Perverse Incentives

“It’s O.K. to spend $85 on a hotel, $15 for parking and another $15 for breakfast, but if you spend $90 for a hotel where parking and breakfast are included, you’re over budget,” he said. “And it’s O.K. to drive 400 miles in your own car and to get reimbursed at 34 cents per mile, for a total of $136. But get a comfortable rental car and pay $75 and you’re in trouble.”

Like governments, large corporations become bureaucratic. A small organization finds it easier than a large one to hire talented people with strong values and inculcate a shared culture and shared expectations about appropriate expenses. The challenge is much greater as a company grows, and the temptation exists to replace judgment and community norms with rules.

Writes Webflyer, commenting on a story in The New York Times, via Travelnotes.

Webflyer pretty much nails it, so I’d just like to add:

Not that the TSA would ever fall victim to software doing this sort of thing, or create software that would encourage such behavior.

"A Sign Of The Times?"

A woman said she drove home to San Diego from Denver rather than submit to what she viewed as an intrusive search by airport security screeners.

Ava Kingsford, 36, of San Diego said she was flagged down for a pat-down search at Denver International Airport last month as she prepared to board a flight home with her 3-month-old son.

I’m not going to criticize the woman; I’ve often felt like doing this. The risk manager in me wants to scream, too. Driving that far is far riskier than flying. And we wonder that airlines are failing left and right?

(USAToday, “Woman drives home rather than submit to airport search,” via Secondary Screening.)

So it seems that Apple installs /bin/ps setuid root. (Scare #1).
It seems also that the last bits emitted by a ‘strings /bin/ps’ is


. I have no idea what that is or what it means, but I think it belongs on a tshirt.

(Thanks to Dave and Ted for validating those for me. I thought I was 0wned.)
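A setuid-root ps is exactly the kind of surprise an audit should surface. As an added example (not from the original post), these POSIX shell functions list the setuid binaries in a directory and test a single path, assuming a `find` that accepts `-maxdepth` (GNU and BSD both do):

```shell
#!/bin/sh
# Added example, not part of the original post: enumerate setuid binaries
# so that an unexpected one (a setuid /bin/ps, say) stands out.

# Print each regular file directly under DIR whose setuid bit is set.
# Assumes find supports -maxdepth (GNU and BSD find both do).
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 2>/dev/null
}

# As list_setuid, but only files owned by root: the ones that matter most.
list_setuid_root() {
    find "$1" -maxdepth 1 -type f -perm -4000 -user root 2>/dev/null
}

# Exit status 0 if PATH is a regular file with the setuid bit set, else 1.
# [ -u ] is the POSIX test for the setuid bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Report every setuid file in the given directories with owner and mode,
# so the output can be diffed against a known-good baseline.
audit_setuid() {
    for dir in "$@"; do
        list_setuid "$dir"
    done | while read -r f; do
        ls -l "$f"
    done
}

# Example run on the usual system binary directories:
# audit_setuid /bin /sbin /usr/bin /usr/sbin
```

Running the audit once on a fresh install and keeping the output lets later runs show only what changed.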

Bush, Socrates, and Information Security

“Wherein links between a number of disparate ideas are put forth for the amusement of our readers”

Orcinus talks about one of Bush’s answers to a question in last night’s debate.* (I thought Bush did surprisingly well, but think that Kerry still came out slightly ahead. Both, depressingly, still want to spend my money on their own pet projects, and fail to offer bold responses to the challenges we face.)

The questioner — seemingly a middle-class homemaker — simply wanted to know if Bush could admit to having made mistakes. After all, most of us ordinary humans make them too, but we also tend to be acutely aware of them. That Bush was incapable of giving her a straight answer was incredibly revealing.

Socrates used to go around in search of a wise man, questioning everyone he met. Bush’s answer (read the whole answer at Orcinus) was “historians will look back and say.” That’s not the answer of a man who looks back and evaluates what he’s done. Looking back and evaluating your choices is a key part of making better decisions in the future. The ability and willingness to doubt and question as you’re making a decision is a good one. You need to know when to stop and make a decision, but you also need to know how and when to analyze.

On the other hand, I’ve gone through media training, and that’s one of those questions that nearly requires either a dodge or a facile answer. Clinton might have been able to word-smith his way through it.

Information security has a number of long-standing camps. One is the mathematicians who want to prove theorems about systems, and thus state their security. Another is the empiricists, who try to set up experiments which can invalidate a system’s security claims. It should come as no shock that I think the work of the empiricists is more useful. Cryptography is sometimes an exception to this, where it would be nice to have some proofs, but we can’t even show P=NP, so it’s a ways away.

I don’t think that the math camp has stepped back enough to self-analyze. The empiricist camp does so regularly. I’ll use as examples two papers by Eric Rescorla: “Is Finding Security Holes a Good Idea?” and “Time to Patch, Revisited.” The latter is an examination of work (not yet online) that I did in collaboration with the team at Immunix, including Crispin Cowan and Steve Beattie. Eric points out that we needed more data to arrive at the conclusions we did, which is fair enough. (The main point of the paper, which is that patch management is a risk management game, stands, and I stand by it.) The Finding Holes paper questions one of the underlying claims of the full disclosure camp: that finding and fixing holes will eventually result in more secure software.

*UPDATE: I wrote this mostly on Saturday, but was searching for links to Rescorla’s papers.
Update 2: Rescorla kindly put his TTP work online, now linked above.

Secondary Screening

Ryan Singel has a couple of good posts up: Why Privacy Laws and Advocates Matter and Trusty Logo Not Worth The Pixels It Is Printed On. The latter explains in detail what economics predicts: Trusty won’t shaft its paying customers to make them actually enforce privacy policies when people who rely on the Trusty seal complain. This makes the Trusty seal worthless, which will eventually come back to bite them, but they get to ride the gravy train for a while.

Afghan Elections

The elections in Afghanistan have apparently gone off with fewer problems than expected, which is outstanding. (And hey, the ink I mentioned to Sama makes an appearance!)

I am slightly worried by a line in The New York Times article, “International organizations, which spent $200 million to finance the election, indicated that they had little patience for would-be spoilers challenging the vote’s validity,” but that seems to perhaps be a reporter’s opinion.

It is, at the end of the day, a very exciting day for Afghanistan if they can have elections, and have the resulting candidate be considered by their people to be the legitimate leader of the country. Strong-arming by outsiders doesn’t add to that, although it may give the process time to sink in. The courage of Afghans who registered to vote, and went to the polls despite threats of violence, is what gives it legitimacy. And as Winston Churchill pointed out, democracy is the worst form of government we have, save all those others tried from time to time.


I listen to a lot of music. When I visit friends, I often invite them to drop random discs they think I’d like into iTunes for a rip. Combine that with my CD habit (“I can quit anytime!”), and I have a fair bit of music that I don’t recognize quickly. So I just found Quicktunes, a menu-bar controller for iTunes. It’s not as elegant looking as X-Tunes, which I’m keeping around because I like it. But it puts the current song in the menu bar, where I can glance at it effort-free.

Want to Save American Lives?

Do you want to save American lives? Stop senseless deaths? Here are some ideas:

  • Require real driver training, and enforce traffic laws.
  • Ration the sale of alcohol to prevent the nasty diseases over-indulgence causes.
  • Ban tobacco.
  • Ban firearms.
  • Require calisthenics in the morning, by neighborhood, and in the afternoon, at work.
  • Ban the use of corn syrup as a sweetener, leading to slimmer, healthier Americans.
  • Impose a national ID card, creating a slim possibility that you’ll catch a terrorist sometime in the next year.

Guess which one Congress is on top of?

Incidentally, I’m not in favor of any of these, except maybe enforcing the traffic laws. Most Americans would look at every item there, and say, that’s an infringement on people’s right to decide how to live their lives. And they’d be right.

Can Prayers Heal?

There’s an article in today’s The New York Times asking, Can Prayers Heal? (Critics Say Studies Go Past Science’s Reach). The article talks about a number of studies that apparently show a correlation between being prayed for and better medical results. The article also talks about how flawed some of the studies are, once you have a statistician examine them in depth.

Unlike many of the scientists quoted in the article, I’m not opposed to small funding for these efforts. If you believe that being prayed for means that a very small stab wound will heal better, fine, let’s test that theory. Any supreme being I’m willing to credit will be ignoring the experiment, but the nice thing about experiments is that they can prove people wrong. (The Rev. Raymond J. Lawrence Jr., whose title is too long to quote in full, says that it cheapens god, which seems like a fine stance to take. Faith isn’t supposed to be proven; that’s why it’s faith.)

On the other hand, if patients being prayed for do better, or patients thinking they’re being prayed for do better, then great! Let’s pray for them. The most interesting studies are the fully-blinded ones, where the patients don’t know they’re being prayed for. That sometimes raises concerns for the human research boards, since people are supposed to be given a chance for informed consent. It may even be offensive to some folks to be prayed for at all, or to be prayed for by heathens of one stripe or another. On the other hand, it would seem to be needed to really prove the effect of prayer, absent a placebo effect. The final line of the article mentions that alcoholics “who knew they were being prayed for actually did worse.”

So, the studies, even without a theory for how they work or what they’re testing, show interesting behaviors. Other scientists will step in to explain those, and we may well end up learning something, if we’re not careful.