A Petty Blog

17. March 2011

The Census

Filed under: Humor — Darin @ 21:01

“I have dual citizenship. With the United States and Florida.”

OK. This is not very timely, but I still laugh out loud every time I watch.

This is from a Saturday Night Live skit, via Flowing Data.

12. March 2011

Mathematically Annoying Advertising

Filed under: From the Web, Humor — Darin @ 08:23

Financial Education

Filed under: Uncategorized — Darin @ 08:01

Tim Harford captured my attention with the opener of his recent article, Illiteracy rules:

I hope you won’t mind me setting a little test of financial literacy. You buy a new £1,000 computer and borrow money to pay for it. You have a choice: either (a) pay 12 monthly instalments of £100; or (b) borrow money at an APR of 20 per cent, meaning you pay back £1,200 at the end of the year. Which offer is better – or are they (c) identical? (The answer is at the end of this column.)

It seems a simple question, but 93% of Americans get it wrong, according to the article (so you’d better not assume you got it right.)  The article goes on to make the case that we need formal financial education.

The sophistication of financial products has increased dramatically; the sophistication of consumers has not. “Knowledge hasn’t caught up with the real world,” says Lusardi. “The important word is ‘literacy’. You can’t live in society without being able to read and write, and now you can’t live without being able to read and write financially.”

The obvious answer is financial education. But it has been tried and doesn’t seem to work terribly well. According to a survey published by Lewis Mandell of the University of Washington, financial education seems to have no impact on formal measures of financial literacy, although, puzzlingly, it does seem to improve financial decisions a little later in life.

Why doesn’t it work?  Does it not work?  I love the assessment offered by Annamaria Lusardi, an economics professor and director of the Financial Literacy Center. While the track record of financial education is not encouraging, the evidence that is available now tells us very little about whether it would work if done right. … perhaps the reason that financial education doesn’t seem to work is that nobody has tried it properly.

Ouch.

On a barely related note, Terry Zink posted a graphic the FBI put together explaining how a money mule operation works.  The article doesn’t say so, but I believe many of the mules are [willfully] ignorant of their roles.


Slightly less related is this video about online cons (again, via Terry Zink’s blog)

And one final link related only by criminality:

Criminals Steal Cars by Calling Tow Trucks

That’s right, you can just call someone to haul that car away.  Like to the scrap yard.

The law does little to protect a car’s owner when the vehicle is at least 10 years old. Thieves can call in a wrecker service and have it towed right out of an owner’s yard; they don’t even need a title.

22. February 2011

American Shame (?)

Filed under: Opinion — Darin @ 21:50

I came across this graphic at Flowing Data in America is not the best at everything.

I realize that America is not the best at everything, but I might argue about which direction we need to go to improve <grin>.

I’ve learned to look at this kind of graphic with a critical eye, starting with motivation -

  • Why is the author presenting this information?  Why did he choose this title?
  • I see that the United States is dead last.  The nations are not alphabetized, so they must be ordered, but how?  We’re not the worst at everything, so there must be some unexplained weighting to the measures.
  • There are exactly 33 countries listed.  I expect that if the United States ranked 25th, then the chart would have stopped at 25.
  • Income Inequality.  I really hate this one because it is so misguided.  If you doubled the income of every American tomorrow, that would widen the “income gap,” but everyone would be better off.  So that would be a bad thing?
  • I think I’m just plain cynical on the “Food Insecurity” data.  I suspect the definition of “need” may be an issue.

What do you think?
If you click through the graphic to Flowing Data, then to the source article, you can determine for yourself whether the author has a bias.

19. February 2011

Personal Space … and Grapes

Filed under: Psychology, Humor — Darin @ 11:33

 I like this advertisement, mostly for the psychology.

I like this video because I’ve always liked the old “got any grapes” joke on which this is based.

24. January 2011

Secret for a long happy life

Filed under: From the Web, Humor — Darin @ 18:27

A bald, wizened little man was rocking in a chair on his porch, smiling happily. A passerby, charmed by his smile, came up to him and said, “I couldn’t help noticing how happy you look. What’s your secret for a long happy life?”

“I smoke three packs of cigarettes a day,” he said with a toothless grin. “I drink a case of whiskey a week, eat fast food, and never exercise.”

“No way! How old are you?”

“Twenty-six.”
via Mikey’s Funnies…daily Christian humor email list

23. January 2011

Do Not Destroy. Urgent Documents Enclosed.

Filed under: Humor, Spam — Darin @ 16:56


DO NOT DESTROY.  DO NOT BEND.

URGENT

DOCUMENTS ENCLOSED.

Yes, this is petty,  but it grabbed my ire today and shook it.

By no stretch of anyone’s imagination is a sale flyer from Dish Networks URGENT.  It strains our language to call this “DOCUMENTS.”

Harumph.

Dear Postmaster.  Please do not destroy this letter, as I assume you do to those not otherwise marked.

19. January 2011

Security Questions Strike Again

Filed under: Security, Technical — Darin @ 09:02

I can’t seem to wrap up this security jag.  Stuff keeps happening.

This article highlights again why secret questions are a bad idea.

In a cautionary tale for users of social-networking sites, a California man has admitted using personal information he gleaned from Facebook to hack into women’s e-mail accounts, then send nude pictures of them to everyone in their address book.

Prosecutors said Bronk would scan women’s Facebook accounts looking for those who posted their e-mail addresses. He would then study their Facebook postings to learn the answers to common security questions like their favorite color or father’s middle name. He contacted the women’s e-mail providers and used the information to gain control of their accounts. He also often gained control of their Facebook accounts by hijacking their passwords…

There are at least three lessons here (if you find this alarming)

  • Don’t share passwords across accounts (Bronk stole email passwords and used them to hijack Facebook accounts)
  • Don’t give real answers to the security questions. (Bronk used the security questions to get email account passwords)

and finally,

  •  Don’t store compromising pictures of yourself on a web mail server. (duh)

16. January 2011

On Nuclear Reactors and Banks

Filed under: Technical, Opinion — Darin @ 08:56

Putting Nuclear Reactors and Banks into the same sentence seems odd to most people, but Tim Harford points out in What we can learn from a nuclear reactor that there are some important similarities.  Both are complex and tightly coupled systems.  There are similarities in their failure modes and safeguard systems — and there are similarities in the way the safeguards can fail us and cause further harm.

It might seem obvious that the way to make a complex system safer is to install some safety measures. Engineers have long known that life is not so simple. In 1638, Galileo described an early example of unintended consequences in engineering. Masons would store stone columns horizontally, lifted off the soil by two piles of stone. The columns often cracked in the middle under their own weight. The “solution” – a third pile of stone in the centre – didn’t help. The two end supports would often settle a little, and the column, balanced like a see-saw on the central pile, would then snap as the ends sagged.

Galileo had found a simple example of a profound point: a new safety measure or reinforcement often introduces unexpected ways for things to go wrong. This was true at Three Mile Island. It was also true during the horrific accident on the Piper Alpha oil and gas platform in 1988, which was aggravated by a safety device designed to prevent vast seawater pumps from starting automatically and killing the rig’s divers. The death toll was 167.

In 1966, at the Fermi nuclear reactor near Detroit, a partial meltdown put the lives of 65,000 people at risk. Several weeks after the plant was shut down, the reactor vessel had cooled enough to identify the culprit: a zirconium filter the size of a crushed beer can, which had been dislodged by a surge of coolant in the reactor core and then blocked the circulation of the coolant. The filter had been installed at the last moment for safety reasons, at the express request of the Nuclear Regulatory Commission.

The problem in all of these cases is that the safety system introduced what an engineer would call a new “failure mode” – in other words, a new way for things to go wrong. And that was precisely the problem in the financial crisis.

“… a new safety measure or reinforcement often introduces unexpected ways for things to go wrong”

We the people do not understand this principle.  We the people demand that something be done.  But often that something just makes the system more complex while introducing new modes of failure.


10. January 2011

Another Gawker bug: handling non-ASCII characters in passwords

Filed under: Security, Technical — Darin @ 21:00

Last week I dumped a bunch of information about the sorry state of passwords and the internet, mostly from Light Blue Touchpaper.  As usual, I soon ran across more information that should be included.  It turns out that Gawker had another problem.  Why should we think they are alone?

Read on if you’re interested.

Light Blue Touchpaper » Blog Archive » Another Gawker bug: handling non-ASCII characters in passwords
A few weeks ago I detailed how Gawker lost a million of their users’ passwords. Soon after this I found an interesting vulnerability in Gawker’s password deployment involving the handling of non-ASCII characters. Specifically, they didn’t handle them at all until two weeks ago, instead they were mapping all non-ASCII characters to the ASCII ‘?’ prior to hashing them. This not only greatly limited the theoretical space of passwords, but meant that passwords consisting of any n non-ASCII characters were equivalent to ‘?’^n. Native Georgian or Korean speakers with passwords like ‘రహస్య సంకేత పదం’ or ‘비밀번호’ were vulnerable to an attacker simply guessing a string of question marks. An attacker may in fact know in advance that some users are from non-Latin countries (for example by looking at their email addresses) potentially making this more easily exploitable.

We users-of-ascii-english have it easy — and hard in a way.   I have had to deal with related issues in recent years, primarily because C/C++ does not account for non-ascii characters for sorting unless you take special steps.  That causes ordering and uniqueness issues as soon as you run into data with accented characters.
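The password bug quoted above, reproduced next to a corrected encoding step. This is an added example, not code from Gawker or Light Blue Touchpaper; the use of PBKDF2, the salt, the round count and the sample passwords are assumptions made for the demonstration.

```python
import hashlib
import hmac
import unicodedata

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt
ROUNDS = 10_000                  # assumption, kept low so the demo runs quickly


def lossy_bytes(password: str) -> bytes:
    """The flawed step: every non-ASCII character is replaced by b'?'."""
    return password.encode("ascii", errors="replace")


def utf8_bytes(password: str) -> bytes:
    """Corrected step: normalize (NFKC), then keep every code point as UTF-8."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def stored_hash(password: str, to_bytes) -> bytes:
    """Derive the stored verifier using the given string-to-bytes step."""
    return hashlib.pbkdf2_hmac("sha256", to_bytes(password), SALT, ROUNDS)


def verify(candidate: str, stored: bytes, to_bytes) -> bool:
    """Constant-time check of a login attempt against the stored verifier."""
    return hmac.compare_digest(stored_hash(candidate, to_bytes), stored)


def collapsed(passwords, to_bytes) -> int:
    """Number of distinct passwords lost to collisions in the encoding step."""
    return len(set(passwords)) - len({to_bytes(p) for p in passwords})


# Constructed sample passwords: four characters each, none of them ASCII.
SAMPLES = ["비밀번호", "пара", "密码密码", "ключ"]

if __name__ == "__main__":
    weak = stored_hash("비밀번호", lossy_bytes)
    strong = stored_hash("비밀번호", utf8_bytes)
    print("lossy store accepts '????':", verify("????", weak, lossy_bytes))
    print("utf-8 store accepts '????':", verify("????", strong, utf8_bytes))
    print("passwords collapsed (lossy):", collapsed(SAMPLES, lossy_bytes))
    print("passwords collapsed (utf-8):", collapsed(SAMPLES, utf8_bytes))
    # Normalization edge case: precomposed and combining forms of the same text
    # must hash identically, or users get locked out when switching keyboards.
    print("é forms match:", utf8_bytes("caf\u00e9") == utf8_bytes("cafe\u0301"))
```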
