If you tell enough stories, perhaps the moral will show up.


Spam Counter - 2009 Apr: 986

But it was 1300 earlier in the month.

There's a big new botnet at work -- quarantines at have vastly increased lately. Mostly traditional stuff with rather more images and spam poetry than we've seen lately.

One thing that stands out is the new wonder drug: Magnesium Oxide. Why am I getting Magnesium Oxide spam? It's milk of magnesia -- an antacid. Why would anyone buy that online? What really perplexes me is that they obviously expect their target market to know why they want it -- or is it that people who respond to spam are precisely the people who will buy anything?

Uphill Battle

(Two FSA posts in two days -- bad sign.)

The FSA have lately been taking a very hard line on data leak risk, and they themselves deal with extremely sensitive information.

So it does seem rather hard that they can't accept or originate TLS encrypted email. It's doubly hard that they use Messagelabs which handles TLS easily -- encryption must have been explicitly disabled.

So I have to dick around with fancy encryption utilities to get something that should be free.


Facing Up To It

Just a little note about our pandemic planning.

When the system was set up, we canvassed the business very carefully. Who could work at home, and who would have to come in?

The message was clear. Investors and traders could not work at home. They needed their colleagues around them, they needed their morning meetings and their bosses and compliance reps needed to see them. Delivering the order management and dealing apps on the pandemic remote access system was unnecessary and actually dangerous. Fortunate really, as some of them do not respond well to Citrix.

Well, now here we are, and I sense a slight quavering of the upper lip. When you really think about it, the idea of wealthy, numerate, well-informed and self-confident men and women with family responsibilities actually risking a lethal infection to nurse their portfolio  is a bit daft. They'll stay home whatever the boss says. The first two or three, you can sack, but if it's the whole team, it becomes our problem not theirs.

Meeting tomorrow to start the the process -- "well, if that's not what you really meant, what do you mean?" We'll see how it goes.

Meanwhile, Mrs U is discussing what food to stock-pile.

G20 Meltdown Saves the Finance Sector

The protestors -- G20 Meltdown and the climate campers -- did a big favour to London finance firms.

For three years, the FSA has been nudging us to do "pandemic planning" -- to prepare for situations like a legal or de facto quarantine where most staff will be staying at home by choice or under legal compulsion (or a train strike, or civil disorder or ...) This isn't DR proper -- if you don't want to say pandemic (and I don't, it's silly) you can call it Colleague Availability Planning.

And since we are a good and dutiful regulatee we have done what we can. In our case, that's a Citrix farm and an SSL VPN, with security settings that make it a little less unsafe when it's accessed from untrusted PCs. To ensure it's running and up to date, we use it for most of our remote access (I've preserved a little dignity by insisting that remote admins, and staff  who need off-line access to data still have to use a trusted laptop.) The gimmick is that the equipment is grossly overspecified. Over a normal day, maybe 2% of staff log on. But the farm, the gateways and the Internet access is sized for 50%, and that presented us with a problem. We have no idea whether it is could handle the planned load, as we could never arrange that many to try it at once.

We got some information from the snow day in February -- that got us up to 15%. But the G20 demos were another thing again. Staff told to work at home, and pretty much told that unless they showed up on the VPN they'd be taking the day as holiday.

The first day, we struggled. A lot of silly glitches and one big one -- the presentation servers in the farm had not been built to specification. Very easy to fix, as it happened, and the second day went smoothly with about 40% of users -- pretty much the expected number -- on line.

And that's the gift that the G20 protesters gave us. Whatever you think of Mexican Swine Flu, you can be certain that we'll have to demonstrate to the FSA that our pandemic plan is up to scratch. And, now, thanks to the crusties, we can say, confidently and truthfully (and you need both to speak to the FSA) that it is.

Thanks, guys and gals! Was that what you wanted to do for us?


OPD (1 per Decade)

Naked-eye planets, obviously.

To be honest, I never expected to see Mercury. It's much harder to spot than Jupiter, Mars, Venus and Saturn. And I haven't seen Saturn, confidently, for a while.

When I went out  to shut up the chickens at 21 my eye was captured by the one of the prettiest new moons I've seen. A tiny crescent silver sliver reclining, cradling a huge oval of earthlight in the last purple of the sunset. And there it was -- just off the moon/sun line -- the only star visible between the moon and the horizon.

I'd been tipped off by the night sky column in the LMS's BBC Focus magazine. "Surprisingly bright" it said and bright enough it was. And that's my lot. If I want to see another planet, I'll need binoculars. But the LMS is off too a good start.


How Sweet

This is mostly a funny story. "Now, boys, you are getting F grades at school for the exact same reason that you probably shouldn't bother trying to hack into the systems to change them..... "

Perhaps it's wrong to laugh. The Sumitomo hackers were prosecuted with evidence gathered by the spyware they left behind. Keyloggers are two-edged swords.


X Detectors

This is an interesting story on the BBC. It appears that as part of their probation, a pilot sample of convicted sex offenders are to be interviewed under a polygraph in an attempt to catch them sliding back into abusive behaviour.
I don't think any official body in the UK, certainly not the courts, police or the probation service are prepared to say that lie detectors "work" -- in the sense that they reliably detect when an interrogation subject is lying. The problems seem to be:

  • Unconscious physiological arousal is not solely caused by lying (should this get a "duh"?),
  • Some very dangerous people lie without turning a hair,
  • Guilty subjects are disproportionately motivated to inform themselves about the devices and learn to overwhelm their measured responses with willed arousals,
  • The innocent are undone by the free-floating guilt that afflicts so many of us (sometimes seriously), or by "false" positive rates that the American Polygraph Association seems to believe range up to 15%.
So this has been an obstacle to adoption of lie detectors in the UK. They don't work, and even if they did sort-of work the false positive rate would be oppressive in an population where even a small proportion of  people are guiltless. But investigators and enforcers love the idea of the polygraph: it's just so sciencey and promises an amazing shortcut. What polygraph enthusiasts want is a group which no-one will defend, which is universally assumed to be permanently guilty, and it looks like sex offenders are chosen.

The bit that interested me is the quote from Professor Don Grubin, the man behind the tests:
"Disclosures made during polygraph examinations, as well as conclusions drawn from passed or failed examinations, allow probation officers and the police to intervene to reduce risk ... Just as important, it is also aimed at enhancing the co-operation of offenders with supervision, helping them to focus on, and avoid, the sorts of behaviours that make re-offending more likely."
That is a very careful statement indeed, and I hope the Beeb haven't picked out something unrepresentative. Grubin is a proper academic at a proper university -- Newcastle -- where the university profile identifies his current approaches to sex-offenders as being polygraphy and Prozac. And on the strength of this quote, it seems that he finds the chief value of a lie detector is that it's called a "lie detector". He does mention passes and failures, but his focus is on the interview itself. It appears that the purpose of the "lie detector" is not to spot lies, but to persuade the subject that telling the truth is the best plan.

Now I don't think this necessarily a bad thing. We needn't worry about intelligent psychopaths who can fool the machine -- because this isn't about the interviewer believing the results. There's no objection to interviewing probationers -- it beats prison, and interviews in these particular cases might actually be helpful.

A little bit of stagy flim-flam in the form of lie detectors doesn't really make a moral difference -- it's on the same level as good cop/bad cop or Reid. I do worry that the idea of polygraphs as a worthwhile tools of investigation will acquire an spurious respectibility -- we mustn't reach a situation where a spoken denial plus a "lie" response is treated as a confession. I worry that if this goes beyond the pilot, it'll create a constituency of "skilled polygraph operators" which will tend to expand its area of operations regardless of value. But overall, when many of these subjects -- people convicted of nasty crimes with a huge recidivism problem -- believe that the impressive device can read minds, that's good, provided no-one, er, lies about it. And that's the rub.

Professor Grubin is treading a careful line. Somewhere on the continuum from
  • "this machine has no real function, but we hope you will believe, mistakenly, that it is a lie detector", through
  • "this machine records your physiological arousal and correlates it with your answers to the questions I ask", and
  • "this is a polygraph, more commonly called a lie detector", right up to
  • "this machine will tell me if you lie"
there is a moral limit. Grubin knows it's there. He's going to spend the next three years wondering whether he's gone over it.

And if we want to avoid dancing around with truth and falsehood we need a better name than "Lie Detector". The machines may have a use, but detecting lies isn't it.

[Updated 2012-07-20 when the pilot completed. Para after the bullets expanded to identify the appeal of  sex offenders as a target for this.]


Naming More Risks

On the theory that risks need names, here's a couple more from the recent Sumitomo bank job.

  • O'Donoghue (Kevin) risk: Bent security guards.
  • Rodley ("Lord" Hugh) risk: Dealing with stereotypical peers who aren't in Debrett's. Check the photo in the BBC report....
There are some lessons there as well.
  • First reports are generally wrong. On the morning the arrests were made, I was told to drop everything and check out all machines with access to SWIFT for keyboard loggers. Which would have made sense -- probably does always make sense -- but wasn't relevant to the facts of this attack, which was based on software loggers.
  • Access control around documentation is not security by obscurity. Or if it is, then SbO works. Because what allowed Sumitomo to keep its funds was the mild complication of the fund transfer setup.
  • Business-hours limitations would have made sense, too.

Spam Counter - 2009 Mar: 939

At least it's not going up.
"Update your manhood here and now" (upgrade?)