Sunday, July 12, 2015

A simple way to make your site more secure

Let users have different passwords for web logins and mobile logins.

Why?  Because in my desktop browser I can use a password manager to store strong passwords.  In your proprietary mobile app, I will (almost certainly) have to type the password in manually, and on a tiny keyboard, which makes it almost impossible to use a strong password in that context.  Also, it's actually not necessary to use a strong password in a mobile app because you can use the device identifier as an additional security factor.
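A minimal sketch of the scheme described above, as an added example that is not code from the original post: each account holds one credential per channel, and the mobile credential only verifies together with the device it was enrolled on. The store, the function names and the sample values are hypothetical, and it assumes the app reports a device identifier that is hard to copy.

```python
import hashlib
import hmac
import os

_CREDS = {}            # hypothetical in-memory store: (user, channel) -> record
_ITERATIONS = 600_000  # PBKDF2 work factor chosen for this example

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

def set_password(user, channel, password, device_id=None):
    """Store a channel-scoped password; a mobile one is bound to one device."""
    if channel not in ("web", "mobile"):
        raise ValueError("unknown channel")
    if channel == "mobile" and not device_id:
        raise ValueError("mobile credential must be bound to a device")
    salt = os.urandom(16)
    _CREDS[(user, channel)] = {
        "salt": salt,
        "hash": _kdf(password, salt),
        # Keep only a digest of the device identifier, never the raw value.
        "device": hashlib.sha256(device_id.encode()).digest() if device_id else None,
    }

def verify(user, channel, password, device_id=None) -> bool:
    """A password is valid only on the channel it was set for."""
    rec = _CREDS.get((user, channel))
    if rec is None:
        _kdf(password, b"\x00" * 16)  # spend similar time for unknown accounts
        return False
    ok = hmac.compare_digest(_kdf(password, rec["salt"]), rec["hash"])
    if channel == "mobile":
        presented = hashlib.sha256((device_id or "").encode()).digest()
        # Evaluate both checks; the short mobile password alone is not enough.
        ok = hmac.compare_digest(presented, rec["device"]) and ok
    return ok

if __name__ == "__main__":
    # Constructed sample values.
    set_password("alice", "web", "kV9#long-manager-generated-secret")
    set_password("alice", "mobile", "otter4821", device_id="device-A")
    print(verify("alice", "mobile", "otter4821", "device-A"))  # enrolled device
    print(verify("alice", "mobile", "otter4821", "device-B"))  # other device
    print(verify("alice", "web", "otter4821"))                 # wrong channel
```

Because the two credentials are stored and checked separately, a mobile password that leaks or is guessed does not open the web login, and it is useless without the enrolled device.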

And for the love of God, don't deliberately undermine the use of password managers by disabling autofill in your login forms.  (I'm looking at you, Citibank!)

Thursday, July 09, 2015

A guest post from Captain Obvious

I was watching the news reports about the Confederate flag finally being removed from the grounds of the state house in South Carolina and they were interviewing defenders of the flag, some of whom of course insisted that the flag had nothing to do with slavery.

These people need a history lesson.  Fortunately, the founders of the Confederacy wrote a Constitution in which they codified exactly what they were fighting for:
Article I, section 9, paragraph 4:
No bill of attainder, ex post facto law, or law denying or impairing the right of property in negro slaves shall be passed.
And just in case that wasn't clear enough:
Article IV, section 3, paragraph 2:
The Confederate States may acquire new territory; and Congress shall have power to legislate and provide governments for the inhabitants of all territory belonging to the Confederate States, lying without the limits of the several States; and may permit them, at such times, and in such manner as it may by law provide, to form States to be admitted into the Confederacy. In all such territory the institution of negro slavery, as it now exists in the Confederate States, shall be recognized and protected by Congress and by the Territorial government; and the inhabitants of the several Confederate States and Territories shall have the right to take to such Territory any slaves lawfully held by them in any of the States or Territories of the Confederate States.
Of course it was about slavery!  They wrote it into the fucking Constitution, for Christ's sake!  They even went so far as to make it explicitly negro slavery!  At least the original U.S. Constitution expressed a certain queasiness about the institution by using the term "other persons" instead of "slaves."  The Confederacy could have pussy-footed around the issue just as easily, but they didn't.  Why?  Because that's what they were fighting for!  They were proud of it!

That's the ultimate irony.  All those people who insist that the flag is about "heritage" and not about hate are actually denying the very heritage they are purporting to honor.  Anyone who professes to want to fly the Confederate flag in the name of Southern heritage needs to read those passages from the Constitution of the Confederate States and let the words "negro slave" sear themselves into their soul.  Maybe the only way to heal the still-festering wounds of the Civil War is to cauterize them.

Monday, July 06, 2015

Why the data do not support profiling Muslims

I'm going to go into some detail here about why the recently published data about extremist violence do not support profiling Muslims.  I thought this would be obvious, but apparently it isn't.

Let me start by summarizing the (fallacious) argument for profiling Muslims.  It goes something like this: Obviously, most extremist violence in the world is undertaken by Muslims.  In fact, by the recent numbers, Muslims are about 40 times more likely to engage in extremist violence than non-Muslims.  So obviously we should be profiling Muslims rather than non-Muslims.

When couched in those terms it seems like a pretty compelling argument, doesn't it?  But here is a completely equivalent argument, which is (I hope!) obviously bogus:
Self-identified atheists are about 2.4 percent of the U.S. population.  If we assume that these are more or less uniformly distributed across the country, then there are probably about 1500 self-identified atheists living in Chapel Hill, North Carolina.  (More likely the number is lower, but let's be conservative here.)  One of these, Craig Hicks, shot and killed three Muslim students in February of 2015.  So about 0.06% of self-identified atheists living in Chapel Hill have committed acts that could reasonably be characterized as terrorism.  So the concentration of terrorists among atheists in Chapel Hill is about 200 times greater than the concentration of terrorists among Muslims in the U.S.  Therefore we should be profiling Chapel Hill atheists in order to improve our odds of catching terrorists.
Hopefully I don't have to convince you that this argument is fallacious, and yet it is structurally identical to the argument for profiling Muslims.  So why does it seem so much more compelling when applied to Muslims?

Part of the problem is that there really is a connection between terrorism and Islam.  Most of the world's terrorists are Muslims.  However, it is emphatically not the case that most of the world's Muslims are terrorists!  And if your goal is to find terrorists (as opposed to figuring out what religion a terrorist happens to be) that is what matters.

The real problem with all of these arguments is that terrorists are actually quite rare, and in the U.S. they are extremely rare.  There have been 26 documented terrorist attacks in the U.S. since 9/11.  That's less than two a year.  So out of 300,000,000 people, less than two of them will (on average) commit a terrorist act in any given year.

The problem is that when the numbers are that small they become very sensitive to outliers and boundary effects.  For example, I've been using the number-of-incidents as my statistic, but the NewAmerica web site actually headlines the body count instead.  If we use body count, things look worse for the Muslims: the ratio of Muslim to non-Muslim violence grows from 37% to 54%.  However, note that fully half of the Muslim body count is due to a single event: the Fort Hood shooting.  If we ignore this one event as an outlier, the body count ratio plummets to 27%.  Even if we also ignore the Charleston church shooting as an outlier on the non-Muslim side, the ratio is still only 33%.

But all of these numbers are red herrings.  They will help you figure out after the fact whether a particular terror victim was likely killed by a Muslim or a non-Muslim, but that's not really what we want to know.  What we want to know is how to improve our odds of catching terrorists before they commit acts of terror, n'est-ce pas?  And for that goal, these numbers don't help at all.

The reason they seem to help is that the rate of terrorism among American Muslims is 37 times higher than it is among American non-Muslims.  That seems like a compelling number, until you recall that the incidence of terrorism among Chapel Hill atheists is 200 times higher than it is among American Muslims, and 7400 times higher than among the population at large.  I hope I don't have to convince you that profiling Chapel Hill atheists will probably not have a positive impact on the problem of terrorism, despite the overwhelmingly higher rate of terrorists among them.  Yes, profiling Muslims might increase your odds of finding terrorists from 0.0000001 to 0.0000037.  But those are still mighty poor odds.  And the resentment that you would instill in the American Muslim community might well cause more terrorist acts than the profiling prevents!

So what should be done instead?  Surely we have to do something about terrorism?

Well, no, actually we don't.  The fact of the matter is that terrorism is really not that big of a problem in the U.S.  The total body count since 9/11 is only 74, or only about five people a year.  About that many people die in car crashes every hour.  Even if we include 9/11 and Oklahoma City that's still only about 150 people a year, less than two days' worth of traffic fatalities.

Of course, we really do want to keep weapons of mass destruction out of the hands of crazy people.  But your ordinary run-of-the-mill terrorism of the sort that anyone can accomplish with readily available light ordnance is just not that big of a problem, despite the splashy headlines.  It is hard to imagine a more irrational policy than profiling Muslims to prevent terrorism.

The definition of a no-brainer

The state of Colorado has made the startling discovery that if you give women access to birth control, they have fewer babies.