G R A N T   S T A V E L Y

Text Adventures

You see an article or a twitter toot or whatever.
> read the thing
 
You see a link that looks interesting.
> click the link

You just made Mike Arrington some cash.
> undo

I'm sorry, I don't understand "undo"
> damnit

Swearing won't help.

Enough of that

No thanks, right? I mean it's all well and good to just close the tab, of course, when you go to a site you don't want to work for, but the ads have already loaded. That's revenue. Gross.

The web isn't a passive medium. These links can be fixed to go to better sites. The web isn't a passive medium.

So I made this greasemonkey script to zap all links to all the sites I don't want to work for. Zap them dead. If it's too late—say a shortened url tricked me—I'd rather see a goat scream like a man than see what a mistake I just made, so it does that too. You can edit it to do something less drastic of course, but where's the fun in that?

Also dude—javascript-massaging the HTML DOM is so relatively simple and easy that an idiot like me can do it. So should you. Look at this. You can do this. The web isn't a passive medium.
  var url = location.href;
  // add all the domains here (alternatives separated by |)
  var natch = /(DOMAINS YOU WANT TO AVOID GO HERE)\.\w+\//;

  // Serious options
  // var ohShit = 'about:blank';
  var betterLink = '#';

  // Comedy options
  var ohShit = 'http://grantstavely.com/evil/';
  // var betterLink = ohShit;

  // if it's too late: the page we are already on matches, so leave it
  if (url.match(natch)) {
    window.location = ohShit;
  }

  // if it's not too late: rewrite every matching link on the page.
  // getElementsByTagName returns a live collection, but each replacement
  // is itself an <a> at the same position, so the length and index stay stable.
  var list = document.getElementsByTagName('a');
  for (var i = 0; i < list.length; i++) {
    if (list[i].href.match(natch)) {
      var scream = document.createElement('a');
      scream.setAttribute('href', betterLink);
      scream.innerHTML = list[i].innerHTML + "<sup>✌</sup>";
      list[i].parentNode.replaceChild(scream, list[i]);
    }
  }

Run that against the entire web and it neuters the nasty links, and marks them so that it's obvious.
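The script above decides by running a regex over the whole href string, which is the simplest thing that works but has two edges worth knowing about: a pattern like /(badsite)\.\w+\// fires wherever that text appears, including inside a query string on an unrelated site, and it misses an href with no trailing slash or a two-part suffix like .co.uk. The following is an added example, not the original script, that matches on the parsed hostname instead; the domain names, the page URL and the anchor objects in the test are constructed placeholders.

```javascript
// Added example (not the original greasemonkey script): decide by parsed
// hostname rather than by a regex over the raw href string.
// The domains below are constructed placeholders.
const AVOID = ['badsite.example', 'clickbait.example'];

// True when the hostname is one of the listed domains or a subdomain of one.
// "badsite.example.evil" does NOT match, which the original regex would allow
// to slip through as a substring match in the other direction.
function isAvoided(hostname, avoid = AVOID) {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop a trailing dot
  return avoid.some((d) => host === d || host.endsWith('.' + d));
}

// Resolve the href against the page it appears on, the way the browser does,
// so relative links ("/foo") are judged by the page's own host. Anything that
// is not http(s), or does not parse, is left alone.
function linkIsAvoided(href, pageUrl, avoid = AVOID) {
  let parsed;
  try {
    parsed = new URL(href, pageUrl);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return isAvoided(parsed.hostname, avoid);
}

// Neuter every avoided anchor in place: point it at "#" and append a marker.
// `anchors` is any array of objects with getAttribute/setAttribute/textContent,
// e.g. Array.from(document.getElementsByTagName('a')) in a browser.
// textContent is used instead of innerHTML so no markup is re-parsed.
// Returns the number of links rewritten.
function neuterLinks(anchors, pageUrl, avoid = AVOID) {
  let count = 0;
  for (const a of anchors) {
    const href = a.getAttribute('href');
    if (href && linkIsAvoided(href, pageUrl, avoid)) {
      a.setAttribute('href', '#');
      a.textContent = a.textContent + ' \u270C'; // the same "victory hand" marker
      count++;
    }
  }
  return count;
}
```

In a browser the "too late" check becomes linkIsAvoided(location.href, location.href) and the sweep is neuterLinks(Array.from(document.getElementsByTagName('a')), location.href); the functions are kept DOM-free so the matching logic can be tested outside the browser.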

Well, I think it's fun.

Install the greasemonkey script

(You need greasemonkey for it to work)


The Cant

We are sorry to see you go

Please enter your e-mail address below to unsubscribe from Acme e-mails.


The Truth

We're gonna need to throw a few final switching barriers down. We're not sorry one bit. The guy that came up with doing it this way got a bonus. You shoulda seen the pie charts and change in market performance vis-a-vis the declining rate of successful unsubscribes. I mean. Fuck. Wow. Great stuff.

Please submit to Acme's passive aggressive switching cost by entering the email address we already knew and could have built into the link in the e-mail that got you, but we didn't. On purpose. Natch.

Oh, whoops, forgot the entry form, silly Acme.

Submit. I love that we labeled it "Submit". Anyway. So's we don't get sued or something:


I've always called this collection of phenomena thermostat fallacies, but my dad does HVAC for a living, so, go figure. I'm not even sure that they are proper fallacies.

The premise

In our cars, the analog dial or lever spanning a blue triangle stacked on a red triangle presents an analog blend of temperatures. At least that's how they used to work. But in analog home thermostats, and increasingly in cars, in multiple zones even, the temperature dial offers "now" and "target" temperatures.

This can confuse the crap out of people.

Anyway, in the car, with the old fashioned thermostat, most of us start out with the dial cranked to all hot or all cold and then adjust to comfort. Being uncomfortable is uncomfortable; we seek its undoing with a vengeance. We don't want the inside of the car to be 85°F in February, we just want it to be 68°, or whatever, faster than if we asked the car vents to spit out 68° air.

But home thermostats don't work that way, and not letting that stop the mind from thinking that they do is what I call the thermostat fallacy. It has three faces. I'll present them here as design patterns.

Do not try to put significant figures into a binary bucket

For example: Coming home cold, and raking the analog home thermostat dial up to 85°. If the house is already 64°, setting the thermostat target to 70° or setting the thermostat target to 85° makes no difference whatsoever. That's just how the things work. 85° doesn't fit into the on/off bucket, it fits into the "stop when" bucket. The heating and air conditioning is not working harder, it's just running longer, and will eventually boil the frog.

Do not represent a binary state with exclusively insignificant figures

This is the inverse of the standard thermostat fallacy and better demonstrated in other technologies.

For example: Nearly every instance of numbered badges of unread email, unread RSS and atom subscription articles, unread twitter posts, unread whatever are representing "you have unread items" with "you have a specific-yet-useless number of unread items."

You see, if the badge says 43 now, and five minutes later, it says 44, it still only conveys "There is unread email". The number lacks context but it still has to be parsed. More importantly, there is no unit-comparability. All of those messages could be spam, or one could be a life changing job offer, and so on.

Do not expect insignificant figures to have unit-comparability

For example: Insisting thermostats at separate houses set at the same temperature are creating the same environment in spite of perceived differences in temperatures caused by room layout, thermostat placement, humidity, elevation, and so on.

This is a big one. I consider it an instance of ceteris paribus, or the all else equal fallacy. It's what leads people to wonder why Oscar the Grouch doesn't just go to college and get a job, damnit.

So?

Significant figures matter, but when human perception is the target, and not scientific measuring apparatus — lossy compression isn't just okay, it's humane. The mind works better in some cases with fuzzy numbers than specifics. When numbers can't be avoided, keep the thermostat fallacies in mind when working with them.


Given an effectively infinite set of behaviors, and a limited set of actors, the simplest and most common control strategy to restrict the behavior of actors seems to be:

  1. Deny any known forbidden actions.
  2. Permit all other actions.

But consider the numbers involved.

  1. Deny finite known forbidden actions.
  2. Permit infinite unknown actions.

Okay, so for a behavior control equation that’s something like:

For y equal to ∞ – n finite knowns: ∞ – y = ∞

I’m not good with math. But that’s definitely an infinity over there. OK, so arguably it’s an infinity on both sides and we are playing with imaginary numbers, literally, but I hope the point is still clear.

This actually works quite well in practice. Consider: An escape artist tied to a chair seems to be restricted by a strong control to prevent the undesired action of escape from a room. But the rope leaves the escape artist free to do anything, so long as that thing isn’t one of the many, yet finite, activities that the rope restricts, like, say, escaping, or doing jumping jacks, or square dancing.

Two components of that are interesting.

  1. The control is restricting actions that aren’t forbidden.
  2. The control is allowing infinite unknown behaviors to continue without restriction.

Doing jumping jacks in the room is not escape from the room. Neither is square dancing, however goofy it may be. In fact, forced jumping jacks or square dancing might be better controls than the rope — they are distracting, require dextrous locomotion, and in the case of square dancing, a guard could keep hold of the escape artist’s arm the entire time.

You see, this is when many practitioners argue for defense-in-depth. OK, they say, we’ll lock the room, and we’ll use a strong chair, and we’ll put chains on top of the ropes, and fill the room with water to 8 inches below the ceiling, and so on until you get sick just hearing from them. Escape artists design their tricks to be loaded with defense-in-depth security theater, it makes the escape look less like a foregone conclusion.[1]

But no matter what, that pesky infinity is still sitting there on the right side of the escape artist’s behavior controls equation. Don’t forget that, because it’s very important. Actually, mind your mediations, it’s a Lemniscate of Bernoulli sitting there, standing in for infinity. Anyway.

OK, let’s back up and try another thought experiment, with those two points in mind. Instead of wrapping an escape artist, or a prisoner, in controls; consider implementing controls to protect a cohort of data analyst workers at Acme Incorporated™ from risks, with the intent — and this is important too — with the intent that they best be able to spend their time data analysting, whatever that is. Pause for a moment and reflect that Acme’s data analysts are not prisoners because too many people get tripped up on that. The intent is risk reduction in order to promote data analysting, not just pink and naked risk avoidance.

Sure, sure, we’ll use all the standard controls from our handy principle of least privilege guide-book, restricting risky actions we have enumerated that Acme’s data analysts aren’t even interested in. We’ll use a roof and four walls to keep the analysts and their computers from getting wet every time it storms. We’ll put a guard at the door so that they don’t blow all their cash on cheap art prints from cube-to-cube rogue sales folks. We’ll block ports used by their desktop computer’s file sharing protocols with a firewall between their network and the Internet, because no one with good intentions wants to share files with them over the Internet. OK, you can even use your defense-in-depth principles and put more firewalls in different places, and put a roof over the roof, and put a guard on the guard, but please don’t go too crazy — controls add overhead, both in capital and operationally, because they aren’t free, and after all, what’s the point of a control if it isn’t monitored?

But what about controls that start to affect the analyst’s data analysting work? If we determine that an inline proxy-based web filter is a control we want to implement, how should we configure it? Do we want to restrict the analysts from watching jumping jacks videos or learning more about square dancing? Sure, the naive security practitioner says. Square dancing isn’t data analysting! Neither are any damned jumping jacks!

I promise I’m getting to the point here, we’re almost there. Skip ahead: our Acme data analyst is using the system we’ve designed.

On the web, there are effectively infinite destinations, but most usage patterns start at a search engine and end at a popular media streaming site, popular news site, popular information site, etc.

Consider the bizarre notion that our data analyst might have some free time, between data sets, and want to learn about the Allemande Left, a square dancing call I had to look up on Wikipedia to learn about.

‘Denied!’ say the prison wardens.

‘Denied!’ say the defense-in-depth practitioners.

‘Denied!’ say the principles of least-privilege.

‘Denied!’ say the curmudgeonly supervisors unable to suspend disbelief in ‘free time’.

But remember that whole infinity part. The prison wardens and defense in depth folks can only block what they know about, and in this case, things they think are related to things they know about. They think they know that video sites are bad.

Let’s exaggerate and pretend that last night’s The Bachelor had a long square dancing element to it, highlighting the Allemande Left. Attackers know this — they are depraved enough to watch The Bachelor too. They’ve spent all night hacking small blogs and turning them into sites about nothing but how great the Allemande Left goes with trojan botnet installers. Search engines have spent all night indexing these Allemande Left & Trojan Botnet Installer sites.

Enter, stage left: An analyst.

“With free time,” the choruses remind us.

The analyst searches the Internet: “Alemand left bachlor”

The search engine replies: “That’s silly, here, here are ‘Allemande Left bachelor’ findings”.

The analyst sees that the first search result is a video of last night’s The Bachelor on a tv streaming site.

click

DENIED! You are violating security policy!

The analyst returns to the search results and sees the second search result links to a clip of square dancers doing something on another popular user-uploaded-content video streaming site.

click

DENIED! You are violating security policy!

The analyst returns to the search results and sees lots of garbage sites that look kinda strange, but whatever. The search engine preview says something like: Allemande Left Alamand Left Square Dancing The Bachelor Allemendy Left The Bachlor The backlet Skware Dansing Allemen…

We know this is the proverbial wolf in sheep’s clothing.

An aside: ‘Clothing’ is a weird word choice for skin, or fur, or whatever, in that idiom, isn’t it? More importantly, our data analysts aren’t sheep, we are just really paranoid. The data analysts are human. Draw no further conclusions from the silly proverb other than the masquerade idea. Sheep are stupid, our analysts are just ignorant, busy, and have been yelled at twice now for no good reason.

The analyst clicks on the third link, praying for no more DENIED! wastes of time.

Pop goes the analyst’s browser. Pop goes the analyst’s Acrobat Reader. Silently the computer we are protecting joins a global criminal network and begins attacking websites to fill them with more Allemand Left stories and trojans.

Another aside: The analyst returns happily to data analysting the next data set. Our mission is not impacted. There is a very interesting discussion to be had down this rabbit hole, and I think it ends in a tragedy of the commons mess that will cause us to reconsider if our mission actually is impacted, but that is neither here nor there (see [1] again).

Let’s cut our thought experiment off right there because we’ve come to the point: Controls become paradoxical when their restrictions drive actors to alternative behaviors which are equally risky, or in the case of square dancing video trojan botnet installers, much more risky, than the behavior they were implemented to control.

Be ever mindful! Not only are square dancing videos, for the most part, harmless, but they are very much not the multitude of worse things the analyst could be doing with their free time.

Returning to our behavior control equation:

For y equal to ∞ – n finite knowns: ∞ – y = ∞

For every harmless element of the set y removed from ∞, the ∞ of available behaviors ratio tips 1 unit more towards undesirable.

As a design pattern, try to avoid doing that.
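The search-result walk above, and the last line about the ratio tipping, can be put into a toy model. This is an added example, not part of the original essay: a ranked result list is run through a deny-list filter of the "deny known forbidden, permit everything else" kind, the analyst takes the first result the control lets through, and we measure what share of the still-allowed options the filter knows nothing about. The hostnames, categories and the harmful flag (which the filter does not see) are constructed for the example.

```javascript
// Added example (not from the essay): a toy model of the behavior control
// equation. Constructed search results, in the order the engine ranked them.
// `known` is whether the web filter has a category for the site; `harmful`
// is the ground truth the filter cannot see (the essay's pesky infinity).
const RESULTS = [
  { host: 'tv-stream.example',       category: 'video',         known: true,  harmful: false },
  { host: 'user-video.example',      category: 'video',         known: true,  harmful: false },
  { host: 'allemande-blog1.example', category: 'uncategorized', known: false, harmful: true  },
  { host: 'allemande-blog2.example', category: 'uncategorized', known: false, harmful: true  },
  { host: 'encyclopedia.example',    category: 'reference',     known: true,  harmful: false },
];

// The common strategy: deny the finite known forbidden categories, permit all else.
function denyListPolicy(deniedCategories) {
  return (r) => (deniedCategories.includes(r.category) ? 'DENIED' : 'ALLOWED');
}

// The analyst's behavior: keep clicking down the list until something is allowed.
// Returns the result landed on (or null) and how many DENIED! screens were hit first.
function firstAllowed(results, policy) {
  let denials = 0;
  for (const r of results) {
    if (policy(r) === 'ALLOWED') return { landsOn: r, denials };
    denials++;
  }
  return { landsOn: null, denials };
}

// Of everything the policy still allows, the fraction the filter has no
// knowledge of. Removing harmless known items from the allowed set can only
// push this ratio up: that is the "tips 1 unit more towards undesirable" line.
function unknownShare(results, policy) {
  const allowed = results.filter((r) => policy(r) === 'ALLOWED');
  if (allowed.length === 0) return 0;
  return allowed.filter((r) => !r.known).length / allowed.length;
}

// Compare a control that blocks nothing with one that blocks the harmless
// video category, as in the thought experiment.
function compare(results = RESULTS) {
  const out = {};
  for (const [name, denied] of [['permissive', []], ['blockVideo', ['video']]]) {
    const policy = denyListPolicy(denied);
    const walk = firstAllowed(results, policy);
    out[name] = {
      landsOn: walk.landsOn ? walk.landsOn.host : null,
      harmful: walk.landsOn ? walk.landsOn.harmful : null,
      denials: walk.denials,
      unknownShare: unknownShare(results, policy),
    };
  }
  return out;
}
```

Under the permissive policy the analyst lands on the first result, a harmless streaming site, with 2 of 5 allowed options unknown to the filter; blocking the video category sends the same analyst, after two DENIED! screens, to the first uncategorized blog, with 2 of 3 allowed options unknown. The model is deliberately small: swap in your own filter's categories and a longer result list and the ratio behaves the same way.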

[1] Tomes could be written on this mess, it’s debatable, join any security mailing list and wait for the thread to revive.


@wardspan where are the cool kids?


RT @0xcharlie: Yeah! @dionthegod won the pwnie for best research. Congrats!


@jackwillk welcome, I am at the far side of the pool wishing I had my suit.


New school: The Verizon 2010 Data Breach Investigations Report: http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/


@charmsec I'll need you to set up the Skype telepresence rig you promised me. I look forward to catching up w/ those of you in LV this week!


Because @_defcon_ attendees are changing their profile pictures to network easier, I've found a video to augment mine: http://goo.gl/ATYN


@kathybarnett it's tough to cycle without going clipless. The real advantage though: Goofy shoes + Bunny-hops.


I'm clicking a cow. http://goo.gl/Wiad


"Hi, I hold ignorant and often illogical, divisive positions."

...

"refudiate—oops, refute/repudiate. *undo*"

LANGUAGE GAFFES! BURN HER!


One of our cats has a clear plastic cone-collar on 'til something clears up. Her reaction suggests she's experiencing the 4th dimension.


I͈̮͕̼͓̗͚̎͗̊̈́ͤ̋t͍͉͎͇̫̥͍̿͒̔̊̏'s͖̻̩̙̮̘͇ Z̮̱̼̟̘̙̰ͪͭa̮̗̱͙̞̻͛̂ͅl͕̋́̽d̲̰̱ͯͅo͚ͮ͑ͨ͋̋̓ ̗̳͚̯ͫ̉͐̂ͫͨḁ͚̩̗̂̂̊ͨ̊g͚͚̘̜̦̲ͦ̊ͭ̇̚ͅa̝ͥ͂ͭ̍̿ȉ͈͆ͬ̃̌n̼͙͉͚̜̾͆ͯ̾̂.


Logged User-Agent strings differing from legit ones by typos or truncation are: a) Purloined letters b) Lazy c) Stupid d) What are logs?


@will_torres uh, hey Will?

Wanna see my bracket for the World Cup?

[


Grandma.

@bbaskin An expanded URL only claims to not be a 302. The web is a Skinner box: I just frantically click on everything underlined. Yay!


I accidentally bought a large-print _Evil_Eye_The_Origins_And_Practices_of_Superstition. And you know what that means. http://goo.gl/WmAk


@jackwillk getting back into home brewing is as easy as having an address to ask @MoreBeer_B3 to send ingredients to. Go for it!


I enjoyed @cshirky's Cognitive Surplus this week.

Where Carr seems to continue rediscovering Plato on media, Shirky finds opportunity.


"Memes!", H4cKe® said, kicking up his feet to pause from writing "show-us-your-tits" jokes on his black-background website. #pebkac


@jackwillk at least you acknowledge that your fear is irrational! http://goo.gl/2kZ0