Category: Security

The Airport Security Follies

Brilliant blog piece by author and pilot Patrick Smith in the Times. Somebody’s been reading Bruce Schneier.

New York Times Blog: Six years after the terrorist attacks of 2001, airport security remains a theater of the absurd. The changes put in place following the September 11th catastrophe have been drastic, and largely of two kinds: those practical and effective, and those irrational, wasteful and pointless.

The first variety have taken place almost entirely behind the scenes. Explosives scanning for checked luggage, for instance, was long overdue and is perhaps the most welcome addition. Unfortunately, at concourse checkpoints all across America, the madness of passenger screening continues in plain view. It began with pat-downs and the senseless confiscation of pointy objects. Then came the mandatory shoe removal, followed in the summer of 2006 by the prohibition of liquids and gels. We can only imagine what is next.

To understand what makes these measures so absurd, we first need to revisit the morning of September 11th, and grasp exactly what it was the 19 hijackers so easily took advantage of. Conventional wisdom says the terrorists exploited a weakness in airport security by smuggling aboard box-cutters. What they actually exploited was a weakness in our mindset — a set of presumptions based on the decades-long track record of hijackings.


Colossus Is Back Baby!

No, I haven’t put all that weight back on again. This is the Colossus that cracked German ciphers during WWII, rebuilt over an incredible 14 years in Bletchley Park. Valves an’ all!

I’m going to London in February to buy a whole new set of clothes, so poor old T is going to be dragged all the way to Milton Keynes. :)


Hushmail not very… Hushy?

“The amount of data which Hushmail was required to turn over to the US DEA relating to 3 email addresses.  3 + 9 = 12 CDs  What kind of and for what length of time does Hushmail store logs?”

(Via Cryptome.) 

More privacy violations at Facebook

Valleywag: “My friend got a call from her friend at Facebook, asking why she kept looking at his profile,” says a privacy-conscious source at a major tech company. Turns out Facebook employees can (and do) check out anyone’s profile. Not only that, but they also see which profiles a user has viewed — a major privacy violation. If you’ve been obsessed with a workmate or classmate, Facebook employees know. If Barack Obama’s intern has been using the campaign account to troll for hotties, Facebook employees know. Within the company, it’s considered a job perk, and employees check this data for fun.

Damien recently said “hah” on my “Wall” on Facebook. He didn’t see fit to reply when I asked what he meant – although it’s possible it has the same retarded design as Bebo’s – but at a guess I’d say he was poking fun at the fact that I’m actually on Facebook, given my larting of it in several locations. In actual fact I’ve been a member since it opened, just like I’m a member of Bebo, MySpace, and most other “Web 2.0” sites. I’m an Internet consultant, it’s my job to keep an eye on these things; plus, when your biggest clients add you to their networks, it’s generally not a good idea to tell them to fuck off.

It doesn’t stop me hating them, and their disdain for privacy. I’ve read several posts recently saying that Facebook is going to become the de facto social networking site across the board, not just for the social networking addicts, but for professionals too. And they may be right, and Facebook certainly seems to be trying to accommodate them; but that doesn’t mean that they have the best platform, or more importantly, the best practices and policies. It means they have the most sheep.

I don’t want to be a member of Facebook. I’ll stay a member because it may be good for business in the long run, but I won’t visit it unless I have to. I’d much prefer to spend my time – and money, if necessary – on something like LinkedIn. It has problems too, but it’s just better put together and better thought out. That’s where business people should be, not bleating at each other like idiots and getting nothing done on Facebook.

Google’s Dictionary

I think Google must have a special dictionary that constantly redefines the word “evil” to suit their own ends. The words “privacy” and “competition” would seem to morph about quite a bit too.

In response to a letter the German data protection commissioner wrote to the European competition commissioner, coming out against the Google-Doubleclick deal, Google responded:

“We believe that this acquisition will increase competition and benefit both consumers and advertisers”.

Perhaps if they’d put the statement the other way around it would have been more believable. Of course it will benefit advertisers, since they’ll be in a much better position to target users as a result of the merge of company data. And it will benefit users on one level, in that those ads will be more relevant to them.

What about privacy though? Damien contends that the new kids on the block don’t care about privacy, and he’s probably right, but there’s plenty of us remaining that aren’t kids. And to be perfectly frank, many of us think those particular kids are thick-as-shit reality TV vegetables, and their own worst enemies anyway.

To add insult to injury Google and DoubleClick add that “DoubleClick does not own, and has limitations on its use of, the data it processes for its publisher and advertiser clients”, which of course ignores the fact that DoubleClick does control the data. And the limitations.

But it’s the “increase competition” line that gets me. How exactly will a merger of two of the biggest advertising firms on the planet increase competition? Answer: it won’t. That would be a lie.

Little tip for you Google: Lying Is Bad. Some might call it “evil”.

Free Dinner

Bruce Schneier highlights a “synchronization attack” on drive-through restaurants. Is this France’s way of retaliating against America for fast food?

There’ll be a few extra Glanzas in Dinos in Blackpool tonight.

vBulletin Attacks

Any other vBulletin admins notice attacks recently? was attacked in a big way this morning, with bots attempting automated logins on dozens of accounts. locks down accounts after 5 failed login attempts and emails the account holder, and I receive bounce messages if the email addresses in their profiles are incorrect. I received over a hundred of these in the space of about half an hour this morning, on multiple usernames from multiple IP addresses. These are just the ones that bounced, remember.
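The pattern above (a few failures per account, spread over many usernames and many source addresses) is exactly what a per-account lockout counter sees only one piece of. As an added example, not code from this post or from vBulletin, here is a small Python detector that applies the 5-failure lockout rule to a constructed auth log and, alongside it, a site-wide check that fires when many accounts fail from many IPs inside one window. The log format, usernames, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from the post): two accounts each hit 5 failures from a pool of IPs; carol is normal traffic.
SAMPLE_LOG = """\
2007-11-20 08:01:02 LOGIN_FAIL user=alice ip=10.0.0.5
2007-11-20 08:01:03 LOGIN_FAIL user=alice ip=10.0.0.6
2007-11-20 08:01:05 LOGIN_FAIL user=alice ip=10.0.0.7
2007-11-20 08:01:06 LOGIN_FAIL user=alice ip=10.0.0.5
2007-11-20 08:01:08 LOGIN_FAIL user=alice ip=10.0.0.8
2007-11-20 08:01:09 LOGIN_FAIL user=bob ip=10.0.0.6
2007-11-20 08:01:10 LOGIN_FAIL user=bob ip=10.0.0.7
2007-11-20 08:01:12 LOGIN_FAIL user=bob ip=10.0.0.8
2007-11-20 08:01:13 LOGIN_FAIL user=bob ip=10.0.0.9
2007-11-20 08:01:15 LOGIN_FAIL user=bob ip=10.0.0.5
2007-11-20 08:02:40 LOGIN_FAIL user=carol ip=192.0.2.44
2007-11-20 08:02:55 LOGIN_OK user=carol ip=192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) ip=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, ip); lines that do not match the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def lockouts(events, threshold=5):
    """Per-account rule as the post describes it: the 5th consecutive failure
    locks the account. A successful login resets the streak. Returns {user: {ips}}."""
    streak, ips, locked = defaultdict(int), defaultdict(set), {}
    for _ts, outcome, user, ip in events:
        if outcome == "LOGIN_OK":
            streak[user] = 0
            ips[user].clear()
            continue
        streak[user] += 1
        ips[user].add(ip)
        if streak[user] >= threshold:
            locked[user] = set(ips[user])
    return locked

def campaign(events, window=timedelta(minutes=5), min_accounts=2, min_ips=3):
    """Site-wide signal the per-account rule misses: many distinct accounts failing
    from many distinct IPs inside one window. Returns (accounts, ips) counts or None."""
    fails = sorted((ts, u, ip) for ts, o, u, ip in events if o == "LOGIN_FAIL")
    for i, (start, _u, _ip) in enumerate(fails):
        bucket = [f for f in fails[i:] if f[0] - start <= window]
        users, ips = {f[1] for f in bucket}, {f[2] for f in bucket}
        if len(users) >= min_accounts and len(ips) >= min_ips:
            return len(users), len(ips)
    return None
```

On the sample log, `lockouts` flags alice and bob but not carol, while `campaign` reports 3 accounts and 6 source addresses in one window, the signal the bounce messages were giving the author by accident.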

Mobile Phone Registration Response

The full response to my objection is attached if you’d like to read it, but roughly translated from the we-don’t-give-a-shit-what-you-think language the Greens have rapidly picked up from the Fianna Failures, it says:

“I didn’t actually read your email and have sent you this form response. Fuck you.”

And fuck you too Eamon.

“Hey, check this out!”

Bruce Schneier notes a recent study on phishing that found that over 70% of people will click on a link if it looks like it’s coming from someone they know, and jokes about men being suckers for the ladies, what with them being 15% more likely to click if the email comes from the fairer sex. (Although I should also note that, in general, women were 10% more likely to click than men. :)

I think an interesting addition to this research would be an analysis of how the baton is passed between people, and how often it does laps. In this research the names and email addresses probably came from a control set, however in reality phishers get them from address books stolen by trojans on compromised computers.

Obviously the stolen address book must come from a common contact if both names are in it, but the ruse will be much more successful if the source or target is the owner of the address book, and the opposite number someone in it. And around we go. So what we have here is actually a Six Degrees Of Separation Möbius Strip Of Stupidity.

Another study Bruce notes only serves to highlight the naivety of modern man. Although the response rate isn’t enumerated, a professor at Indiana University has found that people are willing to respond to fraudulent emails if the attacker identifies the first four digits of their credit card number, instead of the usual last four.

You all know why they use the last four, right? If you don’t and the first four digits of your card are 4539, this is Mmbaza from Bank of Ireland and I’d like to talk to you about a trust account in the name of Mrs. Charles J. Haughey and a transaction which will fall in your favour to the tune of 10% of Thirty Million Euros.

Security Public Relations Excuse Bingo

Via Bruce, who features himself. :)

I’m going to be naughty and paste all the items, otherwise you’d be there all day hitting refresh.

  • You’re so negative
  • Our proactive technology solutions prevent that
  • Our proprietary encryption algorithms prevent that
  • We have CISSP certified engineers
  • That’s just theoretical mumbo-jumbo
  • You’ll be hearing from our lawyers
  • You’ve got a conflict of interest
  • That’s only there for backward compatibility
  • We meet all government standards
  • We meet all industry standards
  • It doesn’t need to be very secure
  • Nothing is 100% secure
  • We take security very seriously
  • We don’t comment on security matters
  • No comment
  • You are in violation of the DMCA
  • We already knew about it
  • Nobody will ever try to do this
  • What kind of a person looks for flaws?
  • No one would ever think of that
  • Our success speaks for itself
  • You’re paranoid
  • You’re just an academic
  • You’re only helping the bad guys
  • Why do you hate America?
  • You don’t understand the context
  • The product was tested by security experts
  • We employ top security experts
  • Who are you to criticize, anyway?
  • This is probably fixed in the next release
  • No one has complained before
  • No one has ever found any problems
  • It’s a feature our users want
  • Let’s see you design something better
  • You’re just looking for attention
  • You must be being paid by our competition
  • We’ve always done it this way
  • Everybody does it this way
  • We follow industry standard practices
  • We think it is secure enough
  • You’re being irresponsible
  • If you hadn’t told anyone, it would still be secure
  • La, la, la we’re not listening
  • It’s secure enough for our customers
  • We use cryptography
  • We read Schneier’s book
  • What do you have against us?
  • Why are you trying to harm our industry?
  • It would be too expensive to fix that
  • Our customers love our product
  • We’re fully ISO-9001 compliant
  • Nobody’s perfect