Pensieri di un lunatico minore
A new “explosive” security risk is going around the blogosphere, and people are having a field day with it. To quote Wired magazine:
You’re a smart, safety conscious iPhone user, right? You keep the phone set to require a 4-digit passcode every time it wakes up, so if you ever lose your baby, all your personal information is safe. But if you are running v2.0.2 of the iPhone operating system, you might as well not bother. A simple hack will get anybody past your PIN code with free access to all your mail, contacts and bookmarks. Ouch!
The title to the article? “Massive iPhone Security Flaw Exposes Your Private Data – Here’s the Fix”
Wow, talk about being a total idiot about security-related issues. Anyone who works in security knows that if someone has physical access to a computer/device, no amount of software trickery—and that’s what PINs/passwords are—will stop them from getting your data. Is it “easier” than it should be? Yes, but it’s not exactly the doom scenario that the “journalists” would have you believe.
How do you deal with this? Well, theoretically, you could encrypt everything on the phone and have to run everything through a decryption cycle to access it. This would require the PIN to “unlock” and you’d have to clear the memory, etc. However, this is also idiotic since at some point, there are only 10,000 options (4 digit PIN), and that can be brute forced in a trivial amount of time with physical access to the underlying data.
In the end, it’s just like anything else with your personal data on it: keep an eye on it and protect it. If this “vulnerability” were exploitable remotely without anyone having to have access to the phone, then it’d be a somewhat bigger deal. As it is, it’s a coding mistake, but hardly the end-of-the-world scenario that it’s made out to be.
As for the implicit comparison to the Blackberry, has anyone actually examined the Blackberry with the same level of zeal that people seem to take in breaking Apple gear? Perhaps; perhaps not.
No thoughts
In a discussion with Bruce Schneier, Marcus Ranum lays out something I think most security people have been worried about for years:
Another trend I see getting worse is government IT know-how. At the rate outsourcing has been brain-draining the federal workforce, by 2017 there won’t be a single government employee who knows how to do anything with a computer except run PowerPoint and Web surf. Joking aside, the result is that the government’s critical infrastructure will be almost entirely managed from the outside. The strategic implications of such a shift have scared me for a long time; it amounts to a loss of control over data, resources and communications.
I’ve watched it for the past 15 years, and not just around security. Anymore, there are simply few technically competent people left in the federal government. They are 99.998523% dependent on “contractors”, who are little more than mercenaries and loyal only to their paycheck. This is terrifying to me, as a taxpayer, and as a practitioner in the field. While it does help keep me employed, it doesn’t help me sleep at night.
Who watches the watcher, when they are all blind?
No thoughts
I am shocked, just shocked:
Government investigators smuggled liquid explosives and detonators past airport security, exposing a dangerous hole in the nation’s ability to keep these forbidden items off of airplanes, according to a report made public Wednesday.
When you treat security as theater, why would you expect it to be any more real than a child’s make-believe dreamworld?
No thoughts
It seems that the vending machine at a client’s office is susceptible to a timing attack. If you hit the digits for what you want—in this case some M&Ms—as soon as it accepts the dollar, but before it registers the amount, it won’t actually do anything. So, then you type it again, and it shoots out two bags of M&Ms, and charges you for one. Interesting.
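The double-dispense described above is a race between the bill being accepted and the credit being posted. The following toy model is an added example (not the machine’s firmware, and the catalogue and prices are constructed) that reproduces the sequence in the post and shows the fix: every dispense, including a replayed keypress, must go through the same charge-checking path.

```python
from collections import deque

# Constructed sample catalogue, prices in cents.
PRICES = {"M&Ms": 100}


class VendingMachine:
    """Toy model of the bill-acceptance / selection logic the post describes.

    Taking a bill happens in two phases: the validator accepts the note, and a
    moment later the controller posts the credit. A keypress that lands in that
    window is queued. In the vulnerable model the queued press is replayed by a
    code path that skips the charge; in the hardened model every dispense goes
    through the same charge-checking path.
    """

    def __init__(self, hardened: bool = False):
        self.hardened = hardened
        self.balance = 0            # settled credit, cents
        self.pending_bill = None    # accepted but not yet posted
        self.queued = deque()       # keypresses received while a bill is in flight
        self.dispensed = []

    def accept_bill(self, cents: int) -> None:
        """Phase 1: the validator takes the note; nothing is credited yet."""
        self.pending_bill = cents

    def register_amount(self) -> None:
        """Phase 2: credit is posted and any queued keypresses are replayed."""
        self.balance += self.pending_bill
        self.pending_bill = None
        while self.queued:
            item = self.queued.popleft()
            # BUG in the vulnerable model: the replay assumes payment was already
            # verified and dispenses without charging. The hardened model charges.
            self._dispense(item, charge=self.hardened)

    def select(self, item: str) -> bool:
        """A keypress. Returns True if the item was dispensed immediately."""
        if self.pending_bill is not None:
            self.queued.append(item)   # arrived inside the race window
            return False
        return self._dispense(item, charge=True)

    def _dispense(self, item: str, charge: bool) -> bool:
        price = PRICES[item]
        if charge:
            if self.balance < price:
                return False
            self.balance -= price
        self.dispensed.append(item)
        return True


def double_press(hardened: bool):
    """Replay the sequence from the post: pay $1, press during the window, press again.

    Returns (bags dispensed, remaining credit in cents).
    """
    m = VendingMachine(hardened)
    m.accept_bill(100)
    m.select("M&Ms")        # lands before the credit is posted: queued, nothing happens
    m.register_amount()     # credit posted; the queued press is replayed
    m.select("M&Ms")        # second press
    return len(m.dispensed), m.balance


if __name__ == "__main__":
    print("vulnerable:", double_press(False))   # two bags, charged for one
    print("hardened:  ", double_press(True))    # one bag, charged for one
```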
1 thought
From Wired:
What’s gotten DHS’ attention is the institute’s work on a system called Semantic Stimuli Response Measurements Technology, or SSRM Tek, a software-based mind reader that supposedly tests a subject’s involuntary response to subliminal messages.
You are kidding me, right? I mean, I know that TSA is little more than a collection of vaguely sentient monkeys, and that DHS largely exists to line the pockets of contractors, but I just assumed all that corruption, graft and bribery was going to benefit American contractors. Now it’s mind-reading computers from reject-Soviet projects. The comparison with a polygraph only further reinforces the idiocy of it all. Polygraphs don’t work. They are not only useless, they are in fact dangerously useless, as they only create a false sense of security in people too stupid to know better, i.e., politicians.
I feel safer, don’t you? Next up, the TSA decides to use Ouija boards to decide if you should be allowed on a plane.
No thoughts
Wired has published a report on DCSnet, the FBI’s all-singing, all-dancing privacy raping and pillaging tool. I’d comment on it, but most of this stuff is self evident, plus both Matt Blaze and Steven Bellovin have their own more useful comments.
The most terrifying thing? No real accounting, no logging, just the “honor system” of a bunch of people with demonstrably little honor.
No thoughts
I’m driving downtown yesterday, on my way to an appointment, and I see the following van in front of me. Now, check out the security that’s on this van:

Seriously. They’ve invested in a high-security padlock that is designed to be nearly impossible to cut off. What they’ve overlooked is that all the hinges are on the outside, and the pins are trivial to remove. Ta-da! The door comes off quite easily.
I love this kind of thing.
1 thought
Earlier, I commented on the speed, or lack thereof, of Microsoft’s addressing a vulnerability. First, I want to make a point that Microsoft is not the only vendor that tends to take absurd amounts of time to release fixes. Apple is also guilty of this, as are others. Microsoft simply represents the single largest attack surface for the Internet as a whole.
Now that Mike Reavey has addressed some people’s concerns, I wanted to take a look at the timeline that he offered. First, a small graphical version:

I’ve used estimated process dates from his posting, but they’re accurate enough for the point needing to be made. Overall, I think the basic process is sound, but there’s a troubling bit:
The next stage in our investigation process is creating and testing the security updates which this update went through in February and March. This is an extensive process that takes, on average, two months for the majority of Windows related security updates.
Two months to test a security update. I’ve heard from various former Microsoftians that “building Windows” is a gigantic undertaking that has an enormous staff just to babysit the compilation process. This, combined with some of the horror stories about how code is managed, indicates a faulty process that has been scaled by brute force up to an absurd level. I may be wrong, but two months should not be required to regression test a patch, unless it touches everything.
Therein lies my fear: that a patch to fix a buffer overflow represents a monstrous undertaking. Jokes aside about Windows and QA, a vast majority of the process should be automated, and building should not require a single minute of human interaction most of the time. Anything else is scalable only because of the effective monopoly that Microsoft wields in the marketplace.
No thoughts
It is an unfortunate truth that in this day-and-age, pervasive surveillance is nearly as common as a Krispy Kreme store in North Carolina. This kind of thing is most especially true in ports, whether land, sea or air. The reasoning is vaguely sound, although the implementation is largely lacking in many cases. Currently, I’m working with a few places on a more intelligent surveillance strategy that offers the potential to reduce false positives based on racial profiling and other red-herring indicators, and increase the ability to detect and notice behavioral anomalies. It is these anomalies that often are the precursors to actual action.
As part of this effort, we recently had a discussion internally about the issue of privacy when doing this sort of thing. It’s critical to understand that the surveillance system is piggy-backed on top of an existing CCTV system that would normally exist. Instead of feeding hundreds of cameras1 to a huge matrix display and expecting human beings to deal with this data overload, the information is dissected, parsed, analyzed and behavior extracted. Is someone milling about oddly? Are there more cars parked in a lot than is expected at this time of day? Has someone left a bag/package unattended for an extended period? Is someone trying to go “in the out door,” as it were? Questions such as these, which represent the most basic of techniques, allow for a gigantic reduction in noise in the system.
What they also do—more importantly in my mind—is reduce the human factor of racial profiling that so dominates many people’s perspective, whether consciously or not. Instead, it allows the behavior of the individual, or group, to guide interest. As racial profiling will always fail in the end, behavior is the only effective strategy to eluding the next risk, rather than obsessing over the last one. By placing a vast majority of the data under the cold steely eye of the computer, much of the harassment that often results from this kind of omnipresent observation can be removed. In addition, there are techniques to obscure identity for certain users of the system to further protect privacy until real justification exists.
Is it a perfect solution? No. But the reality is that in certain environments this level of observation is unavoidable at this point in history.
1 An average port may have anywhere from 250-500 cameras deployed. Some have even more.
No thoughts
Another day, another catastrophic remote exploit of Windows. The vulnerability affects the way Microsoft’s code processes icons. Yes, icons. Never mind, the story of its fix is telling enough:
Microsoft was first alerted to the .ANI vulnerability back in December, but a patch for it didn’t come before exploits began hitting the wild last week.
Ouch, that’s a long lead-time for what, hopefully, is a relatively simple buffer-overflow attack, and therefore one that shouldn’t take 3 months to resolve. Not that other vendors don’t take similarly absurd lengths of time.
Mark Miller, director of the Microsoft Security Response Center, said in an interview Monday with InformationWeek that the company needed the three-plus months to work on building and testing a good patch. Since the exploit hit last week, he said slightly less than 100 Microsoft technicians have been working “around the clock” to ready the patch.
So let’s say they had 99 Microsoft technicians1 working 24×7, which is the meaning of “around the clock” to most people, for one week. That represents 16,632 hours of work… to fix a buffer overflow? Seriously, either this is a total fabrication (a “lie” in general English parlance), or they really are as pathetic as Linux weenies would make them out to be2. The last buffer overflow I had to fix3 took a couple hours to isolate (gdb), write a test to reproduce and fix.
Miller stands behind Microsoft’s response process and said it has taken the company more than three months to come up with a patch for the bug because it’s simply a long, complicated process.
Have they investigated not using this process, and perhaps trying something that doesn’t suck so completely at delivering results? Then again, Vista was years behind schedule, and ended up delivering effectively nothing that was promised, so I shouldn’t be surprised.
“It just took the time it took to produce this update,” he said. “When you look at the time it takes to review the security issues, create a fix, and then test, it does take some time. ... Where it is in Windows, it is a core area. The time line is longer because you have to deal with this core area.”
Aye matey, thar be monsters in the core!
1 Technicians? Have they tried hiring programmers, rather than cable TV installers to write their code?
2 This is my standard conundrum: “Are you an idiot, or just lying?” I’m not sure which is more troubling.
3 One of the advantages of writing in dynamic languages is that these sorts of bugs are effectively impossible.
5 thoughts
Today, comes word that some sanity might be showing in the state legislatures:
Maine overwhelmingly rejected federal requirements for national identification cards on Thursday, marking the first formal state opposition to controversial legislation scheduled to go in effect for Americans next year.
Both chambers of the Maine legislature approved a resolution saying the state flatly “refuses” to force its citizens to use driver’s licenses that comply with digital ID standards, which were established under the 2005 Real ID Act. It asks the U.S. Congress to repeal the law.
For those who think this is partisan:
The votes in Maine on the resolution were nonpartisan. It was approved by a 34-to-0 vote in the state Senate and by a 137-to-4 vote in the House of Representatives.
Real ID is nothing but a sham, and security theater. Bruce Schneier has written about it before, but it’s just delusional. The only thing it will guarantee is a sky-rocketing amount of identity theft by many people1 who are not in-the-least terrorist risks.
You must address the actual risk, not some tangential vector. This might be “easy,” and it might sound good in a 5 second sound bite, but it will do absolutely nothing to improve security, and it may, in reality, substantially reduce it by placing an inappropriate trust in an ID.
1 You know, like the people who pick your strawberries and mow your lawn. We put too much faith in identification, which means very little. Even this will be trivially forgeable.
No thoughts
From 27b/6:
Computer security guru Fyodor reports waking up yesterday to find his website SecLists.org essentially removed from the web by his domain registrar, GoDaddy. After a bunch of phone calls to GoDaddy, he eventually got them to explain why: Because MySpace asked them to.
I’m sure this is something totally reasonable, except:
Their general counsel tries to defuse it, and just makes it look even more stupid:
General counsel Christine Jones defends taking down SecLists.org, saying that Fyodor had close to an hour to respond to GoDaddy’s voicemail and e-mail warnings yesterday, and didn’t.
“We couldn’t reach him, and because the content was hundreds and hundreds of MySpace user names and password, we went ahead and redirected the domain to remove that content,” she says.
An hour? How generous. Maybe even less based on the information in the article.
“For something that has safety implication like that, we take it really seriously,” she says. “For spammers, we give people a little bit of time to respond to us.”
Wow, talk about blowing things totally out of proportion. Spammers get all the love from GoDaddy, apparently. Idiots.
Please understand that I think publishing this in the way it was done was a bad idea; however, the reaction by GoDaddy only makes the situation worse, and MySpace has demonstrated that they, like so many, are only concerned with the perception of security, and not with doing anything to actually make their users more secure. Unfortunately, I’ve used GoDaddy for registration, but that will change.
If people have any recommendations of people who have stood up to this kind of inanity
1 thought
As one of the things I work on, I do penetration testing of some of my clients, and work to determine both the efficacy of their defences, but also whether or not they are easily discoverable. While security through obscurity is not a good strategy, it doesn’t hurt if it’s just another layer. More and more, I’m finding that, at least for systems on the Internet, the general security posture of the platform1 is pretty good.
What is often overlooked, however, is the necessary monitoring and observation that can maintain the proper posture over an extended period. Sure, the system might be “secure” when you install it, but what about tomorrow? What about as the nature of threats change? Someone has to be paying attention. Almost universally, no matter how talented the capabilities of the staff, they are static.
If you’re paying someone to watch your network for you, 24×7, don’t you think they should notice less than subtle attacks on the network? I can forgive not finding totally randomized SYN-probes, but when, just for kicks, I let something like nikto or Metasploit loose without constraint on a server and nobody notices, I am especially concerned.
The lock is not as good as you think if you don’t pay attention to the behavior around the door.
1 I’m speaking purely of network, system and server infrastructure. I am not speaking of the applications developed on top, which continue to be a largely unmitigated disaster.
No thoughts
Marcus Ranum attacks the default permit model that many things take in the security world.
For a number of years – about twenty – I’ve been saying that “default permit” security is stupid. Basically, you’re adopting the approach that “everything is allowed” and then trying to identify the things that are known to be dangerous, in order to block them. We’ve seen this approach used in virtually every area of computer security, and it has been a failure every time. Before firewalls became popular, a lot of organizations used router filters at the edges of their networks to block “bad” applications like rsh – but eventually that approach gave way to firewalls with a “default deny” policy: there were too many “bad” applications to enumerate. Intrusion “prevention” systems take the “default permit” approach, as well. The final bell hasn’t rung for them (yet) but if we look a little bit into the future it doesn’t take a rocket scientist to see what the end-game looks like. It looks like antivirus. Antivirus is the absolute pinnacle of “default permit” in action and it’s been sliding down a slippery slope of disaster since the 1980s.
He’s spot on in this way—as he often is—and I wonder how much longer we can continue this arms race in antivirus. There simply is no way that we can win that war, and so it seems silly to continue on that path forever. It has to end.
Marcus digs into the issues of execution control, which is a start, but I think that at the end of the day, it’s going to take something more elegant and user friendly. I have some ideas, I just need to put them down on paper, or pixels.
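To make the “default permit” versus “default deny” distinction concrete in the execution-control setting Marcus raises, here is an added example (not from his post or from any product); the “binaries” are constructed byte strings standing in for executables, and the policies key on their SHA-256. The denylist misses the binary nobody has analysed yet and the tampered copy of a good one; the allowlist does not.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables; the bytes are arbitrary and carry no code.
SAMPLES = {
    "editor_v1":      b"\x7fELF editor v1 (known good, reviewed)",
    "worm_2006":      b"MZ worm 2006 (known bad, signature exists)",
    "new_dropper":    b"MZ dropper nobody has analysed yet",
    # Same good binary with one byte changed: a new hash no list has seen.
    "editor_patched": b"\x7fELF editor v1 (known good, reviewed)"[:-1] + b"!",
}


class DefaultPermit:
    """Antivirus-style policy: everything runs unless its hash is known bad."""

    def __init__(self, denylist):
        self.denylist = frozenset(denylist)

    def allows(self, data: bytes) -> bool:
        return sha256_hex(data) not in self.denylist


class DefaultDeny:
    """Execution-control policy: only hashes an administrator approved may run."""

    def __init__(self, allowlist):
        self.allowlist = frozenset(allowlist)

    def allows(self, data: bytes) -> bool:
        return sha256_hex(data) in self.allowlist


def build_policies():
    """The denylist knows the 2006 worm; the allowlist knows the reviewed editor."""
    permit = DefaultPermit(denylist=[sha256_hex(SAMPLES["worm_2006"])])
    deny = DefaultDeny(allowlist=[sha256_hex(SAMPLES["editor_v1"])])
    return permit, deny


def evaluate(policy, samples=SAMPLES) -> dict:
    """Map each sample name to whether the policy would let it execute."""
    return {name: policy.allows(data) for name, data in samples.items()}


if __name__ == "__main__":
    permit, deny = build_policies()
    print("default permit:", evaluate(permit))  # lets new_dropper and editor_patched run
    print("default deny:  ", evaluate(deny))    # runs editor_v1 only
```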
No thoughts
Todd Schriber, the communications director for U.S. Rep. Denny Rehberg, R-Mont., solicited two “hackers” to change his college records system and upgrade his GPA. The transcript of all the correspondence is up on attrition.org and is a real hoot. It’s also depressing as hell how stupid these people are.
Squirrels indeed.
No thoughts
This wonderful post at The Daily WTF illustrates the general state of information security in the marketplace. For all the hundreds of millions spent on fancy devices, the basics just collapse under the weight of laziness.
No thoughts
Security is a tricky place to work. There’s a billion ghost-threats out there, and figuring out what’s real and what’s probable is a huge task that you never get right. One of the ways you figure out what’s possible is the use of red teams where “friends” act as the foe and you find out what can really be done.
The FAA did this and then ignored the warnings, risks and people probably died as a result. Even worse, the FAA and DHS continue to try and cover it up. Was 9/11 preventable? Probably. Was it at least possible to reduce its likelihood and potential impact? Most certainly. You can find Mr. Dzakovic’s testimony to the 9/11 commission online:
What happened on 9-11 was not a failure in the system, it was a system designed for failure. FAA very conscientiously and deliberately orchestrated a dangerous façade of security, ignoring the laws cited above. They knew how vulnerable aviation security was. They knew the terrorist threat was rising, but gambled nothing would happen if we kept the vulnerability secret and didn’t disrupt the airline industry. Our country lost that bet.
I’ve done red teaming, both electronic and physical, and universally everyone falls if you’ve got enough room to maneuver in your rules-of-engagement. That’s not the point. The point is to find out what it takes and how easy it is, and then to adapt to those risks before they become real. You must always assume your opponent has as much, or more, capability than you do, and more importantly, is not bound by the same laws and regulations. That’s what makes “you” the good guy, and “them” the bad guy.
No thoughts
Today, in super-vague fear-mongering:
Al Qaeda may be planning to attack rail and air travel in Europe—possibly targeting the busy holiday travel season—according to intelligence findings, the “CBS Evening News” reported on Friday.
Seriously, I could have told you that without looking at a freaking intelligence “finding.” If this is the best they can find, then I want my money back. This is really little short of standard fear-mongering. If you have something definite, then please deal with it, but vague proclamations like this don’t make anyone safer, and only further the goal of the terrorists: fear.
In many ways, the chicken littles that spout this drivel are behaving in a parallel manner to the terrorists. They are instilling and using fear to gain power and control the outcome. That is what terrorism is about. In one case you have people directly causing damage, and thereby creating fear. In the other, you have amplifiers of fear who are doing it out of their own megalomaniacal hubris. It’s a matter of degree, mostly.
2 thoughts
With the release of a new beta of v3.0 of the Metasploit Framework, a new age of vulnerability and exploit research can begin. The new version, built with a lot of Ruby inside, provides even more capabilities than before, and enhanced scriptability. In fact, it even includes an auto-pwn feature that is no doubt scaring the bejeezus out of a lot of security people. Good.
H.D. Moore and his amazing team once again raise the bar, and I think this is a bar that needs to be raised. Some people might say he’s making it easy for attackers, but it’s always been easier for the attacker than the defender. Everyone in the security food-chain needs to know how to exploit systems, if only so they can try and exploit their own.
No thoughts
Continuing our rants on idiotic ideas in the name of “security”, comes this article by Dennis Forbes:
The CYA Application Security Model is the practice of implementing so-called security obstructions primarily to absolve the vendor from blame if something goes awry during everyday operations. This model is usually sold under the pretense of improving user education, or encouraging safer application usage, but that’s of minimal actual concern (in reality the opposite outcome—more risky application usage—is probable).
Dennis goes on to discuss all the silliness that comes from this. The thing that I don’t think is emphasised enough in this writing though is the Chicken Little syndrome, which teaches users to ignore all the warnings because they’re stupid, and then they’re not actually paying attention when you need them to. This kind of thing also happens with warning labels in our lawsuit-obsessed world.
No thoughts
Franz Kafka called, he wants his ideas back.
Seriously, anyone who thinks that any security has been gained by the performance-art troupe that we lovingly call the TSA is living in a fantasy world that is only solvable with heavy medication, or election to Congress. The number of holes in the current methodology and ideas is exceeded only by the danger presented by the false sense of security that is granted to those participating in the farce.
Security is founded on trust, and a bunch of hand-waving and smoke screens do not create trust—only a good magic trick. Eventually, someone realizes this and the magician gets upset.
My coworkers have listened to me rant about this exact problem for years now, and if my little brain can conceive of it, then certainly some criminal mastermind can manage the same thing. Never mind the absurdity of expecting any screener to be able to identify the over 3001 valid forms of ID.
Can we please just stop this charade?
1 The number 300 is arrived at by this: 50 states, at least 3 forms (adult drivers license, teenage drivers license and ID-only) issued, and at least 2 currently valid designs. This does not include current passports, and other federal IDs that are accepted.
No thoughts
Security is one of those areas that tends to attract people with strong views. It’s somewhere I’ve occupied for a decade now, and I’ve seen a lot of people express a lot of divergent viewpoints. The one that binds every dedicated and serious security person together is this: “Security through obscurity is no security at all.”
If you think that hiding your “secrets” or weaknesses is going to provide more than the slightest modicum of protection from anyone with an IQ over 50 then you are not only deluding yourself, you are doing a major disservice to your clients—and we all have clients that we serve in one way or another. Dr. Dobb’s Journal cranks up the Fear-O-Matic mongering-machine and comes up with this gem of an article on the Metasploit Project.
There’s nothing singularly wrong with the article, and yet its breathless tone of astonishment that someone might create a tool for exploring security weaknesses and then might, horror-of-horrors, release it to the entire world, is so absurd as to be laughable. Just about every security person I know believes in full disclosure. Now, we don’t all agree on the exact mechanism and potential warnings, but we all believe that keeping something secret doesn’t serve the “greater good” that we focus on in general.
Why is that? Why do I think that Moore should release his exploits? It’s quite simple. If you don’t embarrass the hell out of most vendors, they will simply ignore the problem. Security is almost nobody’s top priority, even at the security vendors1, and that creates a situation where many problems go unresolved. Most researchers, although not usually Moore, try to make sure they tell a vendor ahead of time. They don’t always listen, or agree. Once it’s out in the open, they often have no choice but to resolve the issues.
I wish I could say it wasn’t necessary to shame people into writing non-crap code, but sometimes it is. Some people will say “but you’re giving our opponents all our secrets,” and that’s true. It is, however, massive folly to delude yourself into thinking they haven’t discovered them independently—especially considering how common a lot of the problems are—or that they aren’t capable of it. You must always assume that your opponent is smarter than you are. Anything less than that and you will lose. Pretending that sweeping a problem under the rug means nobody will know about it is simply not effective.
1 The number of security products that have gaping security holes in their own implementation is pretty substantial.
No thoughts
Many, many moons ago, I wrote software for a Harris/Nighthawk1, specifically to get a certain type of device working for a certain government agency for storage of sensitive information. As such, I became intimately familiar with how complex an MLS system can be, but it was very useful in getting me up-to-speed on formal security models, such as Bell-LaPadula and the Biba trust model. I had parked most of that knowledge far away, as realistically, the systems that ran that kind of technology were no longer within my grasp.
Now, as I’m perusing one of the bazillion blogs that I try to keep up with, I stumble over a reference to the Trusted Extensions on Sun’s Solaris. It’s looking to be an amazing bit of work, and there is more information in these slides and some screen shots that remind me of the whole Compartmentalized Mode Workstation (CMW) effort that was so dominant in the security community through the 90s.
I’m looking forward to seeing what comes of this, and more importantly, potentially exploring it as a secure way to implement some ideas I’ve had brewing for a while. There are a lot of things that become simpler when you can hold multiple labels on the same system.
1 The Nighthawk was a Motorola 88K RISC system that ran a multi-level secure operating system. Strangely, I eventually started using them again, as Harris created the Cyberguard firewall, which ran on Nighthawks initially, and eventually CX/UX (but not SX/UX) was ported to more commodity hardware as Motorola had EOLed the processor. Eventually, CX/UX was totally abandoned, and a commodity OS was used (UnixWare and Linux).
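The label checks that Bell-LaPadula and Biba define, and the label-combining that makes “multiple labels on the same system” work, as an added example (not from Solaris Trusted Extensions or the Nighthawk; the level and compartment names are constructed). Labels form a lattice: a level plus a set of compartments, ordered by dominance.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()


class Lattice:
    """An ordered list of levels; compartments are compared as sets."""

    def __init__(self, levels):
        self.rank = {name: i for i, name in enumerate(levels)}

    def dominates(self, a: Label, b: Label) -> bool:
        """a >= b: higher-or-equal level and a superset of b's compartments."""
        return (self.rank[a.level] >= self.rank[b.level]
                and a.compartments >= b.compartments)

    def lub(self, a: Label, b: Label) -> Label:
        """Least upper bound: the label data derived from both a and b must carry."""
        top = a.level if self.rank[a.level] >= self.rank[b.level] else b.level
        return Label(top, a.compartments | b.compartments)


# Constructed sample hierarchies.
CONFIDENTIALITY = Lattice(["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"])
INTEGRITY = Lattice(["UNTRUSTED", "USER", "SYSTEM"])


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return CONFIDENTIALITY.dominates(subject, obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    return CONFIDENTIALITY.dominates(obj, subject)


# Biba (integrity): the mirror image, no read down, no write up.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return INTEGRITY.dominates(obj, subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    return INTEGRITY.dominates(subject, obj)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    memo = Label("CONFIDENTIAL")
    plan = Label("TOP_SECRET", frozenset({"CRYPTO"}))
    reactor = Label("SECRET", frozenset({"NUCLEAR"}))    # incomparable with analyst
    print("read memo:", blp_can_read(analyst, memo))     # True
    print("read plan:", blp_can_read(analyst, plan))     # False (read up)
    print("write memo:", blp_can_write(analyst, memo))   # False (write down)
    print("read reactor:", blp_can_read(analyst, reactor))  # False (missing compartment)
    print("lub:", CONFIDENTIALITY.lub(analyst, reactor))  # SECRET {CRYPTO, NUCLEAR}
```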
No thoughts
For anyone who has been paying attention for the last few years, it’s become obvious that there’s a shift in the nature of the threat posed by various types of ill-intentioned software. The sky-rocketing adoption of the Internet has no doubt increased the rate of development by dropping the cost of distribution, and thereby increases the probability of return with malicious intent1. I hadn’t seen any documented analysis of this perception, until now. Kaspersky Labs has published an analysis of the past few years of trends in different categories of security attacks. The trends are quite interesting.
1 This is to a large extent the same underlying cause with spam. The cost, per unit, asymptotically approaches zero, which means the risk drops equally. It doesn’t take much to make money.
1 thought
I don’t know what the hell to think about this idiotic organization called TSA:
A stick of dynamite was found in a college student’s checked luggage on a Continental Airlines flight from Argentina, authorities said, in one of six security incidents Friday affecting U.S. flights.
What the hell? A stick of dynamite. One does not accidentally leave a stick of dynamite in one’s luggage.
Federal authorities were investigating why the student, who got off the Continental plane in Houston before it continued to Newark, N.J., had the explosive, FBI spokeswoman Shauna Dunlap said. She said the student did not appear to be connected to terrorism.
WTF? He has a stick of dynamite in his luggage, he gets off the flight before his destination, but you don’t think it might be a bit oddly terroristic? I mean come on, what possible legitimate reason could there be?
While people are stripped of their bottles of water, lipstick and other things, apparently we can’t pick up a freaking stick of dynamite in someone’s luggage. Seriously, WTF? While this may turn out to be “nothing,” in the end, like much that TSA does, I wonder how such things that might even look like a stick of dynamite would be allowed through.
3 thoughts
Much better than ours:

[from Accordion Guy via Emergent Chaos]
1 thought
Bruce Schneier hits the nail on the head:
Our politicians help the terrorists every time they use fear as a campaign tactic. The press helps every time it writes scare stories about the plot and the threat. And if we’re terrified, and we share that fear, we help. All of these actions intensify and repeat the terrorists’ actions, and increase the effects of their terror.
[...] The implausible plots and false alarms actually hurt us in two ways. Not only do they increase the level of fear, but they also waste time and resources that could be better spent fighting the real threats and increasing actual security. I’ll bet the terrorists are laughing at us.
[...] The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn’t make us any safer.
Amen, brother. Politicians see this as a way to cow the public into submission, to further cement their stranglehold on power. We have to stop chasing movie-plot threats, and stop trying to keep everyone scared with some asinine “threat color coded index” that seems to get manipulated around elections. Prepare for “disaster,” but the insanity of the airports and other places does nothing but give the terrorists what they want.
The Bush Administration, in its continual Orwellian effort to classify the truth, has decided to reclassify 1971 information that has been declassified for years:
Once-public documents on U.S. missile defenses in the 1970s have been ordered sealed from view by the Bush administration, The Washington Post reports.
The newspaper said an open House Armed Services Committee heard in March 1971 the United States had 30 strategic bomber squadrons, 54 Titan intercontinental ballistic missiles and 1,000 Minuteman missiles, but those numbers are redacted in a copy of the chart obtained by the National Security Archive’s researchers in January, archives officials said.
“It’s yet another example of silly secrecy,” said Thomas Blanton, the archive’s director.
However, Bryan Wilkes, a spokesman for the National Nuclear Security Administration, defended the reclassification.
“There’s no question that current classified nuclear weapons data was out there that we had to take back,” Wilkes said. “And in today’s environment, where there is a great deal of concern about rogue nations or terrorist groups getting access to nuclear weapons, this makes a lot of sense.”
This is just idiocy. Do people really think that a few numbers about our capabilities in 1971 are even in the least bit interesting for anyone concerned about security today? It’s interesting for history, but not for “terrorists.” This is the knee-jerk reaction that I have witnessed for years now in DC where everything is classified unless you sue the hell out of them to declassify it. Even then, you get stupid things redacted.
What are these people afraid of? Oh right, truth, and the history that will eventually be written about their incompetence. Things like this just get caught in the crossfire of their paranoia.
As I’ve privately mentioned to a lot of people, the idea of RFID-driven passports is an insanely stupid one. RFID is trivially snoopable, and quite honestly, I never trusted the brain-trust that was behind most of the security ideas. It seems my distrust was well placed:
In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker—Walluf, Germany-based ACG Identification Technologies—but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.
He then launched a program that border patrol stations use to read the passports—called Golden Reader Tool and made by secunet Security Networks—and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.
Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader—which can also act as a writer—and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.
As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.
The result was a blank document that looks, to electronic passport readers, like the original passport.
I feel safer, don’t you?
Now, some people will say that the RFID is for convenience, but “the U.S. State Department and others say will help thwart document forgery,” which has been a huge and growing problem. Of course, the fact that it was basically developed in a security vacuum, and by people who pride themselves on thinking inside minuscule boxes, means that the problems, which many of us have been worried about, are of course all true.
The FBI has a colorful and vibrant history of incompetence when it comes to their own security. An article in today’s Washington Post further contributes to this storied history. Let’s dive right in, shall we?
A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.
The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.
The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon’s “curiosity hacks” nonetheless exposed sensitive information.
Let’s note what’s not mentioned in here. First, no mention of any effort to remediate the issue or prevent it in the future, simply “clean-up” effort in the “millions of dollars”[1]. This is especially troubling when we find out what really happened:
Colon used a program downloaded from the Internet to extract “hashes”—user names, encrypted passwords and other information—from the FBI’s database. Then he used another program to “crack” the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet.
So basically, he used the same technique that has been useful for 20+ years, and the real issue is really weak passwords. Way to protect information. And how was he able to get access to the underlying “encrypted”[2] passwords to run this against in the first place?
So why did this happen?
Colon’s lawyer said in a court filing that his client was hired to work on the FBI’s “Trilogy” computer system but became frustrated over “bureaucratic” obstacles, such as obtaining written authorization from the FBI’s Washington headquarters for “routine” matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed the work.
And therein lies the truth of the matter. The minute security gets in the way of legitimate use, people will find a way around it. Sometimes it’s just a trash can propping a door open, sometimes it’s people writing their 49 passwords down so they can remember them, and sometimes it’s people cracking passwords so they can get their job done. The reality is that until you address these underlying issues, you will never find a way to tighten security.
Unfortunately, the FBI seems to be missing the point as usual.
[1] This is likely a bogus PFA number like so much else in security tends to be. A few people probably worked a few hours to clean up after this, but their time is valuable dammit.
[2] Hashed or encrypted is a general assumption. For all I know, these are people who think ROT-13 is the right way to do this.
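The post describes two defensive failures at once: passwords that fall to dictionary words, common-password lists and character substitutions, and stored hashes cheap enough to crack offline. The following is an added example (my code, not anything from the FBI, the article, or the tools it mentions) of the checks a defender would run at password-set time: it rejects candidates that normalize back to a dictionary word through the same substitution tricks a cracker tries, and it stores the surviving passwords with a salted, iterated hash so that each offline guess costs real work. The dictionary and common-password list here are tiny constructed samples; a real deployment would load full wordlists and breach lists.

```python
"""Password-policy check and slow salted storage (added example, not the post's code)."""
import hashlib
import hmac
import os
import re

# Constructed sample wordlists; stand-ins for the full dictionary and
# breached-password lists an attacker would actually feed a cracker.
DICTIONARY = {"password", "welcome", "trilogy", "printer", "summer", "letmein", "admin"}
COMMON_PASSWORDS = {"123456", "qwerty", "password1", "abc123"}

# Reverse map of the character substitutions crackers try ("p@ssw0rd" -> "password").
UNSUBSTITUTE = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

MIN_LENGTH = 12          # assumed policy value
PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise as hardware gets faster


def normalize(candidate):
    """Reduce a candidate to the dictionary word a cracker would derive it from."""
    base = candidate.lower()
    base = re.sub(r"[0-9!@#$%^&*]+$", "", base)   # 'summer2004!' -> 'summer'
    base = re.sub(r"^[0-9!@#$%^&*]+", "", base)   # '!!admin' -> 'admin'
    return base.translate(UNSUBSTITUTE)           # 'tr1logy' -> 'trilogy'


def weakness(password):
    """Return why the password would fall to a dictionary attack, or None if it passes."""
    if password.lower() in COMMON_PASSWORDS:
        return "on common-password list"
    if normalize(password) in DICTIONARY:
        return "dictionary word with substitutions/digits"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


def store_password(password):
    """Salted, iterated hash for storage; the format is this example's own."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ["p@ssw0rd", "Tr1logy!", "123456", "Zq8!", "xk7Qz9mLpw2Rv"]:
        print(f"{pw!r}: {weakness(pw) or 'accepted'}")
    record = store_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record), verify_password("wrong", record))
```

The normalization order matters: trailing digits and punctuation are stripped before the substitution map is applied, otherwise a year suffix like `2004` would be turned into letters and the underlying dictionary word missed. The storage half addresses the other half of the post: with a per-user salt and a six-figure iteration count, the "run a wordlist against every extracted hash" step the article describes has to be repeated per account at a much higher cost per guess.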