Shostack + Friends Blog Archive


SHB Session 1: Deception

Frank Stajano: Understanding Victims, Six Principles for Systems Security

Real systems don’t follow the logic we think about. Fraudsters understand victims really well. Working with the UK TV show “The Real Hustle.” Draft paper on the SHB site.

Principles: distraction, social compliance, herd principle, deception, greed, dishonesty.

David Livingstone Smith

What are we talking about? Theoretical definitions: that which something has to have for a term to apply. Deception is difficult to define properly: not just false belief, but induced false belief which the inducer knows to be false. Can’t be based entirely on human deception: animals deceive. Mirror orchids deceive wasps with chemical signals and flowers that look like wasps. Deception is evolved or learned behavior which causes a victim to fail to behave the way it has learned or evolved to behave.

Bruce Schneier

3 short things: (1) how we buy security: we want things out of fear or greed. Security sold based on greed doesn’t seem to work. (2) Conficker didn’t take over very much: dates mattered a lot (April 1); news media could hook a story on the date, but the update a week later wasn’t noticed. (3) science fiction writers: the US government hires them to imagine threats. A paper on risk analysis showed that formal analyses didn’t get the right risks. Control bias, availability heuristic, peak-end rule.

Dominic Johnson: Paradigm Shifts in Security Strategy

Book: Natural Security: A Darwinian Approach to a Dangerous World. Evolution is 3.5 billion years of security problems and solutions. The 9/11 threat was recognized but no preparation was executed. Slow or no adaptation over time; sudden adaptation after disaster. Ties in Kuhn’s paradigm shifts, Foucault’s moments of rupture, punctuated equilibrium, “economics progresses with each funeral.” Hypothesis: adaptation after disaster. Predictions: policy changes follow disasters. Selected “policy watersheds since 1945” from the Army War College. Causes: a set of biases: sensory, psychological, leadership, organizational, political.
Dominic Johnson’s page

Jeff Hancock

Psychologist who studies interpersonal deception. Interested in how tech shapes the way we lie, and whether it can help detect lies. Most people lie for reasons: few lie for fun. Studied online dating: men lie about height, women lie about weight. People on social networking sites are “ridiculously honest.” A study on resumes showed people were more honest when they expected resumes to be posted to LinkedIn. “Warrants” concept (didn’t capture well, sorry.) Many major scandals of the last 5 years involve email. Tech shapes the ways in which we lie.

Detection: everything is becoming textual. Processing advances allow us to process more and more text faster. Are there ways to detect lies in text? Examined some corpora. Lies often involve “social distancing.” Use of the first person singular drops as lies increase. Dating sites: more lies, less “I.” Looked at Bush administration statements about Iraq, compared to other statements on the same day. If belief states were the same, then first person singular usage should be the same. The effect size was so large that they re-checked the data. Causative complexity and other measures all point to knowing deception. Politicians tend to be highly aware of language; maybe these markers are hard to control.

Update: Bruce Schneier’s notes are here.