Archive for January, 2008 Page 2 of 2



Jan 13

Improve your Presentation with Field Profiling

When you speak of profiling, most people assume that you are talking about serial killers, because they are influenced by TV shows. However, profiling is more than that. The definition of profiling is:

Recording a person’s behavior and analyzing psychological characteristics in order to predict or assess their ability in a certain sphere or to identify a particular group of people

Profiling has a very broad range of applications, ranging from employee evaluation to self-improvement, selling and teaching. Any human interaction can benefit from it. As a matter of fact, I started studying profiling not for serial killers but to improve my teaching, back in 2002. I was very young to be giving lectures, so after a few of them I was wondering whether my audience was interested and whether I had been able to communicate my message efficiently. I needed a tool to know how good I was and what I needed to improve. That is why I started to learn about profiling. Five years later I started to teach some of this material during the competitive intelligence course. I was very surprised by how positive my students were about this part of the lecture. I have even received emails from former students thanking me for this particular lecture, because these techniques have helped them get a job or sign a contract.

There are two kinds of profiling:

  1. Live profiling: this kind of profiling occurs when you interact with the person and profile at the same time, for instance during a job interview, a sale or a lecture.
  2. Asynchronous profiling: this kind of profiling occurs when the profiling is done before or after the interaction. The most obvious type of asynchronous profiling is the personality test.

Even if they can be combined, live and asynchronous profiling use two distinct sets of techniques. Besides personality tests, asynchronous profiling has become a very prominent area because of the Internet: many sites are eager to profile their visitors. What is Google Analytics, or any audience meter, if not a profiling tool? :) There is a lot to cover in this area, but as promised in the title I will focus on live profiling (however, I plan to write about asynchronous profiling if profiling is a subject that you, readers, are interested in).

Live profiling

The key particularity of live profiling is the time constraint, and it is also its biggest challenge: you have to do it in real time. This constraint has a bright side: you can see the result of your actions directly. For example, if you profile that your interlocutor is not interested in the current subject, you can see whether he is bored by the current topic, change the subject and observe how he reacts to the new one. I break profiling into three types.

  1. Compliant (willing) profiling
  2. Coercive profiling
  3. Field profiling

Compliant profiling

Compliant profiling occurs when the target acknowledges being profiled. In most human interactions this is the case. When you apply for a job, you are compliant in answering every question your future employer asks you. You are even eager to do so.

In personal relationships, people are also often compliant in answering your questions. As a matter of fact, many dating questions are profiling (some call it screening) questions: what do you like, what makes you happy, what do you do in this situation... Of course there are some boundaries, and you can't bluntly ask a person to take a psychological test. However, from my personal experience, many girls have asked me to run tests on them as soon as they discovered that it was part of my job. So to a certain extent, with diplomacy, you can profile your relatives if you want, and they may even thank you for it.

Coercive profiling

Coercive profiling occurs when you face someone who is unwilling to be profiled but over whom you have authority. This mainly occurs when someone has been busted. In this context you have various methods that are more or less legal, from the polygraph to torture. This is a very specific type of profiling and not something I am used to doing.

Field profiling

Field profiling is somewhere between the two. It is when you actually can't ask profiling questions. This type of situation is common in many jobs that involve group interactions. When you are giving a speech or facing a client, you are in the field, and there is no way you can ask profiling questions to know how well the information you deliver is received. Ironically, this is exactly the type of situation where you really want to know whether your audience has a positive attitude toward you and is interested in your subject. Thankfully, that is where profiling comes to help you.

The origin of field profiling

Field profiling techniques are based on an observation made by Darwin in the 19th century. Darwin discovered that all across the world people have the same types of gestures, and that some gestures have the same meaning regardless of culture (think of the act of nodding). Hence there is a strong correlation between what you think and how you act. Field profiling is therefore based on analyzing people's behavior to determine their state of mind. If you wonder how effective non-verbal communication is, then be glad to know that studies have been done on the subject. If I take the average of the study results I have read, non-verbal communication is assumed to represent around 55-65% of human communication. That seems a very big part, but if you think of how many times you smile to acknowledge someone, or nod your head to approve, then it does not seem that unrealistic.

How does field profiling work?

Basically, field profiling is very easy to do during the interaction: you look for IOIs (Indicators of Interest) or IODs (Indicators of Disinterest). Then you use these indicators to adapt your speech accordingly. For instance, if one of my slides triggers many IODs, I tend to move on to the next one as fast as possible. On the other hand, if one slide triggers many IOIs, I tend to push the idea a little further. Therefore my presentations are no longer static but rather a dynamic relation with the audience. It also improves my presentation because it gives me more confidence that what I am talking about is indeed interesting to my audience.

Field profiling techniques

There are two sets of techniques, based on the context of the presentation.

  1. Large audience profiling techniques. They are used when you do a presentation or a lecture.
  2. Close up profiling techniques. They are used when you perform a negotiation or do a job interview.

Close-up techniques mainly rely on body expression (inborn, genetic and cultural) to know how a specific person reacts to you. There is plenty of literature about it. One of the most interesting areas is called Neuro-linguistic programming (NLP), created by Bandler and Grinder. The key basic assumption of NLP is that internal mental processes such as problem solving, memory and language consist of visual, auditory, kinesthetic (and possibly olfactory and gustatory) representations. When people think about problems, tasks or activities, or engage in them, sensory representations are constantly being formed and activated. So by looking at some signs of the mental representation you are able to infer what mental process is currently happening. Therefore you can find the appropriate form of verbal communication that echoes it. For example, if it is a visual representation, one can use visual sentences such as "do you see".

Large audience techniques

Large audience techniques are audience-targeted. In other words, you do not try to profile how one specific person is responding to your lecture but how the audience behaves. This is called group dynamics. You look for macro IOIs and IODs. So what are we looking for?

  • Noise Level
  • Audience compactness

Noise level

Noise level is the easiest one to evaluate. The less noise you have, the more attention you have. As soon as the noise level rises, you are losing your audience. It can be because of the subject, but also because people are tired. Have a break or do an exercise. It is well known that the human mind has great difficulty focusing on the same subject for a long time, so trying a diversion is often a successful tactic.

Audience Compactness

Audience compactness is my personal technique to read the audience's mood. I have never seen it detailed elsewhere. I use it to know, before I start, what disposition the audience has toward my coming speech. It helps me adapt the opening to try to win them over from the beginning, which is easier than winning them over during the presentation.

Here is how it works: the more your talk sounds appealing (because of a previous lecture, reputation or subject), the more compact the audience is and the closer to you. Just as a person leans in to listen to something they find interesting, the audience will get closer to you if they are eager to listen to what you say. This probably explains why contesting questions often come from people seated in the back: from the beginning they have been against you.

I break my audience into three types of groups:

  1. The support group, which is the people in front of you. They are here to listen, will more likely participate and are your allies.
  2. The wing group, which is the people that sit on the side. I assume they are neutral. It's also a sign that they don't want to be spotted, because they try to stay out of sight. I usually make them shine to win them over.
  3. The back group. They are the people that don't want to listen or are even against you.

This allows narrowing the search for IOIs and IODs. Instead of looking at the back to see how it went, I tend to focus on the wing group because, if they start to be interested, then due to group dynamics people in the back will start to react positively in turn. A repetitive pattern I often observe is that attention starts from the center, spreads to the wings and eventually reaches the back.

Win over techniques

Based on this observation, I use several "win over" tactics:

Group breaking: when possible, I often try to move people in the back to the front so that social pressure will work on them. They will be more receptive to my talk. I often do this by keeping my voice relatively low. That is also a sign of authority and confidence: if you think that what you say is interesting, why yell? So in any case, that is a good tactic. Hence when a person in the back asks me "Can you raise your voice?", I tend to reply "Come closer", or if it is not a student, I often add "I won't bite you", because it puts pressure on this person and he will be less likely to answer "No, that's okay".

Having a person move from the back to the front is a positive thing because, at an unconscious level, it shows that you are in charge and that people have to adapt to you. Raising your voice is the opposite: you show that you have to adapt to your audience, and you are in the weak position.

Another key strategy is to ask wing people to answer, because they are the ones who will control the mood of the audience. There are two ways to target a specific person with a question. One is to know his name, which can be difficult; the other is to force eye contact. If you stare at someone when you ask the question, then he feels that he has to answer. That's group pressure.

If your goal is to win people over (which means that it is not a lecture), then the most successful tactic I know is to use the Yes escalation. Start with a simple assertion that your audience will agree with. Then take a step further and ask again, and again. You are setting up a positive dynamic. It is easier to have an interaction with people when you have defeated their fear of talking. Making them say "yes" is an effective means to make them comfortable.

A last tactic on the subject to close this post: when I do a lecture, I take the time at the beginning to call every person by their name and stop to ask some of them a quick question, such as "Is this an Italian name?", to start building the interaction.

See you next Sunday.

Jan 06

Attack Surface: Comparing Products Relative Security

One of the recurrent questions in security is which product is the most secure. Windows XP or Debian Linux? Firefox or Internet Explorer? Often these comparisons are based on subjective opinions or on vulnerability counts. A third way exists: attack surface analysis.

As a security specialist, my friends and students keep asking me which product is more secure. That is a tough question, really, because how do you measure a product's security?

Current Comparison Methodologies

Authoritative answer

Of course you can go for the authoritative proof: X (very famous) has said it. However, science is about questioning and experimenting, so every time I hear this type of answer I wonder how this X guy knows that this product is more secure.

Statistical Analysis

The other well-known method is to count the vulnerabilities each product has suffered from in the past. This is a method based on statistics, and at first sight it seems more reasonable. For example, here is the result of Nilotpal's study comparing Vista to Ubuntu Dapper. (There is a similar study comparing OS X and Vista on Larry's ZDNet blog.)

[Figure: Ubuntu vs. Vista vulnerability count comparison]

While more scientific, this methodology still has several flaws that make it quite unreliable:

First, it assumes that from the past you can predict the future. The basis of this approach is: if Y vulnerabilities have been discovered over the last X months, then it is probable that the same order of magnitude will be discovered in the next X months. If you use statistics on a subject that has patterns, it works really well. For example, it works great for temperature, river water level or shop sales because they have patterns and cycles. Temperature has a pattern conditioned by the rotation of the Earth around the Sun, and therefore you have a clear 12-month cycle. But for system security there is no such cycle.

Moreover, the only well-known cycle for software is the product cycle: interest in a product decreases with time, and ultimately it is going to be superseded by a new version or a new product. It is the same for vulnerability analysis. When a product is released, many people focus on finding its holes. As time passes, the number of people interested in finding holes might decrease as people move to other products/versions.

[Figure: product life cycle]

The second flaw in the approach is that in regular statistical analysis you are able to say: over X customer-months, Y have been this or that. Here you don't actually know how many people have looked at the code to find holes and how much time they spent on it. So maybe more flaws are found simply because more people are looking at this particular product.

Thirdly, a more subtle flaw in the approach appears when two products are compared over the last X months. This is not a fair comparison because they have been released at different moments and therefore are not in the same part of their lifecycle. How can comparing a product in its maturity stage against one in its introduction stage be objective?

That is why we need a more objective measure to compare products. Something that doesn't rely on the past or on some oracle, but on facts. This is the attack surface.

Attack Surface

An attack surface is a relative measure of product security. We say it is relative because it exists only in comparison to other products. For instance, a spoon can be viewed as small only because there are bigger spoons: this is a relative measure. Similarly, a product is more secure than another (relative).

Absolute versus relative measure

An absolute measure is not possible because we can't prove that a product is absolutely safe or has no bugs. This is related to the halting problem and Rice's theorem. If you are interested in bug detection, take a look at ASTREE, the static analyzer made at the ENS.

The ultimate goal to achieve with the attack surface is to be able to say "product X is safer than product Y because it has a smaller attack surface".

Intuitively, the attack surface aims at measuring how many attack vectors are available for each product. It does not measure whether these entries are actually used as attack vectors but evaluates the potential. A way to view this is to think about mountain climbing: one route is relatively easier than another because it has more holds for your feet and hands. It does not tell you that the more difficult one is unusable; it just tells you that it is more likely that the easiest one is usable to reach your goal. Same for products: a product with a larger attack surface will more likely be vulnerable than one with a smaller one.

Attack surface history

Attack surface has been around in research since 2003. I believe that it is Michael Howard of Microsoft who informally defined the notion of Relative Attack Surface Quotient (RASQ). The first paper on the subject, called "Measuring Relative Attack Surfaces", was published in a workshop by Michael Howard, Jon Pincus and Jeannette M. Wing in December 2003. Since then the "Attack Surface Measurement" project has been held at Carnegie Mellon.

How to measure it?

So how is an attack surface measured? Well, that is the big challenge! There are several ongoing works on it, but the basic idea is quite the same in every piece of research.

Three parts define the attack surface:

  1. Target
  2. Enabler
  3. Vector

Targets are the attacker's objectives: a root shell is the most obvious one. Leaking sensitive data is another, etc.

Enablers are the set of processes and services that allow the attacker to reach his goal, for example a running HTTP server.

Vectors can be viewed as the medium used to reach enablers and targets. It can be a socket, shared memory, a pipe...

So roughly, an attack surface is somehow the product of Target × Enabler × Vector (it is not totally accurate and depends on the formalism, but it should give you the idea). Stephen Northcutt's intuitive definition is very bright (check his post on attack surface):

"We can define attack surface as our exposure, the reachable and exploitable vulnerabilities that we have. The best word picture I know of is the depiction of the Spartan Phalanx depicted in Warner Brothers' tale of the Battle of Thermopylae, based on Frank Miller's '300'."

Some other criteria can be used to derive the attack surface, for instance the LOC (Lines of Code) index. The idea behind this index is: the more lines of code there are, the more likely there are bugs. However, this rule of thumb also has counterexamples (so far). For instance, the iPhone bootloader code is smaller than the baseband code; however, bugs have only been found in the bootloader so far.
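To make the Target × Enabler × Vector idea and the LOC caveat concrete, here is a small Python model added for this post; it is not the RASQ formalism from the Howard, Pincus and Wing paper, nor code from any of the tools mentioned. Every product, enabler, weight and line count below is constructed for illustration (the "default install" and "hardened install" are the same hypothetical server with and without extra services; the "bootloader" and "baseband" pair only mirrors the shape of the iPhone remark, with made-up numbers). The point it shows is that the score is only useful relative to another product measured the same way, and that the LOC index and the attack surface can rank two products differently.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical model of the Target x Enabler x Vector idea (added example, not
# the RASQ formalism). Scores mean nothing on their own: they only rank one
# product relative to another measured with the same rules.


@dataclass
class Enabler:
    """A process or service the product exposes (e.g. a running HTTP daemon)."""
    name: str
    vectors: List[str]        # media through which it can be reached
    targets: List[str]        # attacker objectives reachable through it
    privilege: int = 1        # weight: 1 = unprivileged account, 3 = runs as root
    loc: int = 0              # lines of code, used only by the LOC index


@dataclass
class Product:
    name: str
    enablers: List[Enabler] = field(default_factory=list)


def attack_surface(product: Product) -> int:
    """Sum over enablers of privilege * |vectors| * |targets|.

    Each (target, enabler, vector) triple counts as one potential way in; the
    privilege weight makes a root daemon's triples count more than a user one's.
    """
    return sum(e.privilege * len(e.vectors) * len(e.targets) for e in product.enablers)


def loc_index(product: Product) -> int:
    """The 'more code, more bugs' heuristic: total lines of reachable code."""
    return sum(e.loc for e in product.enablers)


def compare(a: Product, b: Product) -> Tuple[str, float]:
    """Relative verdict: name of the product with the smaller attack surface
    and the ratio larger/smaller. Equal scores return ("equal", 1.0)."""
    sa, sb = attack_surface(a), attack_surface(b)
    if sa == sb:
        return ("equal", 1.0)
    if sa < sb:
        return (a.name, sb / sa if sa else float("inf"))
    return (b.name, sa / sb if sb else float("inf"))


def metrics_disagree(a: Product, b: Product) -> bool:
    """True when the LOC index and the attack surface rank a and b differently."""
    smaller_by_surface = attack_surface(a) < attack_surface(b)
    smaller_by_loc = loc_index(a) < loc_index(b)
    return smaller_by_surface != smaller_by_loc


# Constructed sample: one hypothetical server, default vs. hardened configuration.
DEFAULT = Product("default install", [
    Enabler("sshd", ["network socket"], ["root shell", "sensitive data"], privilege=3, loc=90_000),
    Enabler("httpd", ["network socket", "unix socket"], ["sensitive data"], privilege=1, loc=150_000),
    Enabler("cupsd", ["network socket"], ["root shell", "sensitive data"], privilege=3, loc=120_000),
])
HARDENED = Product("hardened install", [
    Enabler("sshd", ["network socket"], ["root shell", "sensitive data"], privilege=3, loc=90_000),
    Enabler("httpd", ["network socket"], ["sensitive data"], privilege=1, loc=150_000),
])

# Constructed sample for the LOC caveat: a small, privileged component reachable
# over two media outscores a much larger component reachable over one.
BOOTLOADER = Product("bootloader", [
    Enabler("boot loader", ["usb", "serial"], ["code execution", "sensitive data"], privilege=3, loc=5_000),
])
BASEBAND = Product("baseband", [
    Enabler("radio stack", ["radio link"], ["code execution"], privilege=3, loc=300_000),
])

if __name__ == "__main__":
    for x, y in ((DEFAULT, HARDENED), (BOOTLOADER, BASEBAND)):
        print(f"{x.name}: surface={attack_surface(x)} loc={loc_index(x)}")
        print(f"{y.name}: surface={attack_surface(y)} loc={loc_index(y)}")
        print("  smaller attack surface:", compare(x, y), "LOC disagrees:", metrics_disagree(x, y))
```

Removing one service and one listening medium halves the constructed server's score, which is the kind of statement ("X is smaller than Y under the same model") the post says attack surface is meant to support; the bootloader pair shows why LOC alone is a rule of thumb rather than a measure.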

Current uses

Some products are already on the market for attack surface analysis, such as Holodeck:

[Figure: attack surface analysis GUI]

You can also find pretty good attack surface analyses that try to evaluate the potential security of a product. The most famous is probably the "Windows Vista Network Attack Surface Analysis" by Symantec.

You also find mentions of attack surface in many Windows 2008 previews, such as on ZDNet, 4sysops and a Windows 2008 blog.

Conclusion

Attack surface is currently the most scientifically grounded method to compare product security. It is intuitive and simple in concept but very complex to model and implement. This metric helps answer important questions such as whether the new version of product X is better than Y from a security perspective.

See you next Sunday, and a happy new year to you!