True Security, or Job Security?

“We must plan for freedom, and not only for security, if for no other reason than that only freedom can make security secure” — Karl Popper

Remember when flying was an adventure?  When people-watching at the airport was fun, and walking through the gates to an aircraft would fill your soul with excitement and the feeling that you were going to see the world and to accomplish wonderful things?   I do too.

It hasn’t been that way for quite a long time now.  We’ve squeezed the life out of it.  The airlines charge ever more for less and less of the experience.  Having to pack differently and to show up two hours earlier for less of a flying experience makes it feel more and more like a bus ride to a neighboring town than an adventure.

What of this extra two hours, the standing in line, the extra layers of screening, and “no telling of jokes or otherwise filling the time!”?  What is the price we are paying, and what is gained at that price?  How much have you paid in extra fees over the past *13* years? How much has it cost for all the extra queues, the metal detectors, the body scanners, all the personnel, the bulletproof doors on cockpits?  What has that extra two hours on top of the ride to the airport, check-in, baggage, cost you out of your vacation time or business time?

What do we all get for all this expenditure?  Are we more safe?  Do you get a warm, fuzzy feeling, knowing that someone in a uniform is scrutinizing your undershorts?  Do you feel better overall?  I’d like to see the yearly statistics on the number of actual, bona fide threats that have been thwarted after all this outlay.  Sure, they have trashed countless tubes of toothpaste, wasted many hours of people’s lives, and maybe found a few hundred thousand little pocketknives, but I am talking about serious threats by people who seriously wanted to do those around them serious harm.  How many?  2? 5?

Ladies and gentlemen, I would like to share the results of a security audit performed on one of the backscatter scanners by RADSEC.  It’s not terribly long, but what you will see might surprise you.

“One of the primary goals of the Transportation Security Administration (TSA) is to provide the highest level of security and customer service to all who pass through our screening checkpoints.” — TSA.gov

“Our duties are wide-ranging, but our goal is clear: a safer, more secure America, which is resilient against terrorism and other potential threats.” — DHS.gov

When the scanners and their operating systems were being designed, the designers insisted on a closed engineering model, hoping to keep anyone from defeating the security measures simply by keeping the details of how the scanner works secret.   Those who are familiar with software development and OSS can cite thousands of instances where this method gets you the exact opposite.

The RadSec team was able to get the scanner as a government surplus item via eBay.

Via RADSEC.org
Available on eBay — The scanner designers seem to have assumed that attackers would not have access to a Secure 1000 to test and rehearse their attacks. However, we found that we could purchase a government-surplus Secure 1000 from an eBay seller, even while the machines were still in use by TSA.

Here is the report by RADSEC:  Rapiscan Secure 1000

These things are horrible, don’t do what you think, and as you see in section 4, are horribly hackable, and you can even capture partial images from anywhere nearby of someone else being scanned.

Oh, just the scanners, you say?

How about this?  tsa-on-the-run

Or maybe this one?  Hey, thanks for the 900 Million dollars.  Let’s flush it.  What could be better than spending nearly a billion dollars to say you have “trained” people to follow their gut suspicions, and then just drop the program entirely, saying that it isn’t effective?

The airline industry sure has changed, but if you talk with gate agents, attendants, or pilots, you will find that it’s not better for them, and we already know that it’s not better for passengers.

Show of hands, how many of us have looked at flight prices, started to calculate the extra cost, time, and effort, and then decided to make it a long car trip instead?  I thought so.

Private School

When thinking about personal digital security, I would disagree with some of the information that I have been hearing in the media and in casual conversation, but there are a lot of points that are absolutely correct.

One of the points that I totally agree with is that everyone needs to understand the issues with their security, to understand exactly how much of a sitting duck you are when you groggily connect to that juicy free public wifi and start up your music streaming, your chat sessions, and start logging into any number of other places (including your bank) online with laughably weak passwords.

I’ve demonstrated on many occasions how the average laptop-toting public will do these things exactly. If they think of security at all, they assume that if they can’t see someone looking at their screen or watching them type that nobody sees what you are doing. This reminds me of the “Ravenous Bugblatter Beast of Traal” in The Hitchhiker’s Guide. [If you cover your eyes, this keeps anyone else from seeing you.]

If you are on an open network and your communications are in the clear, anyone else connected to that network can read your communications.

Would anyone be interested in some discussion of basic personal digital security? I wouldn’t create a slew of “how to hack the planet” posts, because not only do those walkthroughs exist, but anyone interested in that would already understand the basic concepts of security they would be circumventing.

I do have to say that the Snowden files and the other interesting news blurbs about federal snooping are not a surprise at all. When the Homeland Security Act was being proffered, all of these issues were being hotly debated among everyone I knew at the time in IT, and especially in security. We all foresaw the egregious over-application of this law and the wild shenanigans that it would put into place, what it would cost in dollars, what it would cost in time, and what it would cost in loss of freedom.

Thought exercise: Think of any time you have been on or near an airplane since 2002. How much extra time, effort, money, and stress was involved than the same flight in, say, 1999? Now, for all the airport reconfiguration, all the DHS staff and equipment, all the footwear removal and body scans, all of it on all flights everywhere… How has it helped?

The NSA (a rogue agency) that, if you remember, never existed in the first place (roight.)

Edward Snowden Speaks at SXSWi
If you didn’t see the talk, the ACLU has published a copy Here on YouTube

Accusations of

In the SXSW video, they mentioned some good basic tools (some of which I happen to be using at the moment). If you wanted to read about them or get copies, I’ll helpfully point you in the right direction to learn:

Wrangling Another Gremlin (WAG)

Since I am someone who “works with computers,” family and friends quite often fling random personal hardware into my lap to “fix when you have some spare time.”

This is one of those spare times.

I’ve seen the patient (a late model Dell Inspiron, well apportioned with several hardware options, no signs of abuse or even heavy use) several times now for systems issues.

First it wasn’t showing local drives and had some permissions issues installing any new software, even if you logged in as an admin. There was a small trojan that had dropped a reg key to keep itself from getting uninstalled. I corrected the reg key, put some basic adware/junk filters in place, installed the software in question and returned it, advising a full backup of personal data and a dirty install of Windows.

When the patient returned with complaints involving spyware blocking prompts, I thought that the basic crap filter had been left a bit sensitive. Signing on, I found a huge mess.

Starting with the usual review of startup processes, killing off of regular user clutter, I found the gremlin…

The now-famous trojan, Antivirus Home 2009, has been updated, and the patient is singing the Fake AV Blues. Loudly. From the back fence.

Our botnet buddies have included some familiar features, but have ramped things up. The install has become very worm-like. It has the usual home base, but any CPL “uninstall” or use of any of the usual removal tools in your tool belt will make it very defensive.

Even after killing off all of its processes, renaming its executables, and cleaning the tempspace, it sees mbam, spybot, and the stinger, kills them off, puts its OWN fly-by installer in place of the exe of the tool, and hides another install of itself using what looks like randomized names.

I ended up doing a manual kill, very similar to the list found at syschat, but with several new ones added to the list, including:

A load of registry entries that I should have logged, as they were all serial based.
_scui.cpl in a secondary location
lots of copies of a binary batch file, with names like asox, avaxo, tufija
reg files named ylifat, etc
inf files named like xehiger
and lots of copies of the same .dat file in all of the locations mentioned at syschat, but with names like jabocixevu, jihomuri, sevotif

After getting the polyps knocked down, I did a restart, then removed the installs and stubs of all the detect and protect tools because they are all suspect at this point.

Rebooting again, things look much better. For the first couple of minutes. Then a notifier bubble shows up from the task tray with a fake “malware detection” notification. Downloading and installing a fresh mbam install and running it kicks off a new install of antivirus 2010.

Back to square one.
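A detection script for the pattern described in this post (one payload scattered as many identical copies under randomized names across several folders), added here as an example; it is not part of the original post and not any of the removal tools named above. It hashes every file with one of the listed extensions under a directory tree and reports content that shows up under several different file names, which is exactly the signal a hand removal relies on. The folder layout and file names in build_sample_tree() are constructed for the demo, not the real locations from the syschat list.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions the post lists as carriers of the cloned payload (.dat, .reg, .inf,
# batch files, _scui.cpl). Adjust the set for the case at hand.
SUSPECT_EXTENSIONS = {".dat", ".reg", ".inf", ".bat", ".cpl"}


def sha256_of(path, chunk_size=65536):
    """Content hash of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cloned_payloads(root, min_names=3, extensions=SUSPECT_EXTENSIONS):
    """Walk root, hash every file with a suspect extension, and report content
    that appears under at least min_names distinct file names.  Identical copies
    of a legitimately installed file keep one name, so they are not reported;
    one payload hiding as jabocixevu.dat, jihomuri.dat and sevotif.dat is."""
    by_hash = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                by_hash[sha256_of(path)].append(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
    hits = []
    for digest, paths in by_hash.items():
        names = sorted({os.path.basename(p).lower() for p in paths})
        if len(names) >= min_names:
            hits.append({"sha256": digest, "names": names, "paths": sorted(paths)})
    return sorted(hits, key=lambda h: h["sha256"])


def build_sample_tree():
    """Constructed demo tree: one payload under three random-looking names in
    three folders, plus benign files that must not be reported."""
    root = tempfile.mkdtemp(prefix="fakeav-demo-")
    payload = b"MZ\x90\x00 constructed fake-AV payload bytes"
    settings = b"[settings]\nvolume=7\n"
    layout = {
        "Windows/System32/jabocixevu.dat": payload,
        "Windows/jihomuri.dat": payload,
        "Documents and Settings/user/Application Data/sevotif.dat": payload,
        "Program Files/Player/settings.dat": settings,
        "Documents and Settings/user/settings.dat": settings,  # same content, one name: benign
        "Windows/Temp/asox.bat": b"@echo off\r\nrem constructed batch file\r\n",
        "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",  # not a suspect extension
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for hit in find_cloned_payloads(build_sample_tree()):
        print(hit["sha256"][:16], hit["names"])
        for p in hit["paths"]:
            print("   ", p)
```

Run it against a real drive by passing the mount point (or the suspect folders) as root; lowering min_names to 2 catches a payload that has only been cloned once, at the cost of more noise from legitimate duplicates.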

boarding basics

It’s just a pet peeve, but when I hear people in media verbally giving out links, they make a couple of mistakes. These mistakes bleed over into the habits of non-media people, and it’s a really big mess after a few years.
Number one is the nomenclature of the symbols on the keyboard. The slash and backslash are completely different buttons. A slash (/) leans forward. You are reading this text from left to right, as you would in the vast majority of languages in use on this planet (right-to-left-reading languages like Hebrew and Arabic would likely have a completely different nomenclature for the slashes). It’s leaning forward, toward the rest of the line. A BACKslash (\), therefore, leans backward. The slash is generally next to the right-side shift key with the question mark. The backslash is usually above the enter button with the pipe (|) symbol. Since the backslash and pipe are rarely used, the button is generally ignored. In web addresses used in a browser to get to a website, the slashes are just slashes. Any mention of a “backslash” by someone in media to the general public wastes a syllable and confuses anyone who is paying attention. The character that you get when you hold the shift key and press the number 8 is an asterisk (*). Not “asterik”, not swastika.

ASMW — Alexa Ray Joel

I completely stumbled onto Alexa Ray Joel, and liked what I was hearing, before it started to dawn on me exactly *who* I was hearing. I have a feeling that this is the kind of thing she would prefer from new fans.

This is the first single from her second album; her first featured her own artwork and sampled her wide range from folk/country to alt-pop, and into jazz. This track would sit gingerly in the pop-jazz area. Reminiscent of Corinne Bailey Rae and Billie Holiday, the writing has strong hooks and the arrangements are balanced.

As stated above, I got into the track for a while before finding out more about who she is. The tipoff to some of you would have been the Joel surname. She’s the daughter of Billy Joel and Christie Brinkley.

VD Epoch 13

This year is the only time that VD will be coupled with the Unix epoch rolling to a sequential number. Of course, the two are a few hours apart, but hey, any excuse to celebrate dorky geek trivia *and* being a more-or-less willing target for a heavily-armed, floating infant deserves a nod.

For the geek-deficient, here’s the executive overview: The epoch for Unix systems is 1/1/1970. To these systems, this date is the beginning of our current time. When you request today’s date, the create date of a file, or the last access date of a file, the system has that info stored as the number of seconds since midnight January 1, 1970. For the most part, this number is reformatted to the date style you are used to reading in your part of the world. Programmers, analysts, and administrators often use the raw number to do faster calculations of dates without the trouble of programming around things like leap years and daylight saving shenanigans. Yesterday evening, the number reached a sequential pattern. It’s like noticing that your car’s odometer has rolled to all 2’s (like mine did a few weeks ago).
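The conversion described above, carried through as an added example (this code is not from the original post): the raw count of seconds since midnight 1970-01-01 UTC is split into whole days and time of day, and the day count is turned into a calendar date with a leap-year-aware formula (Howard Hinnant’s days-to-civil algorithm, used here to show the kind of work the system’s date library does for you). The sequential value the post refers to is 1234567890, which lands on 2009-02-13 23:31:30 UTC; days_between() shows why the raw number makes date arithmetic easy.

```python
import datetime

SECONDS_PER_DAY = 86400


def civil_from_days(z):
    """Days since 1970-01-01 -> (year, month, day) in the proleptic Gregorian
    calendar.  Hinnant's algorithm: shift so the 400-year cycle starts on
    0000-03-01, then peel off eras, years and months with integer arithmetic
    and no leap-year table."""
    z += 719468                      # days from 0000-03-01 to 1970-01-01
    era = z // 146097                # 400-year cycles (Python // floors, so negatives work)
    doe = z - era * 146097           # day of era, 0..146096
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365  # year of era, 0..399
    y = yoe + era * 400
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)  # day of year, counted from March 1
    mp = (5 * doy + 2) // 153        # month index with March = 0
    d = doy - (153 * mp + 2) // 5 + 1
    m = mp + 3 if mp < 10 else mp - 9
    return (y + (1 if m <= 2 else 0), m, d)


def days_from_civil(y, m, d):
    """Inverse of civil_from_days: (year, month, day) -> days since 1970-01-01."""
    y -= 1 if m <= 2 else 0
    era = y // 400
    yoe = y - era * 400
    doy = (153 * (m - 3 if m > 2 else m + 9) + 2) // 5 + d - 1
    doe = yoe * 365 + yoe // 4 - yoe // 100 + doy
    return era * 146097 + doe - 719468


def epoch_to_utc(seconds):
    """Raw epoch seconds -> (year, month, day, hour, minute, second) in UTC."""
    days, rem = divmod(seconds, SECONDS_PER_DAY)
    hh, rem = divmod(rem, 3600)
    mm, ss = divmod(rem, 60)
    y, m, d = civil_from_days(days)
    return (y, m, d, hh, mm, ss)


def utc_to_epoch(y, m, d, hh=0, mm=0, ss=0):
    """Calendar date and UTC time of day -> raw epoch seconds."""
    return days_from_civil(y, m, d) * SECONDS_PER_DAY + hh * 3600 + mm * 60 + ss


def days_between(a, b):
    """Whole days from date a to date b, each given as (year, month, day):
    plain subtraction on the day count, leap years already accounted for."""
    return days_from_civil(*b) - days_from_civil(*a)


def matches_stdlib(seconds):
    """Cross-check one value against the standard library's own conversion."""
    dt = datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)
    return epoch_to_utc(seconds) == (dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


if __name__ == "__main__":
    print(epoch_to_utc(1234567890))                      # (2009, 2, 13, 23, 31, 30)
    print(days_between((1970, 1, 1), (2009, 2, 13)))     # 14288
```

The local-time conversion the post mentions is the part deliberately left out: that step needs a time zone database, while everything above is pure integer arithmetic on the UTC count.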

Besides that, yesterday was Friday the 13th, and we have another Friday the 13th next month.
The new Friday the 13th movie was released last night. It’s supposed to be a remake of the first three in the series, so there should be lots of room for serious cheese. Hopefully, it will have some good scary, gory parts, and probably some t&a and drugs, but definitely a lotta cheese.

Oh, and on this VD, the floral industry would like to once again thank you all for creating an incredible demand for out-of-season product. They grow them artificially in greenhouses on another continent and ship them in at a premium, and then charge a premium to you. Thanks for looking out for the planet there. What if next year, everyone buys something local and in-season? Think of the transportation savings. Even more than that, think of how much fresher the flowers will be, since they won’t have spent so much of their little bloomin’ lives in a shipping crate. And you would be helping the economy in your own neighborhood.

That said, I’m going to share a non-mushy VD sentiment.
Cyanide and Happiness, a daily webcomic
Well, I suppose it’s non-mushy. I didn’t actually poke at it to find out.