Friday, November 26, 2010

More Security Theater

EFF has a great piece about the whole stir regarding the new TSA whole body scanners or Advanced Imaging Technology (AIT) as it's formally called.  In essence TSA has moved aggressively to deploy the scanners at an enormous cost without validating whether the scanners address the threat they are meant to find - namely easy to conceal, hard to detect powder-type explosives.  As EFF reports in their post, it turns out that the scanners are fairly easily confused - even by folds of clothing.  Additionally these scanners were developed to detect more traditional threats - weapons, liquids, and more traditional explosives like C4 and plastique.  Powder was not one of the drivers in the development of these scanners.   EPIC has filed a lawsuit against TSA demanding that the deployment of the AIT scanners be halted pending an independent review of their effectiveness.

It's interesting that the EFF article quotes a former chief security officer of the Israel Airport Authority who calls the scanners "expensive and useless . . . That's why we haven't put them in our airport."  Yes, and TSA should pay attention to the Israelis experience...they have had a successful track record at Ben Gurion airport and of keeping terrorists off of planes - and they don't need to "touch your junk"!

Monday, November 15, 2010

Fresh rage...

Ok, I know this is supposed to be a place to put funny stuff from the security industry... BUT...

(I apologize for the ranting, rambling, link heavy content)

I have been thinking about the new security procedures at the TSA check points. There have been some "interesting" changes of late.

First, we now have the two new technological fixes for underwear bombers; MilliMeter Wave (MMW) and x-ray backscatter scanners. Cool, technology is a good approach right? HAH!!

Think they don't store the pictures? They ADMIT that they do...

Second, we have the new "aggressive pat down" for those who either present an anomaly or just flat refuse the new scanners. Aggressive is an interesting euphemism to employ. Frankly (based on my own observations, not hearsay) it amounts to a full on prison grope in public. Apparently they are allowed to touch your junk, check the inside of your underwear, the full Monty as it were.

A little backlash...

After doing a little research, I found the following interesting bits to ponder...

One of the manufacturers, Rapiscan, is closely tied to Michael Chertoff. I am not certain as to his actual role as I have seen multiple assertions from lobbyist to CEO. Do a little looking around and see what you can find. What I am certain of is that he is closely tied to one or more of the makers of the scanners. Does his name ring a bell? He used to be the head of the DHS. Interesting, no?

Michael Chertoff argues for Full Body Scanners :

Michael Chertoff connection to the vendors supplying the very equipment he argues so stronly for...

Next, I had been pondering the idea of what happens when you refuse both the scanner AND the grope? Can you just say "No thanks." and go back to your car? NO!!! You are subject to civil prosecution! (I will add the federal district court case citation later today) one you enter the domain of the TSA, you can't leave freely until they have their way with you. Neat!!

The Official TSA Guidance on Civil Penalties:

All this makes me wonder; what are folks who have a religious proscription against being seen naked by a stranger or touched in what amounts to an intimate manner by someone who is not family or a doctor, to do? I am thinking that a majority of conservative and orthodox faiths will have some issue with this. Naturally, ones that spring to mind are the more strict interpretations of Islam, Judaism, and Christianity. We can't profile, but we can make it so uncomfortable that the people we THINK of as the antagonists here will avoid air travel. Somehow there is this collective faulty memory that the only people who have committed terrorist acts in and against the US are Arab and Persian Muslims. Funny, I wasn't aware that McVeigh was Arabic, or that some of the crazies who always wanted to go to Cuba might actually be Persian... I mean, look how well Muslims have fared in Cuba in the last nine years!

I am thinking about a few social experiments... I am after all a security researcher, time to perhaps do some research...

A) If you, the reader, would be so kind as to spread links to this blog post, I'd like to see if TSA scrutiny goes up on me. The traffic wouldn't bum me out either ;)

B) I am going to track down a few methods to see if I can find a way to write secret messages to the screener in the back and see if any of it shows up tone InterWebs. Possible methods include: metallic fabric paint on the inside of a t-shirt, carbon fibre thread used to embroider something clever and/or rude on the band of my underwear or metallic thread in hems to do the same.

C) I am looking into having a series of t-shirts printed that say "I am not a criminal..." on the front, and "...I am an airline passenger." on the back.

D) I will be refusing the scanners and taking note of just exactly HOW intimate the grope is. I will also be interested issuing how the process differs based on how I am dressed and what
sort of carry-on I have.

Under the current rules, you have more privacy and civil rights as an arrestee than as an airline passenger. As an arrestee, there must be "probable cause" before an aggressive pat down can commence. We won't get into the more, shall we say intrusive, procedures you can be subject to. And I want to know when I was read my Miranda Rights in line???

Welcome to the next act, scene one of security theatre as presented by the Theatrical Security Administration Players for your voyeuristic pleasure...

Friday, September 17, 2010

Strong Cryptography? Really?

Working with a client about a year ago, they were trying to implement strong cryptography.

After multiple failed iterations, I explained that the cryptography had to be strong, meaning they had to use a robust encryption algorithm and an encryption of sufficient length that it could not be feasibly broken through brute force attacks.

The client's response: "We use a 14 character passphrase. Isn't that good enough?"

* facepalm *

Thursday, September 16, 2010

Passwords will stop them ...

Me: "Mr. Client, you have no firewall at this Internet connection point. You really need to deploy one."
Client: "Why?"
Me: "Because you currently have no protection from hackers. Anyone on the Internet can get direct access to your system."
Client: "That's why we have passwords. They have to login first, and if they don't have a password, they can't get in."

* facepalm *

We make *blahblah*...

Me: "Mr CIO, our network is wide open, my five year old could hack it"
Him: "Oh, so what. All the important stuff is on our miniframe"
Me: "...and that's impenetrable?"
Him: "Yep, NO ONE has ever hacked our type of miniframe"
Me: --walk away, come back 10 minutes later and hand Mr. CIO his password and the root password for the system.
Him: "Oh... well we just make *blahblahblah*. No one would ever hack us"


A D-?? really??

"Ms. Customer, what is your goal with this PCI-DSS gap analysis?"
"We want to pass the audit with a D-"


Bolt on?

"Mr. Customer, to characterize your security as "bolt-on" would be disingenuous. I would rather say that you took security, poured it into a paint bucket and then proceeded to drizzle it over your product in the manner of a Jackson Pollock piece"

That should fix a thing or two

Okay, in theory you can post comments now... If you'd like to be a contributor, send me an email address so I can set you up...


Wednesday, September 15, 2010

Introduction to SecFacePalm

So you figure you will go forth and make the world a better place. Going to fix all the problems in security. It's just soooo obvious that any idiot will understand it once you explain it to the in terms they can understand...

BWAAAAAaAAAAaAa ha ha ha ha ha !!!!! (in a voice like Bender from Futurama)

This is a place to share your favorite Stupid user tricks, MBA quotes, and developer in denial babble.

Anonymous or attributed, I don't care, just bring us your security facepalm moments...

Let the laughter begin...