Shostack + Friends Blog Archive


SHB Session 8: How do we fix the world?

(Bruce Schneier has been running a successful prediction attack on my URLs, but the final session breaks his algorithm. More content to follow.) So as it turns out, I was in the last session, and didn’t blog it. Bruce Schneier and Ross Anderson did. Matt Blaze has the audio. I’ll turn my comments into an […]


SHB Session 7: Privacy

Tyler Moore chaired the privacy session. Alessandro Acquisti, CMU. (Suggested reading: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification.) It’s not that people act irrationally, it’s that we need deeper models of their privacy choices. Illusion of control, over-confidence, in privacy people seek ambiguity, people […]


SHB Session 6: Terror

Bill Burns (Suggested reading Decision Research: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike) Response to Crisis: Perceptions, Emotions and Behaviors. Examining a set of scenarios of threats in downtown LA. Earthquake, chlorine release, dirty bomb. Earthquake: likely 100-200 casualties. Dirty bomb, expected casualties: 100 at most. Chlorine may be thousands to […]


SHB Session 5: Foundations

Rachel Greenstadt chaired. I’m going to try to be a little less literal in my capture, and a little more interpretive. My comments in italic. Terence Taylor, ICLS (Suggested reading: Darwinian Security; Natural Security (A Darwinian Approach to a Dangerous World)). Thinks about living with risks, rather than managing them. There are lessons from biology, […]


SHB Session 4: Methodology

David Livingstone Smith chaired. Angela Sasse “If you only remember one thing: write down everything the user needs to do and then write down everything the user needs to know to make the system work. Results of failure are large, hard to measure. (Errors, frustration, annoyance, impact on processes and performance, coloring user perception of […]


SHB Session 3: Usability

Caspar Bowden chaired session 3, on usability. Andrew Patrick NRC Canada (until Tuesday), spoke about there being two users of biometric systems: the purchaser or system operator and the subject. Argues that biometrics are being rolled out without a lot of thought for why they’re being used, when they make sense and when not. Canada […]


SHB Session 1: Deception

Frank Stajano Understanding Victims Six principles for systems security Real systems don’t follow logic that we think about. Fraudsters understand victims really well. Working with UK TV show, “the real hustle.” Draft paper on SHB site. Principles: Distraction, social compliance, herd principle, decption, greed, dishonesty David Livingstone Smith What are we talking about? Theoretical definitions: […]


Security & Human Behavior

I’m at the Security & Human Behavior workshop, and will be trying to blog notes as we go. I should be clear: these notes aren’t intended to be perfect or complete. Update: Bruce Schneier is also liveblogging. intro. Ross Anderson is blogging in comments to this post.