True Security, or Job Security?

“We must plan for freedom, and not only for security, if for no other reason than that only freedom can make security secure” – Karl Popper

Remember when flying was an adventure?  When people-watching at the airport was fun, and walking through the gates to an aircraft would fill your soul with excitement and the feeling that you were going to see the world and to accomplish wonderful things?   I do too.

It hasn’t been that way for quite a long time now.  We’ve squeezed the life out of it.  The airlines charge ever more for less and less of the experience.  Having to pack differently and to show up two hours earlier for less of a flying experience makes it feel more and more like a bus ride to a neighboring town than an adventure.

What of this extra two hours, the standing in line, the extra layers of screening, and “no telling of jokes or otherwise filling the time!”?  What is the price we are paying, and what is gained at that price?  How much have you paid in extra fees over the past *13* years? How much has it cost for all the extra queues, the metal detectors, the body scanners, all the personnel, the bulletproof doors on cockpits?  What has that extra two hours on top of the ride to the airport, check-in, baggage, cost you out of your vacation time or business time?

What do we all get for all this expenditure?  Are we more safe?  Do you get a warm, fuzzy feeling, knowing that someone in a uniform is scrutinizing your undershorts?  Do you feel better overall?  I’d like to see the yearly statistics on the number of actual, bona fide threats that have been thwarted after all this outlay.  Sure, they have trashed countless tubes of toothpaste, wasted many hours of people’s lives, and maybe found a few hundred thousand little pocketknives, but I am talking about serious threats by people who seriously wanted to do those around them serious harm.  How many?  2? 5?

Ladies and gentlemen, I would like to share the results of a security audit performed on one of the backscatter scanners by RADSEC.  It’s not terribly long, but what you will see might surprise you.


“One of the primary goals of the Transportation Security Administration (TSA) is to provide the highest level of security and customer service to all who pass through our screening checkpoints.” — TSA.gov

“Our duties are wide-ranging, but our goal is clear: a safer, more secure America, which is resilient against terrorism and other potential threats.” — DHS.gov

When the scanners and their operating systems were being designed, the designers insisted on a closed engineering model, hoping to keep anyone from defeating the security measures simply by keeping the details of how the scanner works secret.   Those who are familiar with software development and OSS can cite thousands of instances where this method gets you the exact opposite.

The RadSec team was able to get the scanner as a government surplus item via eBay.

Via RADSEC.org
Available on eBay — The scanner designers seem to have assumed that attackers would not have access to a Secure 1000 to test and rehearse their attacks. However, we found that we could purchase a government-surplus Secure 1000 from an eBay seller, even while the machines were still in use by TSA.

Here is the report by RADSEC:  Rapiscan Secure 1000

These things are horrible, don’t do what you think they do, and as you see in section 4, are horribly hackable; you can even capture partial images of someone else being scanned from anywhere nearby.

Oh, just the scanners, you say?

How about this?  tsa-on-the-run

Or maybe this one?  Hey, thanks for the 900 Million dollars.  Let’s flush it.  What could be better than spending nearly a billion dollars to say you have “trained” people to follow their gut suspicions, and then just drop the program entirely, saying that it isn’t effective?

The airline industry sure has changed, but if you talk with gate agents, attendants, or pilots, you will find that it’s not better for them, and we already know that it’s not better for passengers.

Show of hands, how many of us have looked at flight prices, started to calculate the extra cost, time, and effort, and then decided to make it a long car trip instead?  I thought so.

Private School

When thinking about personal digital security, I would disagree with some of the information that I have been hearing in the media and in casual conversation, but there are a lot of points that are absolutely correct.

One of the points that I totally agree with is that everyone needs to understand the issues with their security, to understand exactly how much of a sitting duck you are when you groggily connect to that juicy free public wifi and start up your music streaming, your chat sessions, and start logging into any number of other places (including your bank) online with laughably weak passwords.

I’ve demonstrated on many occasions how the average laptop-toting public will do exactly these things. If they think of security at all, they assume that if they can’t see someone looking at their screen or watching them type, then nobody sees what they are doing. This reminds me of the “Ravenous Bugblatter Beast of Traal” in The Hitchhiker’s Guide. [If you cover your eyes, this keeps anyone else from seeing you.]

If you are on an open network and your communications are in the clear, anyone else connected to that network can read your communications.

Would anyone be interested in some discussion of basic personal digital security? I wouldn’t create a slew of “how to hack the planet” posts, because not only do those walkthroughs exist, but anyone interested in that would already understand the basic concepts of security they would be circumventing.

I do have to say that the Snowden files and the other interesting news blurbs about federal snooping are not a surprise at all. When the Homeland Security Act was being proffered, all of these issues were being hotly debated among everyone I knew at the time in IT, and especially in security. We all foresaw the egregious over-application of this law and the wild shenanigans that it would put into place, what it would cost in dollars, what it would cost in time, and what it would cost in loss of freedom.

Thought exercise: Think of any time you have been on or near an airplane since 2002. How much extra time, effort, money, and stress was involved than the same flight in, say, 1999? Now, for all the airport reconfiguration, all the DHS staff and equipment, all the footwear removal and body scans, all of it on all flights everywhere… How has it helped?

The NSA (a rogue agency) that, if you remember, never existed in the first place (roight.)

Edward Snowden Speaks at SXSWi
If you didn’t see the talk, the ACLU has published a copy here on YouTube

Accusations of

In the sxsw video, they mentioned some good basic tools (some of which I happen to be using at the moment). If you wanted to read about them or get copies, I’ll helpfully point you in the right direction to learn:

Admonishment

Dear Asshole,
Whomever gave to you the license to drive
Obviously never saw you park.
You ruin the day of drivers and pedestrians sharing this planet with you.

Dear Asshole,
You had better pray to the god of smelly punks that I never find you
after how you made those kids feel.

Dear Asshole,
You saw an opportunity to help those around you
And you didn’t.
You know exactly how it feels to be excluded,
to go without,
To need.
You could easily make things better but somehow decide that it is
someone else’s job.
You get to live with that.

Atlanta Dinner Picks

This is a list of ten memorable restaurants in the Atlanta, GA area that I have been to (over the past, say, three years) who meet the following criteria:
Good for entertaining (bringing clients/dates/friends&family)
Excellent waitstaff
Menu includes vegetarian-friendly options as well as interesting options for those with a standard North American diet.

This is in no way an exhaustive list, only some highlights that have ranked very high with both myself and guests. A lot of these have been venues for various dates, and some have been used as meeting spots when friends have come to visit from out-of-state. The vast majority of my dining out has been with non-vegetarians, so there’s a resistance for hitting all-vegan or entirely-vegetarian restaurants. Each of these has great vegetarian options available right on the menu, so that ordering doesn’t feel like you are asking them to remodel the kitchen with a “special request” when all you want is an option that is carcass-free. Some of these are much more formal, and some are very casual. All of them are exciting spaces that are also quiet enough for conversation.

On to the list (not in ranked order):

  1. La Tavola (latavolatrattoria) – This is one that comes to mind any time a special occasion comes up. When friends or family come to visit, when it’s someone’s birthday, any time I have an excuse to go, really. La Tavola is fun and interesting, has some really great veg options, and has a way of being formal and nice without being rigid or stuffy. The dining area can be very full at prime times, but there are really wonderful tables on the deck out back which are fantastic for spring brunch/lunch… (hint, hint. This week? Anyone?)
  2. Eros (erostapas) – Tapas and music. Right off I-85 at Monroe Drive, It’s in the multi-level what-used-to-be bank building. The tapas are great, and the space creates an interesting indoor-outdoor “patio” feel. It’s a great spot for a gathering, since it’s finger foods and music, as well as space that’s easy to move around in.
  3. Sugo (sugorestaurant) – Sugo has a fusion of Italian and Greek influences. Their staff is very friendly and knowledgeable. The food is spectacular. All three of their locations are North of the perimeter.
  4. Artistry (No known URL) – I’m not clear about whether this one has recently closed, is currently being renovated, or if it has recently changed hands. I had a great experience there. It was well-appointed, had live jazz musicians, and the food was great. My date on that night still mentions from time to time how awesome the steak and the shrimp were. I ate like a king on a wide variety of veg hors d’oeuvres. The waitstaff completely bent over backward. I hope they aren’t closed.
  5. Thai Spice (thaispiceatlanta) – This is Thai done beautifully, and with a lot of style. It’s the best Thai I’ve tried north of the perimeter.
  6. The Flying Biscuit (flyingbiscuit) – There’s nothing wrong with the various new locations as they became a chain, but I’m talking specifically about the original location just outside of Candler Park. There’s a completely different feel to this one. I was floored by the devil “burger”, but when you’re looking for something more “down home”, There’s nothing like the vegan bbq burrito.
  7. Buddha (no known URL) – This gem is right off I-75/I-85 at the end of the 10th Street bridge. Mostly Chinese fare, they have an extensive vegetarian menu, and are open incredibly late, which is handy, since it’s around the corner from Primal, and just a few blocks from Door44, Sutra, Opera, etc.
  8. Mambo Italiano (mamboitaliano) – This is a really neat traditional Italian place with a wonderful staff. The place is decorated like 1950s Italian. Great veg lasagne, good drinks.
  9. Octane (octanecoffee) – This is a wonderful independent cafe with great plates coming from the kitchen, some of the best baristas in North America (they kick butt every year in local, regional, and world barista competitions), and the space is relaxed, yet abuzz. Maybe it’s the caffeine. They have a second location near Emory University that I really should check out, since that would be much closer for me.
  10. Ecco (ecco-atlanta) – Of all the restaurants on this list, it’s been the longest since I’ve been to Ecco. Ecco is managed by the same group as La Tavola. It’s a much more formal dining experience than La Tavola, and I did a full review after my first trip there.

Where are your favorite dining spots in Atlanta? Leave a comment and let me know.

Your iPad can also be an E-book reader! Yay!

The first thing I saw this morning when I was looking at tech news was this article:

E-book apps for the iPad

The iPad is already more or less an e-book reader and web tablet, but because of its proprietary bent, we see immediate development work in order to enable it to handle Kindle and Nook proprietary formats, as well as to enable instant and user-friendly sales for Amazon and Barnes & Noble.

I think it’s funny that because of the lack of a true standard and due to various competing DRM practices, once you have spent gobs of cash on your new tablet reader hardware, you will need to immediately download apps that will allow it to also become an e-book reader, or an e-book reader.

Still, between the two designated devices, I still lean toward the Nook. A big reason for this is the longevity factor based on little things like having a replaceable battery and being an Android-based device.

I used a Sony PDA years ago as more or less an e-book reader, and it worked out really well. At the time, I was able to convert several of my textbooks to PDF easily, and some publishers were even forward-thinking enough to provide a standard PDF of the text with the purchase of the textbook. I loved having a backpack’s worth of books available in the palm of my hand, being able to read my assigned chapters one-handed while on transit on the way to and from work each day, and being able to both highlight and make annotations. It made the commute productive, and after getting home, I was able to streamline time on research papers and workgroup discussions because I’d already got the reading in.

When between classes, I was able to use the PDA similarly for extracurricular reading. At the time, it was the Harry Potter series, some older Asimov titles, and a load of CS journals.

If I’d had to wrestle with DRM with each of these, I don’t know how I would have had the time at all. Between getting notations synced, getting different titles moved back and forth, and keeping up with all I was working on at the time, the headaches that I hear people struggling with as a symptom of DRM would have been way too much.

In the Zone

When writing code and “in the zone” where the syntax seems to flow effortlessly and a second and third terminal screen show loads of data flitting by exactly as expected, I sometimes imagine the workstation on a giant turntable a la the 80s drummer in MTV videos, and a couple of dancers gettin’ down like this:

The rock star life of a developer, right? or maybe it’s more along the lines of Delusions of Grandeur…. n’est-ce pas?

Wrangling Another Gremlin (WAG)

Being someone who “works with computers,” family and friends quite often fling random personal hardware into my lap to “fix when you have some spare time.”

This is one of those spare times.

I’ve seen the patient (a late model Dell Inspiron, well apportioned with several hardware options, no signs of abuse or even heavy use) several times now for systems issues.

First it wasn’t showing local drives and had some permissions issues installing any new software, even if you logged in as an admin. There was a small trojan that had dropped a reg key to keep itself from getting uninstalled. I corrected the reg key, put some basic adware/junk filters in place, installed the software in question and returned it, advising a full backup of personal data and a dirty install of windows.

When the patient returned with complaints involving spyware blocking prompts, I thought that the basic crap filter had been left a bit sensitive. Signing on, I found a huge mess.

Starting with the usual review of startup processes, killing off of regular user clutter, I found the gremlin…

The now-famous trojan, Antivirus Home 2009 has been updated, and the patient is singing the Fake AV Blues. Loudly. From the back fence.

Our botnet buddies have included some familiar features, but have ramped things up. The install has become very worm-like. It has the usual home base, but any CPL “uninstall” or use of any of the usual removal tools in your tool belt will make it very defensive.

Even after killing off all of its processes, renaming its executables, and cleaning the tempspace, it sees mbam, spybot, and the stinger, kills them off, puts its OWN fly-by installer in place of the exe of the tool, and hides another install of itself using what looks like randomized names.

I ended up doing a manual kill, very similar to the list found at syschat, but with several new ones added to the list, including:

A load of registry entries that I should have logged, as they were all serial based.
_scui.cpl in a secondary location
lots of copies of a binary batch file, with names like asox, avaxo, tufija
reg files named ylifat, etc
inf files named like xehiger
and lots of copies of the same .dat file in all of the locations mentioned at syschat, but with names like jabocixevu, jihomuri, sevotif

After getting the polyps knocked down, I did a restart, then removed the installs and stubs of all the detect and protect tools because they are all suspect at this point.

Rebooting again, things look much better. For the first couple of minutes. Then a notifier bubble shows up from the task tray with a fake “malware detection” notification. Downloading and installing a fresh mbam install and running it kicks off a new install of antivirus 2010.

Back to square one.
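The manual hunt above (autorun entries, then randomly named .dat/.cpl/.inf/.reg droppings in temp and profile folders) is the kind of inventory worth scripting before the next reinfection. The following PowerShell triage helper is an added example, not code from the original post: it lists the standard Run/RunOnce autorun values and hashes recently created files whose names look machine-generated, using the pattern of the names the post mentions (asox, avaxo, tufija) as the heuristic. The search roots, the seven-day window and the small allow-list are assumptions for illustration.

```powershell
# Added triage helper (not from the original post). Read-only: it lists and
# hashes, it does not delete. Paths, window and allow-list are assumptions.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic: the droppers on this machine used names such as asox, avaxo,
# tufija: short, all-lowercase, pronounceable but meaningless. Flag lowercase
# alphabetic base names of 4..12 characters that are not on a small allow-list.
$KnownNames = @('desktop', 'windows', 'system', 'config', 'setup', 'readme')
function Test-RandomLookingName {
    param([string]$BaseName)
    if ($BaseName -notmatch '^[a-z]{4,12}$') { return $false }
    return -not ($KnownNames -contains $BaseName)
}

Write-Host '== Autorun entries =='
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
        Write-Host ("{0}  {1} = {2}" -f $key, $p.Name, $p.Value)
    }
}

Write-Host '== Recently created files with random-looking names =='
$Since = (Get-Date).AddDays(-7)   # assumed infection window; widen if unsure
$Roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemRoot\System32")
$Exts  = @('.dat', '.cpl', '.inf', '.reg', '.exe', '.bat')
foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $Since -and $Exts -contains $_.Extension.ToLower() } |
        Where-Object { Test-RandomLookingName $_.BaseName } |
        ForEach-Object {
            # SHA-256 lets you compare copies across folders and submit samples to a vendor
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            Write-Host ("{0}  {1}  {2}" -f $_.CreationTime, $_.FullName, $hash)
        }
}
```

Run it from an elevated prompt and save the output before touching anything, since the post shows the infection rewriting the removal tools themselves; the same Get-FileHash call, applied to a freshly downloaded mbam or spybot installer and compared against the vendor's published checksum, tells you whether the tool you are about to run is still the tool you downloaded.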