Injecting RDS-TMC Traffic Information Signals a.k.a How to freak out your Satellite Navigation
To be updated after lunch
1 year ago
Building and Breaking the Browser - Mozilla Project
Mozilla is continuously looking for vulnerabilities, shipping security updates on a regular schedule.
- Don’t have to wait for a major release to get the benefit of the security work Mozilla is doing. “It's not nice to force customers to pay for an upgrade to get security fixes.”
Tools capture expertise so that non-experts can behave more like experts.
Mozilla’s metrics:
*Severity - helps prioritize what to fix first and when to ship.
*Fix rate - how long does it take to fix bugs?
*Time to deploy
Security stuff for the future:
*API stability
*Session restore
*Enhanced phishing and malware protection
*Larry shows site security
*Reflow rewritten, large test suite added
*Cycle collector
*Moving to cairo
*Even faster and fancier text and graphics
JavaScript Fuzzer - creates JavaScript function bodies and runs them (also decompiles them)
Creates the functions using a bunch of mutually recursive functions:
- makeStatement
- makeExpr
JavaScript Fuzzer found 280 bugs in Firefox (~exploitable)
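As an added example that is not Mozilla's own fuzzer code, here is a toy version of the approach the talk describes: mutually recursive makeStatement/makeExpr generators, a compile-run-decompile-recompile loop, and a seeded PRNG (my assumption, so failures can be replayed from their seed).

```javascript
// Added example, not Mozilla's jsfunfuzz: a minimal grammar-based fuzzer in the
// style described above. makeStatement and makeExpr call each other to build a
// random function body, which is compiled with the Function constructor, run,
// decompiled with toString() and recompiled, so a decompiler bug surfaces as a throw.
// Small seeded PRNG (mulberry32) so any failure is reproducible from its seed.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), 1 | s);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];
const LEAVES = ["x", "y", "0", "1", "'s'", "null", "[]"];
// Expressions: leaves, binary/unary operators and conditionals; `depth` bounds the
// recursion. Operands are parenthesised so "-" next to "-" never fuses into "--".
function makeExpr(rng, depth) {
  if (depth <= 0) return pick(rng, LEAVES);
  const sub = () => makeExpr(rng, depth - 1);
  switch (pick(rng, ["bin", "unary", "ternary"])) {
    case "bin":   return `(${sub()} ${pick(rng, ["+", "-", "*", "==", "&&"])} ${sub()})`;
    case "unary": return `${pick(rng, ["!", "-", "typeof "])}(${sub()})`;
    default:      return `(${sub()} ? ${sub()} : ${sub()})`;
  }
}
// Statements: declarations, branches, a bounded loop, try/catch and return.
function makeStatement(rng, depth) {
  if (depth <= 0) return `return ${makeExpr(rng, 0)};`;
  const st = () => makeStatement(rng, depth - 1), ex = () => makeExpr(rng, depth - 1);
  switch (pick(rng, ["var", "if", "for", "try", "return"])) {
    case "var":  return `var ${pick(rng, ["x", "y"])} = ${ex()}; ${st()}`;
    case "if":   return `if (${ex()}) { ${st()} } else { ${st()} }`;
    case "for":  return `for (var i = 0; i < 3; i++) { ${st()} }`;
    case "try":  return `try { ${st()} } catch (e) { ${st()} }`;
    default:     return `return ${ex()};`;
  }
}
// One fuzz iteration: compile, run, decompile, recompile. A throw from the last
// step is the kind of finding that gets minimised and filed as an engine bug.
function fuzzOnce(seed, depth = 3) {
  const body = makeStatement(makeRng(seed), depth);
  const fn = new Function("x", "y", body);       // compile
  try { fn(1, 2); } catch (e) { /* runtime errors in random code are expected */ }
  const src = fn.toString();                      // decompile
  new Function("return " + src)();                // recompile the decompiled text
  return { body, roundTripped: true };
}
```

Run fuzzOnce over a range of seeds; a real fuzzer would also vary the grammar and keep the failing body for minimisation.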
1 year ago
Black Hat Vegas 2007
Keynote: The Psychology of Security - Bruce Schneier
Security is both a feeling and a reality. And they’re not the same.
Security is a trade-off. This is something I have written about extensively, and is a notion critical to understanding the psychology of security. There’s no such thing as absolute security, and any gain in security always involves some sort of trade-off.
There are several specific aspects of the security trade-off that can go wrong. For example:
- The severity of the risk.
- The probability of the risk.
- The magnitude of the costs.
- How effective the countermeasure is at mitigating the risk.
- How well disparate risks and costs can be compared.
“Common Sense” About Risks
INSERT CHART HERE
Risk Heuristics: Prospect Theory
When things are phrased in terms of a “sure win” people are more likely to choose the sure win. When things are phrased in terms of a “sure loss” people are more likely to choose a risky loss.
Endowment Effect- Sell price is twice asking price.
Other Heuristics:
* Optimism bias
* Control bias
* Risk involving people
* Risk involving children
Availability Heuristic:
- We believe that something is more probable the easier it is for us to recall (TV messes this theory up)
Vividness:
Other:
* The worst memory tends to be the most available
* Hindsight bias - people mis-remember what they originally thought
Representativeness :
* We tend to think something is more probable the more it fits the stereotype in our head
Cost Heuristics: Mental Accounting
* Amount of an actual item matters and not the amount saved
Time Discounting:
Choice bracketing:
*you can give your boss 3 choices and put yours in the middle
When we make our decisions in bulk we tend to have less variety
The higher number you see the higher number you guess - hand people random data and they fixate on it.
People have very fine tuned perceptions of risk and cost but they are based on heuristics.
*Let’s understand these brain biases to overcome them.
*Let’s understand these brain biases so we can exploit them (like banks, commercials).
We as a community need to spend more time on how people perceive security.
Books:
Stumbling on Happiness - Daniel Gilbert
For More Information Visit Bruce Schneier’s: The Psychology of Security
1 year ago