriber’s Internet connection and/or capping the volume of data traffic which a subscriber can access);
● Bandwidth shaping (limiting the speed of a subscriber’s access to selected protocols/services and/or capping the volume of data to selected protocols/services); and
● Content identification and filtering.
This power would be triggered if the notification process has not been successful after a year in reducing infringement by 70% of the number of people notified.

After one year of experimentation, the Government would check the effectiveness. The objective is to reduce unlawful file sharing by 70 to 80%. If the objective is not reached, then the Government would study new measures.

The interesting part is the attempt to limit network use to fight piracy. Nevertheless, it may open Pandora’s box. Is it the end of Net neutrality in the UK?

The full report is available here.

Thanks to MJC for the pointer to the doc.

$80,000 per song

That is what Jammie Thomas-Rasset should pay to four major labels for copyright infringement of 24 songs. The total fine is $1,900,000!!!

Jammie Thomas was spotted by Media Sentry in February 2005 for sharing 24 songs through Kazaa. She always claimed to be innocent and refused settlement. This was an appeal. The initial decision was around $9,000 per infringing song.

Unfortunately, for this trial, her defense collapsed. Her defense was that it was not true because the experts could not spot anything on her hard disk. She always claimed that the songs must have been on the hard drive that she had exchanged at Best Buy. Unfortunately, the exchange occurred after the infringement occurred. Furthermore, she claimed not to even know what Kazaa was. Unfortunately, while a student, she wrote an essay about Kazaa. So long…

The severity of the sentence may be explained by a popular jury who did not like that she lied to them. The severity may also incite people to go for fast settlements rather than prosecution in accordance with current RIAA’s

Beezik: an interesting distribution model

The French site Beezik has just opened. This interesting site proposes an alternative distribution scheme for music.

Beezik lets you legally download songs for free! Yes, you pay not a dime! And it is legal. The announced size of the catalog is about 2 million songs. And they offer some of the current blockbusters. (When exploring some of my favorite performers, I often found “in the style of …”. Nevertheless, I found some interesting original titles.)

So where is the trick? The clearly announced one is the mandatory exposure to advertisement. Once you have selected your song, you have to choose among 4 advertisers. During the download time of the song, the ad is displayed full screen. If you reduce it to window size, the download of the song is interrupted. In other words, your computer is “blocked” to display an ad during the download time. The obvious thought to escape advertisement is “OK, let’s go drink a coffee or a coke, or whatever you want, I’ll come back later”. This does not work. Once the download has completed, you have 6 seconds to click on the screen in order to launch the screen that saves the song on the computer, else you lose it.

Thus, it has been wisely designed to maximize the advertisement exposure. This has strong value for advertisers. Of course, your selection of ad, plus your selection of songs, will allow them to profile you, thus increasing the value of the ad. Well done.

There are a few unannounced limitations:

  • The songs are protected by Windows DRM 11. So much for iPod aficionados.
  • The licenses are valid for one month. Each time you download a song, it extends all licenses for a new month. If you did not download during the month, you lose all licenses (it seems that licenses are not renewable later; you have to download the obsolete song again). Once more, this monthly obligation to download is a nice trick to increase advertisement exposure.

Two nice tricks:

  • Beezik does not sell any song. Nevertheless, it displays the value of the song. This reinforces the feeling that you are getting a good bargain: 1 minute of ad for 0.99€.
  • The more you download, the more points you gain. The points can be converted into coupons for sponsors.

Beezik explores an interesting business model. It has been well designed to offer the highest value for advertisers. Are you aware of similar sites elsewhere? If yes, please send the pointer.

Would you use such a service?

P.S.: Beezik is only available for France and Monaco (at least currently).