Archive of the category: English

Posts in English

The 6 Cutest Animals That Can Still Destroy You

»If animals could talk, they would spend most of their time calling us dicks and telling us to get off their land. The traits we think of as „cute“ are often simply tricks animals have developed to get tourists to throw them food.

Here are six animals that you’ll probably want to steer clear of, no matter how adorable they look on that wall calendar. (…)«

(The 6 Cutest Animals That Can Still Destroy You)

The Fear Factory

The Rolling Stone has an article on homegrown terrorism in the U.S., grown by task forces that are supposed to fight terrorism:

»The FBI now has more than 100 task forces devoted exclusively to fighting terrorism. But is the government manufacturing ghosts?«

Manufacturing ghosts makes a lot of sense, marketing-wise, if you are an officially appointed ghostbuster.

(via Telepolis)

A Rationalist Approach to Risk Assessment

»I believe smoking bans are doing great damage, and not only economic damage. They promote intolerance, social tension and a ‘stool pigeon’ culture. They ostracise a large and law-abiding segment of the population. They set a worrying precedent for all kinds of other social engineering. And they bring Nanny into Nightlife: the last place she belongs.«

Over at Plazeboalarm they celebrate (in German) an essay by Joe Jackson, Smoking, Lies and The Nanny State (PDF), and rightly so. He perfectly demonstrates a rationalist approach to risk assessment, one based on facts rather than on opinion and hidden agendas. He also demonstrates how real and unreal health risks can be abused politically and possibly lead to a much worse outcome, even if the original risk fought was real.

Even though not everyone may agree with him, even if the factual basis of his essay were wrong (I didn’t verify his numbers yet), he reminds us of the virtue of skepticism. Even experts can be wrong. Terribly wrong, sometimes:

»It has become ‘common knowledge’ that smoking is one of the worst things you can possibly do to yourself; ‘all the experts agree’. Of course, ‘all the experts’ once agreed that masturbation caused blindness, that homosexuality was a disease, and that marijuana turned people into homicidal maniacs. In the 1970s and 80s British doctors told mothers to put their babies to sleep face-down. Cot deaths soared, until a campaign by one nurse succeeded in changing this policy, which we now know to have claimed something like 15,000 lives.«

No matter how you feel about smoking, read his essay and try to grasp the many points he makes that are not immediately related to cigarettes and tobacco but rather to rationalism and workable ways of running a society. A must-read for everyone. Conspiracy theories about the tobacco industry are not an acceptable excuse.

Will HTML 5 Promote Insecure Programming? Maybe not.

[Notice for our international readers]

A few days ago the W3C published the first draft of HTML 5. One of the many new features struck me as a possible amplifier for insecure programming: HTML 5 extends the type attribute of the input element to support URLs, e-mail addresses, date, time, and other types. The rationale for the new types reads (emphasis by me):

»The idea of these new types is that the user agent can provide the user interface, such as a calendar date picker or integration with the user’s address book and submit a defined format to the server. It gives the user a better experience as his input is checked before sending it to the server meaning there is less time to wait for feedback.«

Now this is a really old theme in Web (in)security. The Web as a programming platform invites errors in input validation and sanitization by giving the programmer equally powerful tools for two different domains of trust, the client and the server. Client-side input validation does make sense and is desirable for usability reasons, but it cannot replace server-side enforcement: the server never controls what a client actually sends.

Consequently, one all too common mistake in Web application programming is to validate or sanitize data on the client side but not on the server side, where one must not rely on any assumptions regarding client behavior. At first glance, the above-mentioned extensions seem to provoke even more of these mistakes by improving the client-side features, thus making them more attractive.
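To make the point concrete, here is an added example that is not code from the original post: a Node.js fragment that re-validates, on the server, the three fields a hypothetical form declares as `type="email"`, `type="url"` and `type="date"`. The field names (`email`, `homepage`, `dob`), the two sample request bodies and the acceptance rules are constructed for this example; whatever the browser has already checked, the server treats each field as untrusted text and checks it again.

```javascript
// Server-side re-validation of HTML 5 typed inputs (added example, not from the post).
// Assumed form: <input type="email" name="email">, <input type="url" name="homepage">,
// <input type="date" name="dob">. A compliant browser may refuse to submit bad values,
// but any HTTP client can send arbitrary bytes, so nothing below trusts the client.

const MAX_EMAIL_LENGTH = 254;
const MAX_URL_LENGTH = 2048;

// Simplified e-mail gate: exactly one "@", no whitespace, a dot in the domain part.
// Deliberately conservative; it is not a full RFC 5322 parser.
function validateEmail(value) {
  if (typeof value !== "string" || value.length > MAX_EMAIL_LENGTH) return false;
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Only absolute http(s) URLs with a host are accepted, parsed by the WHATWG URL class
// rather than by a hand-written regex.
function validateUrl(value) {
  if (typeof value !== "string" || value.length > MAX_URL_LENGTH) return false;
  let parsed;
  try {
    parsed = new URL(value); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return (parsed.protocol === "http:" || parsed.protocol === "https:") && parsed.hostname !== "";
}

// type="date" submits YYYY-MM-DD; verify the shape and that the calendar day exists.
function validateDate(value) {
  if (typeof value !== "string") return false;
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(value);
  if (!m) return false;
  const year = Number(m[1]);
  const month = Number(m[2]);
  const day = Number(m[3]);
  const d = new Date(Date.UTC(year, month - 1, day));
  // Date.UTC silently rolls 1990-02-30 over to 1990-03-02, so compare the parts back.
  return d.getUTCFullYear() === year && d.getUTCMonth() === month - 1 && d.getUTCDate() === day;
}

// One validator per expected field; unknown fields are ignored, missing ones are errors.
const FIELD_CHECKS = {
  email: validateEmail,
  homepage: validateUrl,
  dob: validateDate,
};

// body: the raw application/x-www-form-urlencoded request body as received.
// Returns the accepted values plus a list of per-field errors for the caller to report.
function validateSubmission(body) {
  const params = new URLSearchParams(body);
  const errors = [];
  const values = {};
  for (const [name, check] of Object.entries(FIELD_CHECKS)) {
    const value = params.get(name);
    if (value === null) {
      errors.push(`${name}: missing`);
      continue;
    }
    if (!check(value)) {
      errors.push(`${name}: invalid`);
      continue;
    }
    values[name] = value;
  }
  return { ok: errors.length === 0, errors, values };
}

// Constructed sample bodies: one as a browser honouring the input types would send it,
// one hand-crafted with values the browser's own checks would have refused.
const BROWSER_BODY = "email=alice%40example.org&homepage=https%3A%2F%2Fexample.org%2F&dob=1990-02-28";
const CRAFTED_BODY = "email=alice%20at%20example.org&homepage=ftp%3A%2F%2Fexample.org%2F&dob=1990-02-30";

console.log(validateSubmission(BROWSER_BODY)); // ok: true, three values
console.log(validateSubmission(CRAFTED_BODY)); // ok: false, three errors
```

The design point is that the server-side rules are written without reference to what the client promised: the same `validateSubmission` runs whether the body came from the HTML 5 form, from an older browser that ignores the new `type` values, or from a script. The client-side picker improves the user's experience; only the server-side check is a security control.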

The new feature makes generating code easier, though, which means it may become easier to develop and use frameworks instead of hand-coding. This would be good, security-wise, as one framework usually makes fewer errors than hundreds or thousands of programmers.

At this time, both theories seem equally plausible to me. Empirical studies, anyone?

5 dangerous things you should let your kids do

»Gever Tulley, founder of the Tinkering School, talks about our new wave of overprotected kids — and spells out 5 (and really, he’s got 6) dangerous things you should let your kids do. Allowing kids the freedom to explore, he says, will make them stronger and smarter and actually safer.«

5 dangerous things you should let your kids do (video, 9:20)

Attitude Adjustment Needed?

[Notice for our international readers]

I have no idea what went wrong today when a British Airways jet crashed short of the runway at London Heathrow. Nobody does at this point; we’ll have to wait for the results of a thorough investigation, which will undoubtedly be carried out for this crash as for any other. This is the way the aviation community learns from mistakes all around the world.

So there would not be much to say about this accident, had I not tripped over a statement that BBC News quotes prominently in their online coverage of the events, attributed to David Learmount, air transport expert:

»BA pilots don’t make error of judgements of that type, especially not at the home base, let alone anywhere else«

This is not the appropriate attitude towards safety and the causes of accidents. In reality, pilot or flight crew error is the primary cause of accidents in aviation. At this point, let me repeat myself, we don’t have the slightest idea what caused this crash, but we know for sure that even BA pilots make errors of judgement, perhaps even of this particular type.

To be fair, in my experience with the media, a sentence like this is one short snippet selected by a journalist out of a longer conversation. It may not entirely represent what was said, and our air transport expert may be innocent. However, in the particular way in which it appears on the BBC page, emphasized through page layout and ripped out of its possible context, it is just plain wrong.

Update:

  • The Man in a Shed points out: »It is worth speculating as to why all BA 777’s and other airline 777s haven’t been grounded given the reported total electrical failure of the aircraft. Perhaps something is known about the cause after all.« I’m afraid he might have wrong expectations about aircraft being grounded. This is not the common reaction to any incident or accident unless it is obvious that there would be a high, immediate danger in not doing so.
  • Kevin Anderson criticizes the Times’ coverage of the events.
  • Holly of PlaneBuzz discusses the many ways in which this accident is perplexing. This is exactly why it needs to be investigated.
  • Juan Antonio Giner of Innovations in Newspapers noticed a BA ad in the middle of a news report on the accident, and has further comments on the reporting.
  • Jon, too, complains about the style of reporting and recommends that we wait for the results of the investigation.

Helen Keller on Security

»Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing. To keep our faces toward change and behave like free spirits in the presence of fate is strength undefeatable.«

Helen Keller, deafblind American author, activist, and lecturer. Quote found here.

Important Lessons on Bicycle Safety

Cycling per se isn’t any more dangerous than other kinds of road use. However, the specific risks encountered sometimes differ from those of other road users. More importantly, real risks and appropriate countermeasures are not always in line with perceived risk and the measures cyclists take out of fear. A cyclist may feel threatened in situations that are rather harmless and fail to see risks in situations that are not. That’s all too human, but in order to be safe one needs to reduce real, not perceived, risk.

Under the heading »How to Not Get Hit by Cars« BicycleSafe.com explains ten types of collisions that cyclists are commonly involved in, and explains how to avoid them. As far as I can tell (I’m a cyclist and a scientist but not a cycling scientist) all the scenarios and tips make sense and follow the general concept of vehicular cycling. Read these lessons, and teach them to your children.

Most WordPress Blogs Vulnerable

»Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, ‘The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.’ Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: ‘WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.’«

Slashdot | Survey Finds Most WordPress Blogs Vulnerable

The Monster Approach to Testing

What’s going on in our security test lab? That’s a long story I cannot tell in a single post. Security testing is a mixture of structured analysis and playful exploration. The latter boils down to a single rule: try the most irregular, stupid, nonsensical, unexpected action that comes to your mind. Chances are that the developers of a system did not think of it precisely because it’s so irregular, stupid, nonsensical or unexpected. And always question the vendor’s claims – as well as your own assumptions.

The Sesame Street Computer Monster in this video does just that:

Olympiad of Misguided Geeks

Worse Than Failure, formerly known as The Daily WTF, is running the Olympiad of Misguided Geeks contest:

»Readers are invited to be creative with devising a calculator with the craziest code they can write. One lucky and potentially insane winner will get either a brand new MacBook Pro or comparable Sony VAIO laptop.«

The goal is:

»… to solve an incredibly simple problem using the most obscenely convoluted way imaginable. And for this first contest, the simple problem is to build and implement the logic for a four-function calculator.«

Submissions are due May 14, 2007, 11:59 PM EST.