From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Thu May 30 2002 - 00:27:55 MDT
On Thursday, May 30, 2002, at 12:58 am, spike66 wrote:
> Let us remove the emotionally charged black/white and put it
> in terms of food.
You imply that I am confused by the emotional issue. But no matter how
you give the examples, the math works out the same way. Profiling does
not work. Direct measurement with high accuracy is the only workable
method.
> You collect two kinds of mushrooms, the
> fleebs and the kloongs. 10% of the fleebs will give you
> diarrhea, whereas 20% of the kloongs will. You know that
> most will not harm you at all, but you know that devouring
> a kloong is twice as dangerous as eating a fleeb.
In your above example, picking the "good" mushrooms will statistically
make you sick every tenth mushroom. If you eat 10 mushrooms in a meal,
you still get sick 100% of the time. This is simply not working. Even
if you only eat one mushroom per meal, it still doesn't help much to
delay sickness 10 days instead of 5 days. You still will get sick in
the immediate future. Furthermore, if you throw out the "bad"
mushrooms, 90% of what you throw in the garbage is good food. This also
is wasteful and unacceptable.
You can argue all you want that one system is technically "better". But
the fact of the matter is, this system doesn't work. If bad mushrooms
get through in the immediate future, and your garbage is 90% full of
falsely rejected mushrooms, it is time to come up with a better system.
What you need is a direct test for mushroom toxin. You screen all
mushrooms the same. Only safe mushrooms are eaten. Only bad mushrooms
are thrown away. Trying to directly measure the danger and respond only
when it is detected is the only valid method. The profiling scheme
above does not work.
> These are tough questions, we must all admit, ones which
> must be handled delicately.
I don't know why people keep saying that. These are not "tough"
questions. This stuff is freshman statistics. It is elementary to
point out the mathematical errors in this scheme. Any security
professional needs to be able to calculate risk analysis or they would
fail any certification test. This stuff is easy. The only "difficult"
part is trying to get everyone else to go along with these schemes when
they cannot be demonstrated to work, and when the logic and mathematics
fail rigorous examination.
> Which criminal would you rather have living next door to
> you, a person who steals a million dollars using a computer,
> or a person who steals a hundred dollars using a knife?
> Which would be a greater danger to you personally?
Neither. I need to keep the knifer away from my body and the embezzler
away from my bank account. I reject the notion that I need to make a
choice between these two. No security professional would ask such a
question, because they would be fired from their job. Why the choice?
We can do both. There is no reason one affects the other.
> We will soon have the tools to tell a person's income
> and criminal record by looking at them. Face recognition
> in a wearable computer, along with some kind of universal
> (even if sketchy) database with info on people's
> criminal past, work history, address, etc, will soon
> take the place of our current very error prone system
> of judging threats by skin color, gender or size. Would not
> this be a faaaar better means of estimating your risk
> when coming in contact with a stranger?
No way. Better than what?
If we get all that data collecting and scanning technology, i would use
it detect a gun rather than check the guy's bank account. I would
record his face and lookup his ID so that he knows he can't get away
with any crime. I will have the monitors automatically lock the doors
or call the police or take other defensive action if a robbery starts to
occur.
It is ludicrous to suggest we use all that technology just to gather
profiling data so we can make an educated guess. All that technology
can directly detect or predict criminal activity better than the profile
could. The other activity of trying to use technology to automate our
outdated guesses is ludicrous.
> Would
> not a shop owner love to have a system that would give
> a head's up when a paroled armed robber entered
> her store? Would not this tool be the end of racism? spike
The shop owner doesn't care if the robber is paroled or not, or what
race the robber is. They care that the robber is armed. Why measure
appearance to predict violence when we can measure violence directly?
Why detect their history or bank account when we can detect weapons or
suspicious activity directly?
Not using race to make inaccurate judgments is the only way to end
racism.
-- Harvey Newstrom, CISSP <www.HarveyNewstrom.com> Principal Security Consultant <www.Newstaff.com>
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:14:29 MST