Trust no one

Law 4 is “Trust no One”. Often when I present the ten laws and arrive at this one, there is laughter and, of course, the inevitable question: “Even not you?”

Obviously, security cannot be built without trust. Trust is the foundation of security. Unfortunately, trusting people is the most difficult part of the design.

In an article for the Wall Street Journal, Bruce Schneier proposed five heuristics to deal with trusted people:

1. Limit the number of trusted people…

2. Ensure that trusted people are also trustworthy…

3. Limit the amount of trust each person has…

4. Give people overlapping spheres of trust…

5. Detect breaches of trust after the fact and prosecute the guilty…

In other words, trust people up to a given limit. Build some safeguards around trusted people. My preferred one is number 2. It is also the most difficult to enforce.

Identification of more risks can lead to increased optimism

I am more and more strolling around the psychological sides of security and risks. Magne Jorgensen (Simula research lab, Norway) published a paper whose result is counter-intuitive. Its title is “Identification of more risks can lead to increased over-optimism of and over-confidence in software development effort estimates”.

Through four experiments, he highlights that when people go more in depth in risk analysis, they most often end up with a lower effort estimate and a higher success estimate than when they make a fast risk analysis!!

He proposes some potential explanations. Once more we end up with judgment-based (the Guts) versus reasoning-based (the Brain) thinking (see Gardner’s book). Among the explanations:

  • Illusion of control: people are more confident when they believe they are in control. Seeing more risks may give an illusion of control. Identifying a risk is already a little bit controlling it.
  • Availability heuristic: the more vivid in the memory, the higher the importance for the Guts. When analyzing risks, it is more probable that the most important ones will be found quickly, whereas the last discovered ones will have the lower probability. Unfortunately, the Guts will be biased by the last analyzed one when judging the overall risk. In other words, it will lower the global risk.

Jorgensen proposes a method to limit this bias: analyze each risk and its impact together, then sum the expected impacts.

Might that study have some impact on the way we do threat analysis? I am not sure. Threat analysis is a long process where the availability heuristic will probably be watered down by time.

Nevertheless, it may impact the way we wrap up a threat analysis. Personally, I describe the threats in decreasing order of importance. In other words, the audience’s guts, when leaving the room, will remember the less important threats 🙁 I should present them in increasing order. This would have two advantages: some thrill / suspense, and the more dangerous threats in the Guts’ memory.

The science of fear

Daniel GARDNER wrote an excellent book titled “The science of fear”. Based on the latest information about human psychology, he explains the incoherent reactions we have in the face of fear.

The problem lies mainly in the fact that our mind is driven by two entities: the “guts brain” and the “rational brain”. The guts brain is what operates by reflex, by instinct. It is what allowed our ancestors, the cavemen, to survive. It does not think a lot but reacts awfully fast. It is the guts that make us run when we see a snake. The “rational brain” is the part that actually thinks. Unfortunately, it is slow and lazy.

Thus, the first reaction comes from the guts and later (if the brain believes it is needed) comes the rational reaction. It is why people may become havoc. The guts have been tuned to survive in an environment that slowly changed for several million years. And it worked fine. But for several decades, the world has been changing extremely fast. The guts are no longer fine-tuned. The rational brain is fine-tuned but it reacts too late.

The book illustrates why this conflict means that we do not evaluate risks correctly, why we have the feeling that the world is getting worse, how the media use (consciously or not) this bias, why we have a wrong perception of fear…

An example: if you asked whether the world is safer nowadays than two centuries ago, most people would say that it is worse today. But the facts prove the contrary. There have never in history been fewer wars than today. The crime rate is 20 to 40 times lower than 3 centuries ago!!! But with the media always showing murders, wars or disasters, the guts believe that we are in hell! And the brain does not take time to analyze the figures (by the way, people are awfully bad at numbers (see section 5)).

Once you have read this book, you will probably have lost a lot of pride in humans: the caveman is really not far.

If you are interested in security and psychology, read the book. And I am definitely convinced that there is a link between both. A good book to read (if only for section 5).

Duplicating remotely physical keys

We all protect our houses with keys and locks. We are most probably all aware that locks will not resist an expert locksmith using lock picking or lock bumping. Last year, three US students demonstrated that we should perhaps also fear our neighbors.

They demonstrated that with some minor signal processing tools, it is easy to extract all the needed information from a digital picture to reproduce the key. The steps are rather simple:

  • Take one picture
  • Using reference points (from the given type of key), compensate for distortion through homography
  • Normalize the picture to get a reference size
  • Measure the pits and valleys
  • Reproduce the key

They experimented using normal digital cameras and cell phones. The most impressive one used a 5000mm focal length to capture pictures from up to 100 feet. And it worked!

Funny paper that once more demonstrates that the frontiers of security are always moving back.

Privacy, security and Internet

The French engineering school Epitech published a survey on this topic. They polled 1032 persons.

Sorry, the report is in French. Nevertheless, the most interesting outcomes:

  • Among the people who use Internet at work for personal use, 47% believe that it may cripple the security of their company 🙁 And they do it nevertheless!!!
  • 61% feel safe on Internet
  • 96% are aware that they leave many traces on Internet. This is a very positive point. I was not expecting such level of awareness 🙂
  • This information leakage worries 52% only.
  • Only 8% would trust the government to guarantee their security on Internet.
  • 94% believe that it is possible to spy exchanges on Internet
  • Furthermore, 44% believe that spying can be done by anybody.
  • 62% would not give away privacy for more security. Nevertheless, 23% would! 🙁
  • 80% believe that ITC may lead to establishing files on everybody. Big Brother

I was more pessimistic. People seem more aware of privacy and security issues on Internet than I thought. Unfortunately, we do not see the job categories of the polled people.

Would the data in other countries be similar?

Film Piracy, Organized Crime and Terrorism

The RAND corporation has published a heavy document entitled: “Film Piracy, Organized Crime and Terrorism”. This 162-page document is extremely well documented. Through published facts, it sheds some light on the proven links between film piracy and organized crime (and even terrorist organizations) all over the world. It also shows some examples of legal authorities that are helping piracy. My preferred story is this Russian illegal DVD replication plant (pressing capabilities of 800,000 per month) which was closed after a first raid. It was sealed and put under surveillance by the police. Four months later, a new raid seized 55,000 new illegal DVDs (while the plant was supposed to be closed!)

Film piracy is an activity that has a low entry barrier and a low risk of heavy jail sentences. It even has a better margin than drug selling (at least 3 times bigger).

This document is somewhat frightening. We are far from the student downloading a movie and distributing it to friends.

Of course, no technological answer can help in this case. The only thing we can do is to delay as much as possible the availability of bootlegs! But once they are available, technology is out of the game.

The answer is obviously legal. The report is not very optimistic. Film piracy is still considered as victimless counterfeiting. This is not the case for pharmaceutical counterfeiting. Thus, it may not be the first priority of the authorities. The report expects that if public awareness of the links between film piracy and organized crime or terrorism increased, then people would be less attracted by cheap illegal DVDs.

17-March: repaired the broken link to the RAND document