Releasing Criminals

My friend Sameer takes issue with my hoping for experimentation by criminals, on two grounds:

First, he believes I’m encouraging violence. This wasn’t my intent. I assume that there are all sorts of ways to non-violently behave badly, from calling a guard snookums to having a tattoo needle in your cell. However, I don’t know.

His second argument is that my criteria for release are orthogonal to being a menace to society: That this fellow could be a clever psychopath. This is true. I made the (again unstated) assumption that, like most people in jail, this fellow is in jail for a non-violent drug crime.

If he’s in jail for violence, or needs to commit violence to get out, that would temper my previous position.

How Much Is Risk Management Worth?

David Akin blogs that Fitch Ratings has purchased Toronto’s Algorithmics for $175M (the press release is datelined New York, so I’m guessing that’s a US dollar figure).

Algorithmics makes risk management software, focusing on market risks for banks, things like hedging strategies and BASEL II compliance (based on a quick read of their site.) So one answer is that better risk management is worth $175m.

But presume that you know a lot about other banks’ risk management strategy, because you make the software that drives it. Can you anticipate their actions and use that against them? (Fitch seems to be only in the ratings business, and so may not be positioned to do this.)

A good day for liberty

In its powerfully worded decision, the [UK Law Lords] said that the government’s “draconian” measures unjustly discriminate against foreigners since they do not apply to British citizens and constitute a lopsided response to the threat of a terrorist attack.

(From The New York Times, see also the BBC or Volokh.)

WASHINGTON (AP) — A [US] federal judge ruled Thursday that an American held in Saudi Arabia for suspected links to terrorism might be able to challenge his detention in a U.S. court because there is “considerable” evidence U.S. officials were behind the arrest.

(From the AP via the New York Times, or Volokh.)

The way to win a kulturkampf is by showing off the best parts of your kultur. Its a good thing we have the courts to do that, when our executives are deranged. Hey, that balance of power thing was a good idea. Maybe some others could adopt it?

Clever criminals

Over at Marginal Revolution, Alex Tabarrok quotes a letter from an inmate:

[Inmate:] A privately owned and publicly traded company like CCA has no incentive to rehabilitate criminals.  It is in the best interests of the company for even more criminals to exist.  Unfortunately, the same is true of government run prisons.  And contrary to what you may have been told, prisoners are not paroled because they have indicated by their actions or behaviors while inside that they are less likely to reoffend; they are let go because the Parole Boards believe that will commit another crime.  This way the prison lobbyists can then “prove” that parole doesn’t work.  The Department of Corrections gets less money from paroled prisoners than it does for those kept inside.  And also, “good” inmates are less trouble (less labor) than the trouble-makers, and so trouble-makers get released.

[Alex:] Good analysis.  I hope, however, that he does not test his theory on how to gain early release.

Alex did not elaborate, but it seems to me that this fellow is clever, insightful, and may well be a fine person to get released. Not knowing why he’s in prison, I hope he does test his theory, and that he shares with us the results. All in the name of science.

Quickies has an interesting article about taxes and your phone company. Any article that starts with an error about how long ago the Spanish American war took place is a little worrisome, but I love watching badly written law becoming irrelevant.

Stefan Geens has a great article taking a simple question and exploring the math required to answer it. And I love his format, and his commenters. Why don’t I get great comments like his?

Browser privacy from the server?

A friend writes and asks:

I’m working in NYC now, as the Web Admin for Safe Horizon. We’re the largest service agency in the
US for victims of violence, crime or abuse. We’re interested in
putting in some features into our site, but we have to protect our
visitor’s privacy, since they might be visiting our site from a
computer their abuser also uses.

We have instructions on our site detailing how to delete your history,
empty your cache, etc. And we don’t use cookies. But, I was wondering
if there might be an easier way for our visitors to stay safe. I know
there are proxy sites that allow you to surf anonymously, and telling
them to use those is certainly an option.

But, I was wondering if there was a better way. I found out about a
company called Apparently, they have a “click here once and
the rest of your session is not recorded” technology. But, it’s only
for IE 5+ for Windows. Granted, that takes care of 90% of our
visitors. But, if they’re doing it, maybe someone else is too.

I’m not familiar with Ponoi: Does it work? Is anyone familiar with something else that the site can do to help? Comments are open, and appreciated!

Signalling by Counting Low Hanging Fruit?

I’ve been thinking a lot about signaling software security quality. Recall that a good signal should be easy to send, and should be easier for a higher quality product.

I’d like to consider how running a tool like RATS (link) might work as a signal. RATS, the Rough Auditing Tool for Security, is a static source code analyzer. Would it work to provide a copy of the results of RATS, run across your code? Firstly, this is pretty easy to do. You run rats -R * > report.txt and you get a report. A company could give this report to customers, who could weigh it, and have more information than they have today. (Literally. A long report, taking more pages, means worse software. At least, it means worse software as seen through a RATS filter.)

That filter is imperfect. First, it rewards worthless behavior such as changing strcpy(dest, "foo") to strncopy(dest, "foo", 3) so that RATS won’t complain. Next, it rewards writing code in languages that RATS doesn’t scan. This is somewhat useful–code written in C will have more string management errors than code written in another language that doesn’t have string manipulation problems. Given the number of such errors, the added incentive to move away from C is not economically perverse.

It would be fascinating to know if the items that RATS detects are predictive of other bug density. On the one hand, much research into quality assurance and testing indicates that bugs do cluster. On the other, the use of a library call that sometimes has security problems may be disjunct from other types of bugs in how concentrated it is. Knowing if RATS is predictive would allow us to judge how useful a signal it is. There may be other useful things to do with the data, too.

If RATS output became accepted in the marketplace, would it be easy to forge the signals? Unfortunately, it would be. Generating a report that is 2 pages shorter than the competitions is easy. Just cut lines from the file. Simple inspection won’t reveal that. There are ways to examine binaries, but they require skill and a little time. I don’t think this is likely behavior. A company that certifies that it ran a test, and alters the results of the test is engaging in deceptive trade practices. And yes, there may well be used car dealers who offer fake warranties, but they’re few and far between. The downside is too large.

Finally, I’d like to run this through a 5 step process proposed by Schneier in the April, 2002 Crypto-gram, to see what we learn. (Read the article for clarification on why this is a fine evaluation framework. I’m abusing it slightly, by looking at a signal, rather than at a security measure.)

  1. What problem does the security measure solve?
  2. How well does the security measure solve the problem?
  3. What other security problems does the measure cause?
  4. What are the costs of the security measure?
  5. Given the answers to steps two through four, is the security measure worth it?

Distributing RATS output helps to solve the question of how a customer should evaluate software. The question of how well it does this, as noted is open. There are some clear problems. There’s no security problem caused by the technique. It’s cheap to do. And so, even though its not a great signal, its probably worthwhile.

Referrer spam: The end is ROI

The first two claim to be UNDER CONSTRUCTION, and this makes my hypothesise that they are honeypots of a sort, respectively researching whether Deep-URLs (“/friendslinks.php”) or merely Root-URLs (“/”) are most effective methods of Referrer-Spamming, plus also providing a check to see which blogs are the most valuable ones to be worth spamming.

In short: I hypothesise that the referrer-spammers are now doing ROI (“Return On Investment”) calculations.

writes Alec Muffett. Go read it.

Welcome, Carnival readers!

My friend Rob Sama is hosting this week’s Carnival of the Capitalists, and was kind enough to give me a shout out. So, welcome if you’re coming in from there. I’m traveling on business, so blogging will be a little slow, but please, have a look around! I try to apply economics to security problems here, and there’s also a lot on personal liberty, which any good reader of Hayek knows is linked to economic freedom. So enjoy! Comment!