Bill Ryan's Other Blog

Bruce Schneier links to a story over at f-secure about a scam as brilliant as it is evil..  As far as scams go, it’s not ‘evil’ in the sense of taking you to the cleaners (it attempts at getting you to pay $400.00  so I guess the damage largely depends on where you’re sitting at the time) but it’s evil b/c as Schneier puts it, “the level of detail is impressive.”

What it does is basically pops up a warning indicating that you have software on your machine that violates copyright law.  It then demands $400.00 payment to clear up the matter.  There’s a very official looking website and for all intents and purposes, it looks ‘real’.  There’s no typos on it for one thing (I’ll never cease to be amazed at how few scammer ever bother to spell/grammar check their content or bother to get a native language speaker write the content.  It’s really not that hard to find someone who speaks English as their native language. And it’s a highly guarded secret  that there are different dialects of English and most of the major languages.  Typos, culturally incorrect spelling {realise vs. realize if you’re sending it to someone in the US}, usage errors and the like are commonplace in just about every scam I’ve encountered). The e-commerce components appear to work perfectly.  The folks at f-secure already went ahead and looked up the domain registration and while it’s registered to someone already well known in the scamming community, most lay people wouldn’t recognize the name.  All in all, they did their homework and paid a lot of attention to detail.

Then again, considering how little respect some in the law enforcement community regard copyright law, I’m amazed anyone’s actually paying them

[tags] ICPP Copyright Foundation [/tags]

This post and all others on this site are subject to the current Copyright as well as the Sites Terms of Use. Any reproduction, duplication or publication without express written permission from the author is strictly prohibited.

Yesterday, I wrote a post describing a hypothetical situation where two adversaries were trying to gain intelligence on each other (Need someone’s email or access to their computer?). I would have written this follow up last night, but Sarah and I went to dinner a little late and by the time we got home, I was too tired to write. And when we arrived, there was a whole lotta Proliferating going on in our living room. So I spent the last 20 minutes of the evening engaging in some hard core counter proliferation of Poopy Nice Nice (I didn’t have time to conduct full Counter Proliferation i.e. Bungholian Analysis  so I have yet to identify the culprit but rest assured, it’s going down tonight) .  The Sausage Dog of Doom is a very evil Creature, but I digress.

In that post, I described a few different attack vectors and the +/- of each approach.  And I showed what one could accomplish if they loaded the right software on an adversary’s machine.  I did this without giving too many specifics to show people how easy this is to do. And I asked repeatedly, if you were the target, would this attack work on you?  I think in many cases it would.

Now, one of the key pieces isn’t technological, it’s Social Engineering. [Remember that humans are almost always the vulnerability that attackers take advantage of on successful exploits.  In all of Kevin Mitnick’s attacks, almost all of them were based on successful Social Engineering.  In The Art of Intrusion, he goes through a time when he actually used it to show some big shots at the Pentagon how vulnerable there were) A target might be reluctant to open any attachments that came  from you.  In this case, the ‘evil step mother’ didn’t respect the children’s privacy and would read through the kid’s email looking for information about the other parents or negative stuff the kids were saying about her.  So I showed how you might get someone like that to bite.  You put something intriguing sounding in the Subject line – something you know that would get the person’s attention. It should be enough to make sure they want to read more, but not bad enough it could be used against you.  Then, in the body of the message, reference some instructions in the attachment and make the contents sound like a smoking gun of sorts. Now, instead of trying to convince Maria to open the attachments, Maria will WILLINGLY and AMBITIOUSLY take it upon herself to open the attachment, which is how you could install the Keystroke Logger. B/c she has her eye on scandal stuff in the kid’s email, she isn’t thinking about possible infections. In fact, she’ll  likely bypass/ignore any warning the system puts up (assuming any were) b/c they really want to see what’s in the document. And b/c they took it upon themselves to do this, and b/c it’s the kid’s account they were looking through – they’ll be convinced it’s legitimate contraband and doubtfully will ever look back.  At this point, if you don’t put anything juicy in there, they’ll be mad and might smell a rat. On the other hand, if you give them too much red meat, they could use it against you. So meet in the middle. Come up with something that’s mildly offensive.  Something that you know will anger them (just b/c they get angry easy) but that a reasonable person would say Oh, come on, that’s really nothing to.  This gives them their pound of flesh and in this case Maria would be dying to get ANYTHING on Sallie, so she’d be satisfied with anything that she had where Sallie said something negative about Maria in.  Of course, you could just go nuclear, but remember that has the potential to be used against you.  If you don’t put anything in there, the target will wonder what’s going on and will be much likely to think long and hard about the attachment.  If you get them to do it themselves, and it conforms to their suspicions, they’ll never think twice about it. Remember, once you had the keystroke logger on their machine (Rather, I want you to think about what would happen if they got the keystroke logger on YOUR Machine), all of your passwords are probably theirs too. Any email or chat account is there. And God knows what can be mined from Email and Chat accounts.  Any Browsing. Any site passwords. Any banking passwords (heck, they’d even be able to see your challenge responses).  This is about as bad as it could get for most people.

While this is a hypothetical, you can see where stuff like this would really apply. what I was trying to show is the thinking you must engage in to get the other person to drop their guard. After all, once you got the keystroke logger, you’d be able to access their personal emails on external accounts like Yahoo, AOL, Hotmail or Gmail. You’d be able to see what sites they visited. You’d be able to see contents of Chats they engaged in. You’d be able to see documents they were typing.  In short, you would have a gold mine of information.  And if the target was indeed doing something underhanded, dishonest or immoral – you’d have all the details you’d need to crush them.  Even if it wasn’t admissible in court, you’d know enough information to help you ‘coincidentally’ send the right subpoenas or find the dead bodies and smoking guns. 

Let’s say you had the same case, but the adversary respected the children’s privacy. Or, let’s say there weren’t any children.  What would you do then?  One thing you could do is send a copy of a legitimate legal document to them (you could take a legit court document, insert the malware in there and be done with it. They’d be much more likely to ignore any warnings they got b/c it’s something they expect, from a source they ostensibly trust. And if it was discovered, the assumption would be that it started at the source, not with you). 

You could similarly send an ‘official letter’ to them with a title and subject that would make them really want to open it.  Or, you could spoof an email address pretending to be someone they knew (like a supervisor) and attach documents that look like something that might normally be sent.  Call their office and find out who is in charge of Payroll.  Look on the Contact Me form of their company to see the Email Address format that’s used (like FirstName.LastName@companyname.com).  Spoof that email and send a PDF with ‘Payroll Receipt for period ending XX.XX.XXXX”) And just put nothing in it.

If you used an exploit like this one found in Adobe PDF, the possibilities of what you could do are endless. Maybe instead of the boss, you could pretend to be their parents. And in the document, send it with a title that is something they might expect to get.  They open the document, it’s empty so they won’t think much of it, but they’re now infected and you’re able to log into their email accounts and read through everything. You could get extra clever and pretend to be a close friend or relative. Let’s say Maria had a brother named Bill – certainly her ex-husband would know this. Let’s say Bill normally used Bill.MariasBrother@hotmail.com – Sallie could create an account that’s Bill.MariasBrother@yahoo.com – she could spoof the From: part of the email so it comes from Hotmail.com. But she could use the Yahoo account for the Reply To.  Unless Maria is really savvy and pays close attention to this stuff, it’s doubtful she’d ever catch it (in fact, unless she hit reply, she wouldn’t ever even be able to see the Reply To)

Maria:

Hey, it’s me, Bill. I need a favor, Here’s a copy of something I wanted to get mom for her birthday.  (Common Friend) had some trouble opening it so if you open it up and it’s blank, try downloading the new Acrobat reader. If it still doesn’t open, I can resend it to you as an image format.  Let me know what you think. If you like it, I’ll go ahead and order it and sign all of our names.

Maria opens it and there’s nothing there. (Her machine is now infected and her worst enemy now owns her computer.) Because “Bill” already mentioned it as a possibility,  Maria isn’t suprised by the blank PDF document.  So she follows the instructions and downloads the latest Adobe reader and gives it one more try. Again, nothing. So she hits Reply on the email and says:

Bill, I tried opening the document, but couldn’t. I even got the new Acrobat but it still didn’t show up. Can you send me the picture instead?

This time though, it goes to the Yahoo account so the real “Bill” would never know of what happened. Maria already saw the email came from “Bill” originally, so it’s doubtful she’d pay attention the the Reply To address, especially when it’s so similar anyway.  Even if she noticed it, she very likely would just ignore it. ( I use a different Reply To address most of the time and have only had a handful of people ever mention it to me or ask about it. ) A few days later when they spoke, Maria would mention it to Bill. Bill would have no idea or think Maria’s talking about something else or that it got eaten in the spam filter.  When they synced up, chances are they’d just assume it’s spam when they couldn’t figure it out.

And even if they do, at this point, it’s too late. All the counter proliferation measures in the world won’t save them now. Even if they suspected something bad, it’d likely be at least a few hours later, and she’d almost certainly have checked her email by then. She almost certainly will have typed a password to the machine in by then.  So even if they suspected something – there’d be nothing apparent on the machine. By this time, the logger should be deactivated so it’d be really hard to detect (especially if they wrote it themselves, b/c it wouldn’t match any known definitions and even well known ones are good at hiding themselves). Even if Maria and Joe found it, they’d have no idea what it was or what it did and if it was homemade, they'd have to decompile it and have a savvy coder figure out what it did.  Doubtful.  But this would almost never happen. Most people just delete spyware assuming they can find it. How many people do you know that have spyware infections decompiled and looked through?  I’m a software developer and I wouldn’t even go through that hassle. In fact, I can’t imagine ever wasting that much time or energy on it.

Even if they did all of this, it would take forever. By then, the attacker would own their email accounts, chats and most other things.  Here’s the beautiful part.  Since the Logger is deactivated, there’s no indication it’s running (or very little indication).  Let’s say Maria decided to change her password (or just did it as a routine course of action).  Sallie tries to get in and it doesn’t work this time.  No problem.

Sakkue just goes to the configuration, tells the Logger to activate itself, and depending on the product, turn itself off once the file gets to X kb or shortly after the words http://www.aol.com or http://www.yahoo.com are typed.  While not 100% foolproof, this would be 99% foolproof and if somehow it turned off prematurely, Sallie could just try again.  If Joe and Maria cleaned the stuff off of there then it’d be game over temporarily, but it’s doubtful.  And once Sallie has the password, she can get into the email and do all sorts of things to help ensure the Maria’s computer gets reinfected.

Again, I ask you, if you were the target, how would you fare? If someone had a keystroke logger on your machine, what would they be able to discern? If they had all your email passwords, what would they be able to find?  If they saw your new passwords after you changed them, are you still hyper vigilant about checking the IP Addresses that access your accounts? What about the  PDF exploit? Would you think much about it if you got a blank PDF? What if you aren’t in a court case or criminal case.. well, do you think there aren’t criminals out there who’d love to clean out your bank accounts? If they had all your challenge question responses and passwords, what could they do?  Ask some of the victims of DB.Singles.Org who had their Paypal accounts drained (all b/c they reused passwords and ONE SITE THEY USED had weak security measures. Wanna bet at least one site you use has equally lame security?)

Take this stuff seriously and guard yourself against it, whether its a court case or your banking information, you don’t want to ever let yourself fall victim to this, especially when it’s so easy and essentially free to protect against. Spyware and malware are rampant and if you don’t take the responsibility for counter proliferation of spyware and malware on your machines, don’t expect anyone else to either. I know I make a lot of counter proliferation jokes but when it comes to proliferation of spyware, it’s not joking matter. Counter Proliferation of Dog Poop on the other hand, is definitely a joking matter – in fact, while Sarah and I were out at Dinner last night, we had a ton of proliferation  going on.

I have had a few people ask about consulting for them. I’m pretty busy but do have some availability to do assessment, audits and create a strategy to protect yourself with.  Contact me at blogcommenter@williamgryan.com to discuss this further. I’d be glad to help out with basic stuff for free, so feel free to post comments and I’ll do my best to answer them. If it’s more involved and will take some time, then just email me at the address above.

LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE.  ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL SO ANY SIMILARITIES ARE PURELY COINCIDENTAL)

This post and all others on this site are subject to the current Copyright as well as the Sites Terms of Use. Any reproduction, duplication or publication without express written permission from the author is strictly prohibited.

[tags]Email Security, Keystroke Logger, Internet Privacy, Internet Security, db.singles.org, Kevin Mitnick, The Art of Deception[/tags]

Bruce Schneier posted this earlier today and my draw hit the floor:

I really don’t know where to begin. Lock My PC 4 bills itself as a “better way to lock your computer”. The main product pages describes it as follows:

Lock My PC™ is an easy in use, powerful and compact tool to lock your computer from unauthorized use. When you leave your computer unattended, the program disables the hot keys (including Ctrl+Alt+Del), mouse, locks CD/DVD ROM doors and displays a lock screen. Nobody can access your system without providing the correct unlock password.

Unlike another similar computer lock software that cannot lock Ctrl+Alt+Del on a computer running Windows XP, our Lock My PC runs own keyboard driver to block such key combinations. Moreover, bulletproof startup lock guarantee that when your computer locaked at startup, this lock cannot be bypassed even in safe mode!

Why Lock My PC ?

You don’t like snoopers. They are always prying into your e-mail messages, programs, data, files, etc. Lock My PC allows you to lock your computer with a password while you leave it unattended. You can lock your computer manually, with a menu or hotkey, or set up auto lock when your computer is idle.

Hmmm, I guess one could overlook one typo on a corporate page, but looking through this, there are quite  few.   That alone might lead you to question their attention to details, something that’s absolutely critical for security software.

“Well Bill, they are probably from another country where English isn’t their first language. So just b/c they don’t have perfect grammar, it’s not fair to assume they are careless elsewhere.”

I buy that argument in principal, but either way I’d say it would make me look really carefully for other signs of carelessness. It might be unimportant b/c after all, English isn’t their first language or they’re computer scientists not English professors. 

This should clear up any confusion one might have as to how seriously they take security:

From: Bugs NotHugs <bugsnothugs () gmail com>
Date: Wed, 7 Apr 2010 04:23:55 -0600

---

Vendor: FSPro Labs [http://www.fspro.net/]
Product: Lock My PC 4 [http://www.fspro.net/lock-pc/]

---------- Forwarded message ----------

[request for help on locked PC]

Hello,

Please try engineering password:
19740619

Best regards,
FSPro Labs Customer Service

Technical Support  -- support () fspro net
Sales Department   -- sales () fspro net
Information Center -- info () fspro net

The support forum isn’t secure, anyone can browse directly to it.  And if you did, you’d be able to access a Master Password for their product that will let you unlock any version of it.  And I don’t mean unlock as in licensing – I mean Unlock as in Circumvent precisely what this product is supposed to protect against.

This would be patently irresponsible for a software company that sold software that had little in the way of security implications.  For a company that sells a security solution, it’s a sheer and utter disgrace.

I know people make mistakes. I know tech support people have high turnover so you frequently have new people with little product familiarity. I know tech support guys get gunned at all day by rude, annoying and/or idiotic people and often are willing to do anything to make customers happy.  But for this to happen, several things must be in place.

First off, the company has a “Master” password for all of their products. This isn’t item dependent (which would still be bad. Would you still consider buying this product if you knew up front it had a backdoor in it?). Any disgruntled former employee could access it, put it on the web or do God knows what else with it. Next, the password isn’t even kept very secret. If you’re going to have something like this which could expose all of your trusting customers to serious breaches, you should at least safeguard the hell out of it (although I’d maintain you shouldn’t have it at all). Next, the tech wasn’t apparently trained well enough in security to even realize what he was doing was ‘really irresponsible and dangerous.  And no one up the chain of command apparently reviews what their people say in the support forums so it’s stayed up there for a while. You might argue this isn’t necessarily true, it’s possible a higher up reviewed this and found it ok.  That’s certainly true. But if it is the case, it’s infinitely worse than them not reviewing what their subordinates are doing.  It’s one thing for a new low level support tech to make a mistake like this, if anyone who’s been there a while or has any position of authority were to do this – they don’t deserve to be in a position of trust like this.

Sadly, this doesn’t surprise me.  It was just a few months ago I know of a commercial web site that was breached by employing a SQL Injection Attack.  Mind you, this was in 2010.  How anyone can leave an injection vulnerability open after all the publicity is beyond me.  I also know of quite a few companies that do the same thing as this, some of which deal with very sensitive data.  They use master passwords (some even use SA and ‘password’ or the company name ) for all of their apps.  Many don’t ever change passwords, even after employees who knew them are terminated or leave.  And some of them even tell clients the master password, just b/c it makes tech support easier.  I don’t know what’s worse, a security oriented software company or a software company that handles private data for the government/banks/hospitals.  Either way, there’s no excuse for this.

IMHO, this will be the biggest impediment to cloud computing. At first, everyone will be thrilled by the simplicity and value.  Then there will be a high profile breach and many people will second guess the whole thing.  If there are enough high profile breaches, adoption of cloud computing could be seriously hampered.  Having worked or consulted with many software companies and having many friends who do the same, the sad truth is that stuff like this is the rule rather than the exception.  It’s almost always driven by laziness or ego (“No one is ever going to attack our stuff, how would they even know where to begin” or my personal favorite “It’s on an INTRANET, so we don’t need to worry about security”.  Think about the DB.Singles.org debacle (and think about how they ‘responded’)

Ms. Andrea R. Mitchell; Mrs. Carol Wilk Roubal; Mr. Christopher M. Mitchell; Ms. Claire E. Mitchell; Mr. Gregory Allen Mitchell; Mr. James Alexander Mitchell Andrea S Lootens Andrew Alfano Andrew Burdi CPM Andrew Cinque REALTOR Andrew D Sicko Andrew Dirga Properties Andrew Giancontieri REALTOR Andrew J. Fama Dr. Ivan Roubal – Chino Hills, California; Dr. Glen Rouse – Loma Linda, California … Dr. Andrea Rothe – Johnson City, New York; Dr. Lewis Rothman – Valhalla, New York Andrea Brose Cindy Roubal : Rufa Mae Quinto Gabrielle Lazure Ellen Ten Damme Keira Knightley Rachel Scorgie : Seana Ryan Laia Marull Jacqueline Pöggel Alex Andrea —Juliette Andréa —Janice Andreas —Starr Andreeff —Lydia Andrei —Ursula Andress —Julie Andrews —Brittany Andrews —Jacy Andrews Andrea Boykowycz, USA Andras Szigeti, Hungary Petr Roubal, Czech Republic Zoltan Vass, Hungary Taras Slobodyanyuk, Ukraine Vitaliy Levchuk, Ukraine

[tags]Security, Software Backdoor, Lock My PC 4, Bruce Schneier[/tags]

Over the years, I’ve received a good 100 or so requests from people seeking help to break into an email account or someone’s computer.  Without fail, I never knew the people and they found me via Google.  They never bothered to read the pages which the links pointed to b/c the referrals were almost always articles I had advising people how to NOT GET HACKED.  Most of the cases involved teenagers typically looking to find out if their boyfriend/girlfriend was cheating on them, wanting to get even with someone who they claimed was doing evil stuff to them or something along those lines.  A few cases were people involved in court cases looking to get dirt on their baby momma|daddy or former spouse by going through their computer or getting into their email.  Google or Bing must have indexed something I wrote recently b/c I’ve gotten two such requests this week.

Now, I’ve never once written an article or anything explaining how to hack into someone’s machine.  I’ve never once discussed how to breach someone’s privacy.  I’ve went out of my way to teach people how to AVOID this. By comparison  I’ve received probably 50 emails over the years from people asking me to help ensure they don’t get hacked or get rid of malware or spyware (then again, I’ve received a ton of comments so that might explain the disparity). 

So I decided that maybe if I write a HOW TO Article explaining how you would go about hacking someone’s email or computer, maybe that’d serve to help people counteract such measures. Before I continue, I want to warn you that in most cases, hacking into someone’s account is illegal.  Whether or not it’s illegal, it’s arguably immoral and certainly uncool.  I’ve heard all sorts of excuses from “My boyfriend is cheating on me with this girl who I think has herpes and he doesn’t wear condoms and I need to find out if he has it” to people trying to justify it by claiming their baby momma is abusing their kids. People  always have supposedly ‘good’ or ‘necessary’ reasons for breaching other people’s privacy but it’s almost always little more than rationalizations.  So let me be clear, I don’t condone hacking and I don’t condone violating people’s privacy.  I’m going to make my central points here without giving details precise enough to help you hack say, someone’s AOL account but will give you enough information to protect yourself. This isn’t a definitive work by any means but is typical of how you’d get attacked – so pretend the person in question is YOU and think about how to protect yourself.

BEFORE I CONTINUE, LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE.  ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL SO ANY SIMILARITIES ARE PURELY COINCIDENTAL)

Let’s come up with a typical scenario along the lines of one I’ve heard (and for the sake of argument, we’ll assume it’s a legitimate case of needing to get the information at hand).  Say Joe and Sally were married with two children, Joey Jr and Sandy. Sally has primary custody but Joe gets weekend visitation.  Sally’s a great and caring mother and Joe is the exact opposite. And no such story would be complete without an evil step-mother.  So let’s say Joe recently married Maria, the evil step-mother.  Joe recently started a suit against Sally to get his custody agreement changed wanting more time so he could pay less in child support.  Joe’s new wife is really awful to the children and while Joe used to just be a negligent father, he frequently throws his kids under the bus to keep from getting in trouble. If he keeps Maria’s the focus on them, he stays out of the crosshairs.  Sally is horrified at the thought of Maria having more time with her kids and a huge ugly mess ensues.  Maria and Joe start a vicious campaign of lies and distortions and are pulling out all the stops in trying to smear Sally.  Sally *knows* from things her children tell her that Maria is an awful person and does a lot of awful things, and that a lot of it is documented in her email account on AOL or Yahoo.  How should Sally proceed?

Sally needs access to the computer but being a loving mother, would never do anything to involve her kids.  While the kids hate Maria and want to do whatever they can to help, Sally is hesitant to let them even be remotely involved b/c they shouldn’t be in the middle (and if Maria caught them spying or anything, she’d certainly punish the kids ruthlessly).

The first thing she could do is try to guess the Password for Maria’s email account. She could navigate over to Yahoo.com or AOL.com, type in Maria’s email and guess at her password.   Since she’d almost certainly get it wrong, she could select “Forgot my Password” which would initiate the Password reset policy. She knows enough about Maria to answer all sorts of background questions (and the kids certainly could help).  So is this worth a try? Categorically NO.

Why?  Ask David Kernell.  He used this technique and was completely successful.  But it caused some major complications.  However in Sally’s case, it could be a lot worse. Here’s just a few of the problems:

1. If she can’t guess the password, Maria will almost certainly be notified that someone was trying to get into her account. Maria will then likely take much more precautionary measures making any future successes much less likely.
2. The Provider may not let you change the password, it may simply send the new email or a reset link to whatever account is listed in the profile.  This will have the same end result as Item 1.
3. The provider will very likely log the IP Address. Whether its changed successfully or not, Yahoo or AOL may send her an email with the IP Address of the attempt.  If so, Maria will not just know someone was trying to get into her account, she’ll know it was Sally
4. If she gets in, she won’t know the original password.  So the next time Maria logs into the account, she won’t be able to get in.  In such a case, each of the previous items is likely to come into play.
5. Logging in with the Password if you have it is legal, even if the person hates your guts. If you have the credentials, you can get into the account.  But using means such as this or pretending to be someone you’re not (like Sending an email to MyRealBox.com pretending to be your ex-spouse) is not legal and as such, Sally could fail at getting any new info, and give Maria all sorts of ammunition to attack back with

So the first countermeasure here is DON’T ANSWER YOUR CHALLENGE QUESTIONS WITH REAL ANSWERS.  Instead, come up with some canned answers that you know are fake.  If you went to Kiski Prep high school, answer ‘Highlands’ as your high school if asked.  If your fist pet’s name was Spot, answer with the name of the current pet you have. Whatever you do, make sure you use fake answers.  Then pick easy questions that an adversary would likely think they could answer.  By doing both, you’ll egg them into trying to access your account. They’ll fail.  And they’ll likely keep answering over and over sure they have the correct answer and that you’re just spelling it wrong.  They will have a lot of fun trying to convince a jury that they ‘accidentally’ repeatedly put your real high school’s name in the answer box. 

For Sally, the lesson here is DON’T DO ANYTHING ILLEGAL. And forget about trying to guess a password or brute force someone’s password.  It will very likely fail but in this case, Success could easily be much worse than failing.

The next thing Sally might try is having the kids look over Maria’s shoulder and guess her password.  Or she could ask the kids to try to get Maria to give it to her (“Maria, I need to log onto the computer to get my homework assignment, can you just give me the password for now?”) Most people reuse passwords so if you get one of their passwords, you’ll likely be able to use it other places. And even if not, they’ll likely use that password as a basis for another password.

This approach is a complete loser too. Here are a few reasons why:

1. It involves the children.  Any parent that intentionally sticks their kids in the middle of such disputes is an a-hole.  You might need to win, but you never need to win so bad you stick your kids in the middle of it
2. If Maria gave them the password, and then you used emails from that account, she’d almost certainly put two and two together and the kids would pay in blood.

Unlike the last approach though, if she reused passwords and she just gave the kids the computer login, you’d be set. You’d have the correct password so you wouldn’t be hacking or pretending to be them.  Unless you deleted messages or did something obnoxious, Maria would never know it happened so from a technical point of view, it’s much better than the previous method.  But it involves the kids and using your kids as a human shield is just plain f****ed up.

Here’s one last approach, which is precisely what I’d use if I was ever to go over to the dark side, sell my soul to the devil and go for broke.

Sallie could buy or have a software developer friend write her a Keystroke logger.  The logger would hopefully be sophisticated enough that it wouldn’t show up in the task bar, that it wouldn’t show up in task manager either and that it would execute transparently. Ideally, it would be able to remotely send the results to a pre-specified email account.  Here’s a few aspects of how this would work:

1. The logger would be as invisible as possible not showing that it was executing anywhere.
2. If it had to show up in Task Manager, it would use a clever name like “MS Search Indexing” or “McAfee Virus Scanner” (particularly if you knew that they used a specific brand of spyware detectors). Just adding a space in a program name is enough to differentiate it while making it ‘look’ like something legit. Svchost is always a good choice for a name – even though it’s not really a service.
3. It could be toggled off remotely and ideally uninstall itself if it needed installing in the first place
4. It could disappear and then come back to life
5. It would have to be able to be remotely installed
6. It would need to be able to transmit the results (i.e. email, ftp, http) somewhere else where it could be reviewed by Sallie
7. It would need to be subtle enough to not set off any spyware warnings

Pretty much any Keystroke Logger worth its salt would have all of these features.  Any developer with even a small amount of technical skill could write a tool like this in a day or so. Sallie would do something like this:

• She should set up a complete throwaway email account. If the Logger was able to do http or ftp file transfers, the same sort of thing should be done – have access to a throw away account
• When setting up the account, make sure nothing points back to Sallie
• Avoid accessing the account from her home or work. Instead, head to a coffee shop, or use a service like Anonymizer.  David Kernell can tell you why free public proxy servers aren’t the way to go unless Sallie is prepared to keep her mouth very quiet about it.
• Sallie should find a unsecured wireless router and sit in her car when she accesses the email account. Or she should use a Coffee shop or hotel wireless without stepping inside where the cameras can see you.  Even if they require passwords, this isn’t very hard to do (think really hard for a second about how you might do it. If you can’t come up with anything, watch the Mossad Assassination video and think about what they might do. If you still can’t figure it out, I’d highly recommend reading one or all of the following {I’d encourage reading each of them, particularly the Ostrovsky book either way). If she/you can’t figure it out after reading some of these, stay away from anything clandestine b/c you clearly have no aptitude for it.
  • By Way of Deception – Victor Ostrovsky
  • Spy Wars – Tennent Bagley
  • The Art of Deception – Kevin Mitnick
  • The Art of Intrusion – Kevin Mitnick
  • No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing – Johnny Long
  • How to be Invisible – J.J. Luna

Now, Sallie just needs to send Maria an email with an attachment that must be opened. If she thinks Maria won’t be that cunning, well, she could have one of the kids open up their email. Better yet, if Maria is the type of insecure sociopath who violates their kid’s privacy b/c of paranoia but justifies it as parental responsibility, this is the perfect setup.  Sallie sends the email with the program attached to it as an attachment to the kids. She instructs them not to open up the email anywhere but on Maria’s computer. She should give it a compelling name that she knows Maria will go crazy over and perhaps put just enough in the body of the email to set Maria off without going so far as that it could make her look bad.  Maria sees a Title to the effect of “Is the Monster Making your life miserable” and then in the body put “Honey, I‘ve attached the instructions on what to do If Maria starts anything with you this weekend.”  Seeing that, with the taunting title, Maria will almost certainly click on the attachment to see what it is.  Even if a warning came up, Maria would likely just click “Ok” b/c she’d want to see what was in the document so badly.  This would be perfect for a Word Macro or something similar and inside the document, having something like “Just kidding” or Sallie’s home phone number with nothing in it that anyone would get excited over.

I could write volumes on how to get Maria or her counterpart to open the email but I won’t.  That’s where it crosses the line in my book so I’ll leave that up to you (rather, I’ll let you think about this for a second and think what you might do. Would you open it?  Most people would.  So keep that in mind when opening attachments, even if you think they’re legit.  Viruses and malware are only spread b/c of ‘trust’ – so think long and hard about how and why you trust things that you receive via email).

Here’s where things get fun. Sallie should now wait a few days  before retrieving the results. In fact, she should ‘make sure’ that Maria checks her email. She could for instance, send something of a legal nature or something she knows Maria would want to know about.  She could call beforehand and say “I sent you _________________________”  That would give her a time frame among other things to check against in the results dump (those things can get pretty big).

After waiting a day or two, she should now retrieve the results.  If she finds what she needs, she should immediately deactivate the logger at this point. Not uninstall it but deactivate it.  At this point, she should look for any string that has “AOL.com ” in it.  Since she knows Maria’s email address, she should look for that too.  If she sees “AOL.com” followed by “bluemaria007@aol.com” (this is a made up address – or at least I hope. If there is a blue maria 007 please accept my apologies in advance).  Sallie can be pretty confident that the password is the very next string.

She should go test it out once she thinks she has it. If it’s wrong, she should never try more than once in a 30 minute setting. Yes, I’m sure it takes more to lockout most accounts, but why push it. Patience is your friend here.  Once Sallie is in, she could elect to uninstall the Keystroke Logger , which would get rid of any trace of it. The downside is that if it’s discovered, it’ll point back to ‘her’ email address. If she followed the steps above, then not much could come from it but it would put Maria one step closer to finding out what just happened. So it’s best to just remote remove any such information if she was going to leave it installed but deactivated. There’s a gamble at this point.  The quicker She uninstalls it, the less lower the odds that it’ll ever be discovered. On the other hand, if she needs it b/c Maria changes her password or anything, she’ll need to get it reinstalled.

The Logger approach has some other benefits.  Not only will it let Sallie see passwords, she’ll see everything Maria does (and anyone else on the computer). Maybe Maria has a pr0n fetish. Maybe she’s cheating on Joe. Maybe she engages in cybersex. Maybe she’s doing something else she shouldn’t be.  The Keystroke Logger would let Sallie know about ALL OF IT.  Maybe Joe is doing some stuff he shouldn’t. Whatever the case, if they’re doing it on the computer, Sallie will know.

What should Sallie do now?

1. Use the Search feature and search for “Sallie” and each child’s name individually.
2. Search for her Last name (which may produce too many results if it’s still the same last name as Joe)
3. Search for sexual terms
4. Search for common drug names
5. Search for “affair”
6. Look at all the correspondence between Joe and Maria. Are they fighting? If so, what are they fighting about?  This will likely prove to be very useful later on.
7. NOW, SALLIE SHOULD LOOK THROUGH THE SENT ITEMS FOLDER.  She will likely find things that are YEARS old b/c most people don’t clear out their SENT Items.  She should do the same for Deleted Items
8. She should search for any other email accounts Maria or Joe might have. 
9. She should search for Facebook, Twitter, MySpace etc and any other such accounts.  Since she likely uses the same password, she should try to access any of these and see if there’s anything helpful.
10. If she find another email account that doesn’t have the same password, she should wait until about 3:00 AM on a Sunday. She should go into that account and reset the password (while having this particular email open).  She can then reset the password for the other accounts and IMMEDIATELY delete any traces of information about the reset from the existing account. Maria will try to access one of those other accounts and  not be able to get in. But unlike the earlier scenarios, she’ll likely think it’s just a glitch, or that she forgot the right password or whatever. And with all the traces deleted, she’ll never have any idea. Even if she was told there was a reset, at this point, she’ suspects nothing so she’d likely think the email provider was mistaken. Sallie needs to make sure she deletes the item from the Trash though and any Sent Item emails either. If Maria happened to be online and watching her email, she’d see the new email come in then disappear. That’s why it should be done at a time when Sallie is sure Maria isn’t using the computer.  She could always do it while calling Maria to make sure Maria is on the phone with her (although this is far from foolproof).
11. It may be the case that Maria has other email accounts (like her work account) that have all sorts of incriminating information. If she’s in trouble at work, Sallie will know. If she’s stealing money, Sallie will know. If she’s trading on insider information Sallie will know.  If she’s having an affair with a coworker, Sallie will know. This could open up all sorts of doors so it’s not something you’d want to overlook.

Legally, Sallie won’t be able to use much of this as evidence. Depending on the state’s laws, the information may or may not be accessible. So if she admits to hitting the kids, or some other emotional cruelty, it may not be admissible.  However that’s irrelevant in many cases. If she was having an affair, Sallie could make sure someone notified Joe of the details. If she was engaging in cybersex or Pr0n, Sallie could drop Joe or Maria’s boss some of the details.  You get the idea.

At this point, Sallie could search all the Sent items and trash, find stuff years old as well as new material and just save each one.  Most people have all sorts of embarrassing stuff in their emails and if she’s doing something wrong/illegal/immoral, it’s a virtual certainty there’s some record of it on the computer.

Remember, Sallie didn’t just get her email. She know is likely to have Maria’s other email accounts, Joe’s other accounts, Passwords or account information she had saved as Drafts (Drafts are frequently a Gold mine), chat details, documents she wrote to the attorney – just think about how you use the computer. Imagine your worst enemy who you were in a court battle with had full access to it without you knowing.  She could come and go as she pleased. How would that affect you?

If you haven’t read it already, I highly encourage you to read my article on the Hacking of DB Singles.org aka Operation Jesus. There are many valuable lessons to be learned there, most of which I’ll review here.  I’d also point out that in the middle of the attack, I called the computer crimes investigator for a  Sherriff’s Department close to where I live.  This is the same person that was hassling me about something so absolutely silly no one would believe me if I wrote it. Yet in the middle of a huge hacking, where thousands of dollars were stolen, where child porn was being put up on people’s Facebook  pages, where all sorts of false ‘confessions ‘ were being made about rape, molestation etc by people pretending to be the account owners – no one called me back.  Almost all of this damage could have been prevented had law enforcement known or stepped in to intervene. I had full details of what was happening.  I’ll never know why he never called me back but I can speculate. I do know however that he’s been willing to spend quite a bit of time helping someone harass a private citizen (it’s never harassment when someone in Law Enforcement is doing it though – don’t forget that).  Actually, I’m sure that not only will he read this, a friend of his will once again violate my terms of use and he’ll say nothing. By his own words, his friend admitted to doing something that is unquestionably a crime but he did nothing about it.  I guess if the authorities agree with your motivation or don’t like the victim, it’s not a crime either.  Even though I haven’t identified any names and didn’t disclose any details – I’m betting that once he reads this I’ll be questioned or arrested (b/c it’s no secret he’s just dying to arrest me for something).

I bring up the Singles.org incident for two reasons. The first is that it shows you how vulnerable many people are and they never know it. It illustrates how just doing a few small things resulted in a huge difference with respect to how much exposure people had. Some people only had their Profile pages defaced, others had thousands of dollars stolen via Paypal, had their Facebook pages hacked or had people make horrendous confessions from their email accounts – confessions which were about criminal activity in several cases and were completely untrue.

If these people would just not REUSE PASSWORDS, their exposure would have been limited to the Dating site. If they used Dummy Email accounts for public profiles they would have faced no real exposure.  In addition, you should remember to never ever ever ever open attachments unless you’re beyond positive that it’s something you want.  You should always check with the sender. In the hypothetical above, the sender would have verified that she meant to send it, but remember that it was a plant the whole time. If Sallie would have sent Marie the attachment, it would have been received with much more suspicion. You should remember that someone else could do something naive or stupid and you could still be at risk.  You should think long and hard about what you keep stored in your email accounts.  You should think about what would happen if an adversary/enemy had access to everything you were typing.  You should be very careful about keeping virus definitions up to date and what processes you allow to run in Task Manager.  Think about how I described the Logger that I would write.  Would you notice another Servicehost.exe running?  You should also think about watching all traffic coming out of your computer and network.  You should delete everything from your trash as soon as possible. You should keep your Sent Items folder cleaned out. You should use multiple email addresses and always always always use different passwords (strong passwords that are markedly different from other ones).  You may consider using a Biometric reader for account access (at our house,we have finger print readers on all the machines.  You should pay close attention to the IP Addresses that have accessed your email (do you know your IP Address?  You should make sure you know your home and work IP Addresses and take any ‘strange’ items very seriously.  You might even do what we do… That is, I don’t check email from any of my machines. Instead I use a Virtual Machine that I do all my internet surfing and emailing with.  Even if they got a logger on my box, they’d be hard pressed to get much info out of it b/c as soon as I’m done, the Virtual Machine is SHUT OFF.

There’s always a tradeoff when it comes to security and that tradeoff comes at the price of convenience.  Until recently, I never had any enemies I’d be very worried about and the best defense is always to not have people gunning at you. Even know that I know someone is out to get me and I think they’re too crazy/ignorant/psycho to, i started taking security around the house a lot more seriously.  By not doing anything bad you greatly minimize the attack vector, but we all have things some things that are private that we wouldn’t want everyone to know (if one of your parents was dying for instance).  Since it’s a tradeoff, you have to decide where your comfort zone is.  Think about the Maria hypothetical I came up with above.  If Sallie did that to you, how would you fare? If you have someone out to get you , you should assume that they might be able to do just that.

Sun Tzu (and honestly, it was Sun Tzu, not the Godfather had a lot to say about dealing with your enemies. And one of the best ways to lose to your enemy is to underestimate him. You can take this to the extreme and lock yourself in a closet, but isn’t that giving your enemy a victory in and of itself?  Instead, you need to accurately asses the threat, look at the situation as objectively as possible (in fact, you should find some contrary opinions), make sure you’re not believing your own press releases and take reasonable precautions. In most cases, just making a few small changes or taking some very basic precautions is more than enough to safeguard yourself.

And just keep in mind, if Maria used a service like Privicy, she’d never have had these problems.  But I don’t want to shamelessly plug my own products in an article about security – I just mention it b/c in reality, it will solve almost all of these sorts of problems.

[tags]By Way of Deception, The Art of Deception, The Art of Intrusion, No Tech Hacking, Kevin Mitnick, J.J. Luna, JJ Luna, How to be Invisible, www.howtobeinvisible.com, Victor Ostrovsky, Sun Tzu, Email Hacking, Spyware , Malware, Online Privacy, Email Security, Keystroke Loggers, Db.singles.org, Singles.Org, Operation Jesus[/tags]

Again, just to reiterate:

BEFORE I CONTINUE, LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE.  ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL SO ANY SIMILARITIES ARE PURELY COINCIDENTAL)

To quote the inimitable Glenn Reynolds, faster please.

It seems like yesterday (well 2001 but still) that I got my first phone with Wifi Access. It was the T-Mobile “PDA” phone running Windows Mobile and I could actually browse the internet and check email.  The phone was a small fortune, the service was really expensive and it was slow.  But man was it cool and while it was slow, it wasn’t any worse than the ‘fast’ dialup I had in grad school that ran me almost $200.00 a month (it wasn’t actually Dialup, it was ISDN but was considered blazingly fast at the time).

Over time, speed got a lot faster and coverage got a lot closer to ubiquitous but until 3G came out, it didn’t really cut it.  Apple did the world a huge service by putting out the iPhone which forced Microsoft (not to mention new competitors) to up it’s game.  We no longer had to suffer with non-javascript enabled (and I use that word lightly) IE 4.  4G is here and while it’s still a relative novelty, things have changed dramatically in just a few years time.

Quantum broadband is a whole different ballgame.  It’s not just that it’s fast, I mean, we’ve been seeing things get faster and faster at a consistent pace. It’s that it’s SECURE. Most people won’t appreciate this but it’s a huge deal.  Most people still don’t realize that email for instance, isn’t even remotely secure.  When you send an email, unless you encrypt it, you and a whole bunch of other people (some of whom may not be friendly to you) can read everything you write.  There are a ton of unsecured routers out there.  Most folks have no idea that a neighbor or someone sitting out near your driveway can see everything you do in many cases.  So hearing that their connections are encrypted won’t mean much.

But from a security perspective, to call it revolutionary would be the understatement of the year.  We’ve had secure communication for a while, but it involves using https or VPN tunneling – we’ve never had asymmetric encryption available by default. And that’s largely b/c there’s a decent amount of overhead associated with encrypting and decrypting everything.  Bandwidth is at a premium and on devices such as phones, processor cycles are equally valuable.  So adding on the overhead to secure the channel by default was something that just wasn’t a tradeoff most people were willing to make (at least until they got involved in a court case or something, and found out the other side was reading everything they wrote or visited, then security becomes something they’ll bother with – imagine that your opponent in a legal case or your prosecutor could read all of your email – that’s precisely what happens frequently and many people never even know).

As my readers know, my new venture, Privicy is designed specifically to address weaknesses in communication security.  Quantum broadband is a perfect compliment so far from being something I’d fear b/c of the competition, it’s something I’m extremely stoked about. The world takes security way too lightly.  People don’t pay attention to securing their data. So they often leave themselves exposed or leave their data open to prying eyes. Then, when someone sees that data, they cry foul (or worse and claim they were hacked).  There’s so much rampant stupidity around this whole issue that the mere existence of quantum broadband, imho, will start bringing these issues to light.  Very few people would leave their car doors unlocked when they head to a mall or leave their doors open to their house.  Yet this is precisely what they do with their electronic data.

Having fast and secure broadband means  a higher level of security by default. This won’t mean people can abdicate their responsibility for securing their own data and resources, but it makes it that much harder for the bad guys to snoop on things.  Which would qualify as the understatement of the year had I not just made it a few sentences beforehand.

[tags]Quantum Broadband, Broadband, GPRS, Encryption, Public Key Encryption, Asymmetric Encryption, Privicy[/tags]

This was a busy weekend indeed.  Kim’s heading out to Microsoft for the week so I’ve been trying to get everything in order before her trip.  We have a major release at work at the same time and I was in charge of building a pretty large feature (Enterprise Search for our applications).  I’ve learned more about Sql Server Full Text indexing, Solr.net and Lucene.net than I would have imagined and I’ve enjoyed it thoroughly.  I got the side benefit of getting to use WCF for the service facade so my WCF game is stronger than ever.

I’m simultaneously trying to get Privicy ready to launch and things are going well there.  There is a pretty in depth WCF Service infrastructure backing Privicy and I’ve updated some of my personal services I run at the house.

I’ve updated both the EvilDevilCuckooBot and the Roubot with tons of new features.  The EvilDevilCuckooBot and Roubot both have Authentication using OpenID now and I’ve wrapped a few other features in them.  The EDC Bot is the type of thing that’ll likely get me in trouble so I’m not releasing it publicly yet but I’ll have the Roubot back up on CodePlex later tonight.

The Roubot will now let you use TOR to make your requests and I’ve got some other IP goodness inside of it (You’ll have to look for yourself if you want to see).  I’ve got the Enterprise library Crypto library wrapped up as well.  It has an updated Disenvoweler which can integrate with WordPress 2.9.x. Probably the coolest feature supported by the latest version of Roubot is the duplex chat which is fully encrypted. It’s nothing amazing in terms of functionality, secure chat is hardly something new but it’s easy to use and from a WCF POV, there’s some neat tricks in there.  Privicy is all about supplying secure, confidential communications which can’t be repudiated but it was always an email based approach.  A good friend suggested that many chat users could benefit from the same functionality so I added it in.

Together, the Roubot and EvilDevilCuckoobot encompass most of the services I’m employing on Privicy – but I’m making them available for free. Coupled with the Tor/Proxy support, I think anyone interested in secure communication will like them.  I’ll update this later tonight with source code and if you’re interested in beta testing, drop me a line.

(And yes, for those more astute readers, I did use the Roubot to post a blog post about the Roubot – recursion at its finest)

[tags]WCF, Windows Communication Foundation, Sql Server Full Text Indexing, Solr.net, Solr, Lucene, Bots, Roubot, EvilDevilCuckooBot[/tags]

Being the optimistic fellow I am, having a great week is nothing unusual.  Last week was so amazingly good I thought it would be ages before I had another one that good.  Then Monday came around and things have just kept getting better.  I didn’t think anything could top yesterday, and well, today somehow managed to do so. 

In the course of 24 hours, every sucky thing in my life went away (ok, not totally away, but away enough for my taste – Metaphorically, I’d liken it to getting cured of Ebola, except Ebola is nowhere near as fugly, dresses better and is infinitely more pleasant to be stuck with).

I’m back to being able to focus on value added activities now which among other things involves the launch of my entrepreneurial dream – Privicy.net (it’s just the default MS landing page now but the beta will be up in two weeks). I’ve already managed to learn more about .NET 4.0 and WCF than I could ever want but this has forced me to learn a lot of things I always avoided, like front end work.  One of the coolest things I’ve got to work with is OpenID. I’ve also been able to work with Andriod development quite a bit which was getting really cool – until the Windows Mobile 7 SDK was announced.  I guess now it’s bye bye Java and hello Silverlight. 

I’ve already received a ton of interest over Privicy and I need to have it done by May 2, 2010 or I’ll lose out on a good bit of money.  I’m going to try to , where possible, post some of the cooler stuff that I came across while developing the site.

Anyway, I’m back and have a lot of content ready to go – I’m going to brave the Upgrade to WordPress 2.9.2 and get at it.  Considering my luck with WordPress Upgrades, I need to do it this week while life is smiling so favorably upon me

Read on…

[tags] GSM, Encryption, Snooping, Cracking[/tags]

It’s well documented that we can’t cut taxes without cutting vital government services.  There’s no waste in the government and they are very careful with our tax dollars.  And we know that private corporations are run by greedy bastards whereas government agencies are run by altruists.  Somehow, the mere act of receiving a paycheck from the government instead of private sector makes one immune to greed, avarice and most other vices afflicting the private sector (I can’t believe I wrote that without barfing).

When a private company does something, directly or indirectly if you will, that hurts private citizens, there’s never a shortage of opportunist politicians wagging their fingers and promising that the bad guys get their due. When it’s a Senator/Congressman/Governor/President that does it, an Ethics Committee is convened and the person is almost always cleared of all wrongdoing (unless his crime is politically incorrect.  Stealing money and taking bribes is almost always OK).

What’s really offensive though is how things are handled when the government’s actions hurt people.  Every year hundreds of thousands of people die or suffer needlessly b/c the FDA won’t allow them access to experimental drugs that might kill them.  The US Government says Pot is bad but pretty much makes research to support or refute this claim illegal.   Virtually every major aspect of the housing meltdown can be attributed to government action.  Milton Friedman’s Free to Choose catalogs a ton of such instances and that book was written way before any of this housing nonsense.

So in the latest instance of government incompetence that would lead to arrests if a private sector company did it on their own…

The US government is huffing and puffing about the evils of governments that spy on their citizens.

Obama administration issued statements of support for Google, and members of Congress are pushing to revive a bill banning U.S. tech companies from working with governments that digitally spy on their citizens. [editor’s note:  I have no doubt that if the other party was in power, their position would be no different]

I commend them on their support for the non-ruling members of the world and I share their outrage.  There’s a problem or two though::

The 1994 CALEA law required phone companies to facilitate FBI eavesdropping, and since 2001, the NSA has built substantial eavesdropping systems in the United States. The government has repeatedly proposed Internet data retention laws, allowing surveillance into past activities as well as present

CALEA, also known as Communications Assistance for Law Enforcement Act had a pretty noble purpose no doubt, but the implications seem pretty, uhhh, Orwellian? Totalitarian? What do you think Stalin, Mao, Chavez or Castro would think about such a law compared to say a Churchill or a Ghandi?

CALEA’s purpose is to enhance the ability of law enforcement and intelligence agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time

Then there was that pesky CARNIVORE (And to think that Taxpayer money was used to pay someone to come up with such a ‘brilliant’ name. It’s amazing that it didn’t receive a warmer welcome with such a friendly name, non?)

After the dust settled from the Carnivore PR disaster, the best and the brightest decided to soften the image of their totalitarian snooping initiatives and Total Information Awareness was born.  Just to be clear, these are a few of many such power grabs.  So pretty much every time you turn around, our government, just like the governments of most other countries, tries to come up with some new way to snoop on its citizens.

Sweden, Canada and the United Kingdom, for example — are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.

They keep trying and wait for the right moment to claim such intrusions are necessary.  (For the record, President Bush SIGNED the Patriot Act on October 26, 2001. That means it was written, debated, voted on and confirmed in 6 weeks and 3 days.  It was introduced to the House of Representatives within a week of 9/11.  Check it out for yourself.  Do you really believe that it was all written After 9/11?  Or was it already sitting around as a solution waiting for a problem?) 

So we sit here today with Congress in high dudgeon about the Chinese Governments snooping and we’re ready to really stick it to any government that spies on it’s citizens, yet these same people demanded that companies like Google put backdoors into their software so the government could spy on its citizens.  And because of that mandated back door, Chinese Hackers were able to infiltrate Google’s Gmail service and retrieve who knows what.  This cost Google substantial embarrassment and G*d only knows how much in monetary damages.  Who does Google call to get their reputation or money back? (And for the record, I’m not a huge Google sympathizer – it’s just in this case, I think they got the shaft pretty bad).

While we’re taking a trip down memory lane.  Do you remember the early days of the internet?  Remember any time you installed most major software there was all sorts of text making you promise you wouldn’t export anything that contained encryption?  Remember International Traffic in Arms (ITAR) Regulations?  Do you remember Phil Zimmerman?  This is a prime example of what happens when people who DON’T UNDERSTAND TECHNOLOGY DIRECTLY OR INDIRECTLY , TRY TO LEGISLATE IT INCLUDING BUT NOT LIMITED TO WRITING INTEROGATORIES, OR LEGAL PROPOSALS, BY YOU.  In a nutshell, ITAR made it illegal to export strong cryptography.  Here’s the genius part of it:

You could write the source code that built the cryptography and send it out of the country, even directly to a known terrorist and not break the law.  You could put it in a text file and email it and not break the law.  You could send the source code, a compiler and instructions on how to compile the program and still not run afoul of ITAR.  But if you compiled the source and transmitted it to a specific list of actors, even if you did so accidentally, you were now a federal criminal.  To show how stupid this is, I downloaded the source for PgP along with an old Borland Compiler.  It took me a total of 6 mouse clicks (Open the program, File->Open->PgpSource-Select All-Compile) to build the application to make the program in question. If you include creating the email, downloading the instructions and attaching the compiler, the whole process takes less than 20 mouse clicks.  So we made something a FEDERAL CRIME and a damn serious one at that (try to get hired with “I Broke federal arms trafficking laws” on your record), where the threshold between completely legal and federal criminal was < 20 mouse clicks.  God knows no bad guys would ever know how to download source code or install a basic C, C++ compiler.  It’d be the hitting F5 that would throw them. 

So we have repeated examples of the government screwing up (and as Friedman pointed out, in many cases causing screw ups that lead to lives lost) over and over again. We know that many in the Prison Industrial Complex sit around waiting for an opportune time to get around the Constitution.  We know that Congress often doesn’t read the text of legislation they vote on.  We know many of them don’t have a clue about technology (and in some cases, ideas so utterly stupid most people couldn’t begin to understand them).  Tell me again why we are so willing to let them make laws related to technology?  (Or much else for that matter)

[tags]Total Information Awareness, CARNIVORE, PGP, Phillip Zimmerman, ITAR, International Traffic in Arms, Google – China, Chinese Hacking of Gmail, CALEA, Milton Friedman, Cryptography, Patriot Act  [/tags]

Thank God people write articles like this that clearly explain things instead of sensationalizing them.  Then again, if everyone in America read articles like this, the technology reporters at media outlets would be out of jobs. 

This article is great for many reasons and is a very informative read for many different audiences.  Experienced developers will appreciate the way he explains the issues even though they (better be) should be familiar with the subject matter.  In it, he covers the following:

• SQL Injection
• Cross Site Scripting Attacks
• Cross Site Request Forgery
• Remote File Inclusion
• Phishing
• Clickjacking

For non-technical people, there’s a good explanation of big picture stuff and has some easy to read graphs explaining security problems.  The advice provided is useful but I have a few things I’d add (probably a good idea for a blog post)

Hat Tip:  Bruce Schneier

[tags]Internet Attacks, Internet Security, Sql Injection, Cross Site Scripting, Cross Site Request Forgery, Remote File Inclusion, Phishing, Clickjacking, Bruce Schneier[/tags]

I wouldn’t have.  Bruce Schneier links to an incredibly impressive skimmer that was recently found live, in use, in California.  Check out the pictures and think about whether or not you’d suspect anything funny. And even if you do catch  it, read the whole article and consider if you caught every aspect.   Like Schneier says, he didn’t catch any of it either, and that’s the whole point.

[tags]ATM Skimmer, ATM, Bruce Schneier[/tags]

Say it ain’t so:

Former FBI agent Mike German, now a terrorism expert with the American Civil Liberties Union (ACLU), said that using the Terrorist Screening Database (TSDB) of 400,000-plus names to screen airline passengers was not realistic, and added that it was “fundamentally ridiculous” to think the list was not flawed.

 

The more I’ve read about these watch lists, the more absurd I’ve found them to be.  Bruce Schneier is absolutely right about this (and pretty much everything else), this is all just part of security theater. By the government’s own admission, a misspelled name is all it takes to get you on or off of the list improperly (well, overlooked is probably the better way of saying it). Now that the cat is out of the bag, I’m guessing that most future attempts will employ some version of intentionally misspelling of names.

The two big problems I see are as follows (other than of course, there’s not much evidence these things work. They flag grandmothers with no criminal history, they let known terrorist walk by).

1. Intel isn’t all that great when it comes to aspiring terrorist, particularly in the countries where we need it most. If we don’t know of the person, they’re not on the list.  It’s not like every terrorist has a Facebook page or anything, and it’s not that hard to stay under the wire. Additionally, it seems that in many cases, radicalization happens pretty quickly.  There’s a good chance that whoever the next one will be, he will have recently become radicalized.  So it’s very possible he’ll be off the grid. 
2. False Positives, False Negatives.  We’ve heard countless stories about people who are incorrectly put on these lists and have nightmarish experiences each time they try to travel. That’s bad and it’s a huge waste of resources. What’s worse, if these people protest or get mad b/c they shouldn’t be on the list, they run the risk of retaliation from govt employees.  Trust me, there are definitely some people working for the govt who are vindictive, evil and petty enough that they wantonly use their position to hassle people.  I don’t want to downplay this but it’s not nearly as bad as false negatives.  Even though I’m 75% Czech, my father is Irish and I have an Irish Surname.  In undergrad, there were 6 different William Ryans and two different William G Ryan’s. And that was at a very small school.  Ryan is a very common Irish Surname so assume someone with the same name was an IRA terrorist. How many other people with the same name would crop up (answer:  Lots). Just like getting 1 trillion results on a Bing Search, too much information makes the results next to worthless. What about Muslim names, say Muhammad?  The same situation ensues.  Add in the State Dept’s admission about misspelled names and you have a whole lot of room for people to slip through the cracks

I’m not the first to note it, but only with government does a monumental screw up mean you get more power.  Only in govt does a screw up get ‘cleaned up’ by the same folks that caused the screw up.  We’ve made DHS and are we really safer because of it?  We had to unionize Airport Screeners like that’s really the problem here.  There’s so much done for political reasons it’s disgusting.  And so they come up with the favor for a constituency and retrofit the reason as something that will improve security. If you complain about it, you’ll hear brilliant arguments like “Can you say with 100% certainty that it won’t improve security” (when you hear an argument like that being made against you, rest assured you’re absolutely on the right side of the discussion.

This is all a waste, it’s stupid, it’s expensive and it distracts us from doing things that’ll work.  But hey, let’s trust them with our health care system too.  Make sure to read “Google is better than US Intelligence” it’s a real eye opener.  Although Google is also a lot more user friendly, a lot more competent and a hell of a lot cheaper.  Maybe we should just listen to Mr Schneier and be done with it, I for one would feel much safer if he was calling the shots.

[tags]Transportation Security Administration, TSA Watchlist, Watchlist,Google is better than US Intelligence,  Bruce Schneier[/tags]

From Instapundit:

STILL MORE ON THAT TSA/BLOGGER CASE. “Frischling told Threat Level that the two agents threatened to get Frischling fired from his KLM contract and indicated they could get him designated a security risk, which would make it difficult for him to travel and do his job, unless he identified his source.” I’m sure they wouldn’t have treated a reporter from a newspaper this way. But read the whole thing, including this evidence of top-flight talent at the TSA:

The agents searched through Frischling’s BlackBerry and iPhone, but couldn’t find anything from the source. The agents then told Frischling that they wanted to take an image of his hard drive. They went to WalMart to buy a hard drive, but when they returned, they were unable to get it to work.

Judging from the photo, TSA Special Agent John Enright doesn’t look like a guy who knows his way around a hard drive. The country’s in the very best of hands.

Of course, none of this can be true.   A federal agent would never try to have an innocent person fired from their job.  They would never file a garbage police report for a non-crime in an attempt to hassle an adversary. They would never abuse their position.  And God knows they’d never demand to see all sorts of private information that has no material relation to the matter at hand just so they could hassle and inconvenience someone.

Then there’s that last paragraph:

Judging from the photo, TSA Special Agent John Enright doesn’t look like a guy who knows his way around a hard drive. [ed. Bold Added]

You mean there are federal agents who have no clue what in the hell they are talking about with technology, speaking to technological issues?  Say it ain’t so.  OMG, and they actually put an Agent’s name in a blog post?  Doesn’t this blogger understand that  ‘He has endangered our family by posting information that is not publicly accessible [even though it all was] onto the internet …’?

[tags] TSA Subpoena, Frischling, John Enright [/tags]

I believe I was a college freshman when The Iceberg/Freedom of Speech… Just Watch What You Say came out. The Wikipedia Entry says it was 1989 but I’m thinking it might be off a little b/c I was a huge ICE-T fan, but who’s going to quibble over a few months.

One song in particular, titled not unsurprisingly Freedom of Speech, Just Watch What you Say was IMHO, one of the more brilliant jams.  ICE-T is a deep thinker and although I don’t always agree with him, I always respect him (and the things I disagree with him on are few and far between).  When it comes to freedom of speech, he’s about as awesome as Nate Hentoff IMHO.

So here’s what happened. The TSA put up a document that wasn’t classified or even secured.  A few bloggers got a hold of it and posted it online. It contained some ridiculous/outrageous stuff and the TSA got really butthurt over it.  Here’s the first part of Wired’s story on it:

Two bloggers received home visits from Transportation Security Administration agents Tuesday after they published a new TSA directive that revises screening procedures and puts new restrictions on passengers in the wake of a recent bombing attempt by the so-called underwear bomber.

Special agents from the TSA’s Office of Inspection interrogated two U.S. bloggers, one of them an established travel columnist, and served them each with a civil subpoena demanding information on the anonymous source that provided the TSA document.

The document, which the two bloggers published within minutes of each other Dec. 27, was sent by TSA to airlines and airports around the world and described temporary new requirements for screening passengers through Dec. 30, including conducting “pat-downs” of legs and torsos. The document, which was not classified, was posted by numerous bloggers. Information from it was also published on some airline websites.

“They’re saying it’s a security document but it was sent to every airport and airline,” says Steven Frischling, one of the bloggers. “It was sent to Islamabad, to Riyadh and to Nigeria. So they’re looking for information about a security document sent to 10,000-plus people internationally. You can’t have a right to expect privacy after that.”

Transportation Security Administration spokeswoman Suzanne Trevino said in a statement that security directives “are not for public disclosure.”

“TSA’s Office of Inspections is currently investigating how the recent Security Directives were acquired and published by parties who should not have been privy to this information,” the statement said.

You really need the rest to see how ridiculous this whole thing is.  They say power corrupts and absolute power absolutely corrupts.  That seems to be particularly true in law enforcement.  Take your average beat cop.  sure, there are some outrages here and there but by and large, your local cops are rock solid – mine here in Duncan, SC sure are.  If I think about my various encounters with the DEA, I cringe. I was unfortunate enough to be near someone they were looking for (I had never met them, had new idea who they were and had no dealings whatsoever).  It was one of the first times in my life I was really scared, and trust me, i don’t scare easily.  I remember back when I had to deal with a multi-agency raid at a company I was working at.  No violent crimes were even alleged and the owner was a very affluent respected member of the community. Yet the FBI and several other agencies came in, with full body armor, Glocks and Sigs ready for action.  Our legal counsel on staff was calling our corporate law firm when a FBI agent said “everyone step away from your desks”.  The thing was, he had just gotten permission from the FBI Agent who was in charge of everything.  This officer told Joe (a name I’m just making up) to step away from his desk.  Joe identified himself as legal counsel (the nameplate on his door said the same thing) and said Agent So and So just said it was ok.  He said again, put the phone down. Joe repeated himself and asked that Agent So and So be called over to verify. He reminded the agent of his legal right to make this call. At that point, the agent unclipped his holster and grasped his gun.There were so many other abuses it’d warrant a post of itself.

I have had dealings with other federal agents and I can’t think of one time I’ve not seen an abuse of power.  For the record, in the first case with the DEA – after searching me and having the dogs come out and sniff everything, I was completely cleared and allowed to go on my way. This was after 3 hours of detainment of me and about 25 other people – all of which were completely innocent and had nothing to do with the supposed drug dealer.  The company I was at was also completely cleared and one of the prosecutors was ultimately removed for misconduct on another case.  However the $1,000,000.00 dollars and time lost for my old boss was never recouped or returned.

Anytime you say anything that a Federal Agent doesn’t like, watch it.  First they’ll probably accuse you of lying. When you defend yourself, they’ll use the material you used to defend yourself as proof that you disclosed something improperly. And of course, they’ll say you put their life or lives of their family in jeopardy.   Telling the truth about anything  improper agents do ALWAYS means you’re revealing something they’ll take issue with.  They usually get really indignant about the assertion that they’d abuse their power. If you see all of this happening –BANK ON IT, you’re in for a fight.  I have also received ‘anonymous’ information before along the same lines. It’s not uncommon for people who want  a story to get out but are afraid of retaliation to send out the information to people they know will publish it.  I’ll be posting it in the near future and it’ll definitely ruffle some feathers. My point though is that this isn’t uncommon and what’s happened here can happen to a whole lot of people. It’s truly an outrage.

Fortunately, we have plenty of means to publicize such abuses. And such abuses can’t exist with daylight shown on them.  The more people that stand up, the more bloggers that cover such abuses, the less they can get away with it.  Ice-T was right though.  We do have Freedom of Speech, you just really better watch what you say (and whatever you do, don’t ‘compile’ the top three hits on Google. Even though Google’s search results already compiled them, if you do the same  prepared for a lot of BS.  Thank God the bloggers have decided to fight back.  And the best way to do that is to publish all the crap they receive. If the govt is really right, it’ll be self-evident. If it’s a matter of people covering up incompetence and screw ups, it’ll be readily evident too.

I’ll give the local cops and even state police the benefit of the doubt all day long – IMHO, they truly deserve it.  Until Federal Law Enforcement cleans up its act, well, Not so much.

Look at these poor guys.  Read what they went through .  Read the Official BS Line. Read the dramatic language the feds used (do they teach you how to make everything sound so freaking dramatic in Fed school or something?)  Then re-read this:

“They’re saying it’s a security document but it was sent to every airport and airline,” says Steven Frischling, one of the bloggers. “It was sent to Islamabad, to Riyadh and to Nigeria. So they’re looking for information about a security document sent to 10,000-plus people internationally. You can’t have a right to expect privacy after that.”

…..“They were indicating there would be significant ramifications if I didn’t cooperate,”

…”The agents searched through Frischling’s BlackBerry and iPhone and questioned him about a number of phone numbers and messages in the devices. One number listed in his phone under “ICEMOM” was a quick dial to his mother, in case of emergency. The agents misunderstood the acronym and became suspicious that it was code for his anonymous source and asked if his source worked for ICE — the U.S. Immigration and Customs Enforcement.”

 

You can read the blogs referenced here, here and here.

One last thing.  This is a big screw up right?  Remember that big screw up called 9/11? Anyone want to give me the names of everyone that was fired as a result of it?  I’ll gladly give you $1,000.00 for each one. This is clearly a screw up even by the TSA’s own admission.  After all

Five TSA workers were put on leave pending an internal investigation into how that document got posted

Anyone want to take bets that this will be the last we here of it?  Anyone want to bet it’s PAID LEAVE (It always is when they don’t mention it one way or the other).  Paid leave is called  a freaking vacation last time I looked  but I don’t know for a fact that it’s paid leave so I don’t want to jump to conclusions.  I’m betting right now no one will be fired, no one will be seriously disciplined either. Any takers?

[tags] Transportation Security Administration, TSA,  Christopher Elliott, , Steven Frischling, Suzanne Trevino[/tags]

2009 was a pretty mediocre year overall, but Kim decided to end it with a bang.  She finally accepted the fact that she’s married to a geek and embraced the geek chic while shopping for me.  One of the things she got me was a Cisco WVC210 Wireless G PTZ Internet Video Camera.  We’d been talking about installing some Doggy Cams for a while, but I really wasn’t expecting this.

Historically, the little bit of talent I have resided exclusively in the software realm.  When it came to wiring up anything, I could make a mess or an accidental explosion, not much more.  Trudging through the learning curve though, I started making some progress.  My crowning success for the year WAS turning the interior of my car into a fully functioning T-Mobile Hotspots (I really didn’t think much about having built-in BlueTooth in my car at first, I’ve since learned to really love it b/c with Wi-Fi and the Hotspot, it’s all kinda wireless).

This whole thing started as a father/daughter project and grew.  Santa brought her a NetBook to use with her Webcams so between the XBox Live acct and this, she’s going to be the highest tech kid in SC.  I tried getting it working in the car, not b/c it’s practical or even desirable, but just to see if I could get it to work.  As you drive, you roam and the IP Address is reassigned regularly (in this case, I’m roaming a lot so that’s the most likely culprit) so the forwarding is problematic.  Basically, you can see what the camera is looking at from a computer in the car even while moving. You can look at it over the internet if you sit still.  But for now, that’s all I was able to pull off.  I’ll be checking with the DynDNS.org folks to see if I can get something working while driving, but for now, I’m not expecting any miracles.

The WVC210 sat in the box for a day while we attended to other holiday duties (Santa brought me DJ Hero as well which took precedence).  Setup couldn’t have been easier and here’s what it took from start to finish (Finish being defined as ‘available and on the internet’):

1. Setup requires a CAT5 connection from the camera to the switch (or router).       
2. You need to connect the power cable.                                                  1 minute w/ #1 combined
3. Stick the install CD into a computer and start wizard.                            1 minute
4. Software needs to find the device.                                                         2 minutes
5. Walk through the wizard.                                                                     4 minutes
6. If all works correctly, here’s what you’ll see.
7. Add user accounts.                                                                                              3 minutes
8. Login to account (I used DynDNS.org)                                                                     1 minute
9. Retrieve your settings and write them down or commit them to memory.                  30 Seconds
10. Login to Router and set up Port Forwarding.                                                            3 Minutes
11. Go  to Internet and verify everything works.                                                                2 minutes
12. Enjoy

From start to finish, the whole thing took just about 15 minutes.  There’s one thing I sort of fibbed about.  DynDNS.org is awesome and very easy to use but I screwed up Port Forwarding the time around.  I tweeted asking if anyone knew how to troubleshoot.  Within a few minutes, Chris at DynDNS.org wrote me back and offered direct support.  I took a stab at the Port Forwarding on my own and it worked like a charm, but the whole DynDNS.org was awesome and I’m hooked.

Now a few months ago, someone cracked our doorbell chime.  I’m definitely not qualified to play with electric so it’s just sort of been sitting in limbo for a while. The additional cameras are perfect for such tasks.  Instead of looking like a lame a55 that can’t fix a doorbell, I look way cool for having video monitoring at the front door.  Coupled with some of the X10 (yep, after years of rolling her eyes, Kim has seen the light on X10 and become a fiend believer) stuff we bought recently, home automation has made a lot of progress recently and it’s been absolutely painless.

Anyway, once I got everything hooked up, the final step was removing the wires so it was fully wireless.  That was as hard as unplugging the cable and viola’, it was good to go.

Nothing big or impressive about a Webcam so what makes this blog worthy other than bragging about a wife cool enough to support my inner geek?  Here’s a few:

• It’s cake plugging in additional cameras.
• It provides two way audio which makes it perfect for a doggy tormentor cam or a door monitor.  The Sausage Dog of DOOM has reported back that he does not like me and mommy being able to watch him destroy our living room. What’s more, he really hates that we can say “NO!”  or “Stop it Nikki!” without having to be there.  From my point this is a huge plus, from an evil Sausage Dog’s perspective, it’s a bug.
• You can fully control the camera remotely.
• You can turn on motion detection so it follows around what’s moving.  Coupled with the previous item, this makes it an ideal Doggy cam .  This feature allows you to have emails sent to you directly when motion is detected and you can do really slick stuff like this too.  If only I could get it to recognize gestures, like, a small sausage like dog lifting up his rear left leg… I know I read an article a few years back of a guy that did something similar for his cat.  The cat would drag in dead animals which was a real pisser since he was often out on business for a few days at a time. So he wired the webcam to the cat door and if it detected an anomaly (i.e. a cat shaped critter with a a really wide thing in its mouth, it would lock the door)
• You can record sessions – disk space is your only real limitation. This makes it great for surveillance in business or home scenarios.
• It’s wireless so you can place it in strategic places without “those wires” which drives wives and anally retentive geeks nuts.
• There’s a very easy to use, web based administrative console. 
• Everything is URL addressable
• Features such as Panning and Tilting are available right out of the box.
• All of the functionality can be used w/out any programming

The downsides are few and in all fairness, I’ve only really had it a day or so and I haven’t dug in deep enough to be sure all of these are in fact, valid:

• The instruction manual is really thin. There’s a quick start and that’s pretty much it.  There is comprehensive online documentation however
• You may have to reset the camera once or twice before it can be seen by the software.  I had to reset it twice before it was recognized.  All in all though, this only took about a minute to accomplish
• There is very little guidance along the lines of security.
• I don’t know if there’s an exposed API. The control panel is pretty decent and does everything I need it to but it’d be nice to be able to write custom software to take advantage of it.  My guess is that there is something I’ve just missed it.  The viewer an ActiveX control but I’m going to try sniffing the wire and see if I can recognize any of the traffic.  If you run it securely this won’t work but it may give me a starting point of where to look.
• It appears you have to have it plugged in (i.e. no battery). Coupled with the size, it makes it kinda obvious that it’s there. This is a bug or a feature depending on what you’re using it for.

[tags] Cisco, Video Surveillance, Cisco WVC210, Internet Video Camera, DynDNS, BlueTooth, X10, Home Automation [/tags]

The resplendent Christopher Hitchens nails it once again:

Why do we fail to detect or defeat the guilty, and why do we do so well at collective punishment of the innocent? The answer to the first question is: Because we can’t—or won’t. The answer to the second question is: Because we can. The fault here is not just with our endlessly incompetent security services, who give the benefit of the doubt to people who should have been arrested long ago or at least had their visas and travel rights revoked. It is also with a public opinion that sheepishly bleats to be made to “feel safe.” The demand to satisfy that sad illusion can be met with relative ease if you pay enough people to stand around and stare significantly at the citizens’ toothpaste. My impression as a frequent traveler is that intelligent Americans fail to protest at this inanity in case it is they who attract attention and end up on a no-fly list instead. Perfect.

This whole thing is so silly.  Has a single terrorist attack been thwarted b/c someone answered “Yes” to those idiotic questions they ask about baggage?  Has a single incident been stopped by pulling out women’s vibrator’s from their personal luggage?  How much safety have we gotten by forcing everyone to remove their laptops from laptop bags? Seriously, are laptops somehow different from every other freaking electronic device? I didn’t have to take my PS3 out of it’s case but man, if you forget to pull out your laptop.  TSA’s best and brightest told me that the PS3 wasn’t a computer, but if it was, it’d need to be removed.  Brilliant.  Probably the same folks who pull out their guns and clear the house every time the wind blows a door closed….ooops. Aren’t you glad these folks are here to protect us?  After all, they are trained professionals, and what’s more, many have specifically been trained to handle firearms around kids.

[tags]TSA, Detroit Metropolitan Airport, Umar Farouk Abdulmutallab [/tags]

Any reader of this blog knows I’m a huge Bruce Schneier fan.   It would be hard to describe the smartest thing he’s ever written, but today’s post has to be at the top of any list:

Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers

Only one carry on? No electronics for the first hour of flight? I wish that, just once, some terrorist would try something that you can only foil by upgrading the passengers to first class and giving them free drinks.

[tags] Bruce Schneier, TSA, Detroit[/tags]

My main purpose with my previous post was merely to inform you about the realities of email privacy.  It’s practically an oxymoron.  Most of us don’t talk about stuff so sensitive that we need to worry much about it.  However if you search through your email for financial information, or other private stuff along those lines, I bet you’ll find it.  The longer you have an account, the more likely you are to have such information stored in it.  Keep in mind that if you had an adversary that didn’t like you and they could get access to your primary email account, they’d have in all likelihood, mounds of information they could use against you, all stored in one nice semi-organized place.  It’d even be in digital form so they could search it easy.  They wouldn’t directly be able to do a lot with it without getting in trouble, but just knowing secrets and details about your life could cause you more misery than you’d ever imagined.  The best solution is to not have any enemies.  But even then, there are hackers and all sorts of other miscreants out there who just like making trouble.  Instead of working on their own marriages and lives, they put all their energy into destroying others, destroy destroy destroy destroy I say.

Encrypting is a pain and it’s not always necessary.  Even if you are willing to encrypt everything, chances are most of your recipients won’t so that’s a dead end right out of the gate. At least at this point in time.  The main thing though is to be aware of the risks.  It’s one thing to keep every email and never encrypt anything b/c you don’t have anything of concern in your emails.  It’s another to think you have safety and privacy.  The last thing I want to do is scare anyone – we have way too much irrational fear about ‘hackers’ as it is.  Hollywood makes it look like every 15 year old with a laptop can hack into banks and missile installations in 10 seconds.  That’s not the case.  But technology isn’t usually the point of failure.  Look at the Palin hack.   The technology didn’t enable it to happen, bad security policies on Yahoo’s end did.   So if you do your part, you can rest assured that you’ll probably never encounter a data breach.  If you do, it’ll be a fluke, like getting hit by lightning.  As computers get more powerful and the internet gets more prevalent, you can rest assured the government is going to do all it can to get access to anything you have stored digitally – if they need it.  And if they can access it, there will be loopholes and failures so other not so good guys will be able to .  A little bit of knowledge goes a long way here and not believing in myths gets you pretty much 99% of where you want to be.  So hopefully this post helped do that for a few folks.

Until the db.singles.org incident, I used strong passwords, changed them every few months and didn’t think much about it.  After that incident, I changed my thinking a lot.  I started segregating accounts so that if someone breached one, they would only be able to get a limited set of data.  I started archiving my data too.  I’d pull out the older stuff, encrypt it and store it on a password protected drive.  By segregating things and archiving, that limits the damage that could happen if my accounts got hacked.  That’s not to say that someone still couldn’t cause me a lot of problems by getting full access to one of my accounts. They could. But it’s a lot less than what it was before I saw the light.  I never posted the full details of the fallout from db.singles.org but I know of a few people that really suffered bad from it. They never thought for a second their information wasn’t safe.  And they never thought (at least I don’t think they did) that a breach in the db.singles.org account would have led to breaches in PayPal, Facebook, Gmail, Yahoo and everything else. I’m sure they also had an expectation that a service they paid for would guard their information. It was repeated screw ups that allowed things to happen as they did.  Think about it though, when someone can write a script on the fly, to pull down all that information for every account, in under a few minutes, something is seriously wrong.  What’s worse, db.singles.org didn’t do squat afterward.  They didn’t even let the people know what happened.  It was shameful, particularly for a site that fancies itself Christian in nature.  But that stuff happens.  They aren’t the only people who’ve handled stuff like this poorly. They aren’t the only ones who tried to brush it under the rug. They aren’t the only ones who tried to dodge responsibility.  The Data Loss Database is a frightening testimony to how widespread data breaches are.  Don’t take my word for it, look for yourself. Read through a few and see how common this is. Look at how frequently it’s not a technology failure rather, a human is the point of failure.  I bet if you go through it and compare it to how frequently you hear about breaches, you’ll see a big mismatch.  And look at how frequently it’s the GOVERNMENT That has the breaches.  That’s the same government that has all sorts of sensitive information of yours. And it’s not just our government or US corporations, it’s widespread.

The fact that you can do some very simple things to add a huge layer of security to your data is very reassuring.   I’d offer  a few of my own.

If someone ever gets access to your email account, they have enough information to make your life hell.  This isn’t an opinion, it’s a fact.  This is why Plaintext email is so dangerous.  If it contains anything sensitive, you don’t want it stored in plaintext indefinitely. I know, it’s a huge convenience.  I know, email services don’t provide encryption with a few exceptions.  I know, much of the sensitive information in your email account will be attached to stuff sent to you – not the other way around.  I highly encourage you to read the whole db.singles.org drama (I covered it in depth, but you can Bing Operation Jesus for more information).  If you can’t keep sensitive information out of your email archives for practical reasons, use a password for your email that you don’t use for any other account.  Use fake answers that you specifically distort for your Password Reset Challenge questions (Sarah Palin can tell you why).  Use big long strong passwords and change it regularly. Never write it down and don’t give it to anyone.  Three people can keep a secret if two of the people are dead.  You may trust your spouse, mother, father etc to never do anything malicious to you, but that doesn’t mean they’ll never do something careless that could put you in really hot water.  Don’t give out your password, ever. If you have to for some reason, change it immediately.

The fewer people that know a secret, the less likely it is to get out.  There’s no reason for anyone else to know your personal account passwords, ever.  If you need shared access, then like I said, create a shared account that is limited to only information both people need.  Accidents happen and even the best intentioned people might mess up and breach the password.  That’s the thing, no one ever intends to give away  a password yet it happens. No one ever means to compromise security, but it happens.  No one needs to know your passwords. If they do, create a new account you both have access to and only use it to forward those emails/documents that you both need. 

Please don’t fall for the “We’re a couple, we share everything” thing as a reason to share passwords.  That’s beyond silly.  No couple shares everything.  I’ve heard people argue this before but it’s simply not true. Do they share a toothbrush?  Do they share undergarments? Do they share all of their clothes? Do they share a purse?   Do they share a jockstrap? Do they share shoes? (Ok, for a same sex couple sharing might be a little more feasible, but even there, no one shares everything).  Would you share cancer medication if only one person had cancer? Of course not.  So get past the whole “We share everything”.  It was cute back in high school, but in real life, it doesn’t fly.  By the time you’re married, you should already know if you can trust your spouse or not. If you don’t know, then passwords are the least of your problem.  

I keep all of my passwords in Password Safe. I have a big long password for it that I only use for it.  Kim knows it.  So if she needed to get into one of my accounts for some reason, she could.  Password Safe is a great utility and is very helpful if you want to stop reusing passwords and want to use strong passwords wherever possible (again, not everything needs locked down – but if you’re going to give something a pass, make sure there’s NOTHING that can be problematic).  From a ‘sharing everything’ POV, I do think that I should be willing to share everything with my wife if need be.  So if she needed my password and I wouldn’t give it to her, that’s a problem. But the # of times someone needs access to your email is so rare, this isn’t really an issue – I’m actually shocked I hear people bring it up so much b/c it’s about as much of a non-issue as I can think of.

[tags]Password Safe, Email Security, Online Privacy[/tags]

It amazes me that there are people who use email regularly but still don’t understand this.  If I send you an email, say from my work account to your work account and I have ‘private’, ‘sensitive’ or whatever information in it, I’m a complete moron if I want to demand it stay private. If anything, complete moron isn’t strong enough of a phrase.

Because I want to stay out of the fray, I’ll leave the parties out of it (if you follow tech news at all, you’ll know who the parties are).  A blogger posted some footage of a media person on his blog.  The purpose of his post was specifically to rebut some accusations that the media person made about him.  Stated another way, had the media person not made some nasty accusations about this person, he wouldn’t have felt the need to defend himself and his response would never have happened.  Anyway, his post along with the video made the media person look like a complete and utter liar/phony/jackass/fool.  Not surprisingly, the media crybaby got butthurt and threw out the war cry of the impotent “You’ll be hearing from my attorney!” via email.  In the bottom of the email he had the standard boilerplate idiocy commonly known as an Email Disclaimer.  It said the typical stuff, you can’t use this without my permission, if you’re the unintended recipient you’re not allowed to look at it, blah blah blah.  My friend and super lawyer Chris insists that this is necessary to establish the communication as valid if you want to assert attorney/client privilege.  But even a diehard like him is acknowledging that this is a pretty weak claim. He’s been reduced to acknowledging that it at least lets him make the case which is better than nothing. Fine, but most of these pieces of stupidity don’t come from attorneys emailing their clients.  In this case, neither party was an attorney.  The text did say that the receiver wasn’t allowed to publish the contents without the author’s permission.  The blogger however, had a firm statement that he’d publish any email that was sent to him regarding the blog if he felt like it. And he made clear that any threats, legal or otherwise, would absolutely positively be published.

So he published it.  Now, the media person who already looked like a complete jackass looked like a much bigger jackass.  He got even more butthurt and threatened to call his attorney even more, or faster, or maybe a better attorney –hell I don’t know but he made an even bigger “You’ll be hearing from my attorney” threat.

The blogger laughed and published that email too.  That infuriated said douchebag even more.  He started ranting and raving that the blogger was invading his privacy. By posting his private email, he broke the law and subjected him (media douchebag) to all sorts of harassment.  As is ALWAYS the case with crybabies of this sort, the “my life is in danger” claim was made.

I’m not lawyer and I don’t play one on TV. But I’ve been down this road before.  For I too maintain a “If you send me an email and I don’t like it, I’m posting it on my blog and anywhere else I damn well feel like posting it” policy. I’ve been threatened a few times about emails I’ve published, in all but one case the people (or a friend of theirs) came back, apologized and begged me to take it down – which I did. 

Here’s a few pertinent points – keep in mind that many aspects of internet law are still in their infancy. Others, like email, are fairly well established.  The points I make are ones I’ve made many times before and will continue to in the future, just b/c hearing ignorant statements is so frustrating.  I’ve provided several links for substantiation and further reading but I didn’t include all the legal research behind it (pretty much everything below is information I’ve obtained from legal counsel over the years.  Well, everything that discusses law) If you would like substantiation or want to argue the finer points here, feel free to email me and I’ll be glad to discuss it further.  I’m not the only person to feel this is a noteworthy issue and countless people have written on it. Many think this is a legal gray area. Hardly.  I encourage you to read an account that’s completely independent of my own – you’ll find the similarities are so strong they are virtually identical accounts:

1. Something doesn’t carry legal weight just b/c you say so. You can say “it’s an invasion of privacy” all year long, it doesn’t make it so.
2. Unless you’ve spoken with an attorney FAMILIAR with the matter at hand, you’re very likely to be wrong about any given legal claim you make.
3. Even if an attorney familiar with that area of law and the particulars of the case says you’re right, that doesn’t make it so either. If it did, judges wouldn’t have much to do.
4. The “Right to Privacy” isn’t something in the Constitution like Freedom of the Press.  It’s a creation from interpretation (which is still every bit as valid as anything else). Nonetheless, a Right to Privacy doesn’t mean what most people thinks it means.
5. A big part of invasion of privacy cases revolve around a reasonable expectation of privacy. You’re free to claim you had a high expectation of privacy when you sent out an email all you want, there’s no there there.  If the recipient agreed beforehand that he/she would keep the contents private, you have a much stronger case.  But simply demanding that they do so means just about nothing. If it did, I could demand that by receiving my email, you owe me $10,000,000,000.00  You’d laugh in my face if I made such a demand, but that demand is no more ridiculous from a legal perspective than anything else we’ve discussed so far is.
6. Encrypting an email is another action that can raise the expectation of privacy (b/c you’re taking steps to ensure that only you and the recipient are privy to the email.  But even that isn’t as legally compelling as some would have you believe.)
7. Plaintext emails are fair game.  That’s because from the time you send it to the time I get it, neither of us could know how many people could see it.  We could do an after the fact analysis and narrow down that number, but that still wouldn’t let you know with much precision.  If 20 different people have access to the contents of the email, any expectation of privacy goes out of the window.
8. Pleading ignorance doesn’t change the law or culpability.
9. Emails from public email hosts (AOL, Hotmail, Gmail etc) carry a little more weight than corporate ones, but they are still pretty much fair game if you send an email from one. Think about this for a second. If you’ve ever used Gmail, when you read a message, tailored ads appear around it. That’s what supports the ‘free’ service. A computer is doing all the analysis and suggesting but in a fraction of a second, your email is scanned, analyzed and targeted ads are posted.  That proves how easy it is to scan messages.  But do you really think all that information just goes bye bye?  I’m not making any paranoid accusations here, you give up a little privacy in exchange for the service and google has a vested interest in keeping things secure.  But anything that easy to scan will not just sit idle.
10. Sending email from or to a corporate email account completely wipes out any privacy claims you might have.  The courts have repeatedly held that companies have every right in the world to monitor employee email.  Most companies do have some form or another of email monitoring.  Among those that don’t most have the capability of monitoring it if they needed to.  Additionally, almost all companies of any size backup their mail servers so your private emails are probably sitting around on countless backup tapes where all sorts of people can see them.
11. If you send anything private from your corporate email account, or to someone else’s corporate email account, it’s almost a certainty that someone in the IT department at either company has either read it, or at least could read it if they wanted to.
12. If you doubt anything I’ve said in the past few items, ask your company or agency HR Director to see the Acceptable Use Policy for Internet and/or Electronic correspondence.  Virtually every company of any size has an acceptable use policy (and every government agency does) which discusses what you are and aren’t allowed to do with your email account.  Most strictly prohibit personal correspondence being transmitted through their email servers. Most also have a de minimus provision of some sort.  These basically say that while sending personal stuff is a violation, if you do it once in a blue moon, it’s ok as long as it complies with other aspects of the policy
13.  Principals are responsible for the actions of their agents.  This is one of the primary legal tenets that allow companies and govt agencies to monitor email and internet use.  Since a company is responsible for anything sent out by its employees, it has a vested interest in being able to know everything that’s sent out.
14. If you send email from a corporate/govt agency email account, you are necessarily representing yourself as an agent. (I can’t find the link for this at the moment
15.  S*** happens.  All the time.  I could fill terabytes of examples of this.  Some is malicious, some isn’t.  Some of the worst ones are just accidents.  When you have humans in the equation, you have mistakes.  So even if you do everything by the book, a simple mistake could lead to data loss of your emails.

These are all relevant to the case at hand b/c they all come into play in one form or another.  One of the biggest points though is that the media douchebag in question sent out his threats to the blogger from his work account.   While the media clip that in question was one made while in the employ of the company who’s email he was using, the company wasn’t the one complaining.  Again, he had made several derogatory comments about the blogger and had made several accusations against him. In those allegations, he claimed the blogger was being dishonest and was making libelous accusations.  The old , Truth in an absolute defense thing came into play, and the blogger decided to answer the ridiculous accusations by Proving they were false.

When the media guy sent out the email, he brainlessly included what looked like an autosig at the bottom (right above the big scary legal disclaimer) of the email that included several pieces of personal information (but he included a VCard that had several pieces of very personal info about the guy’s family). The blogger, mentioned that he had all of this but didn’t publish any of it – the only thing he published was the contents of the email – verbatim (which included the email headers.)  His stated reason was that he didn’t want accused of distorting the context or printing anything false.  The media guy said this was a bogus claim, for he could have redacted all of the identifying information and still kept the integrity of the message intact – hence, he asserted the blogger published all of it to be malicious. This claim fell flat b/c of other elements of the case

The blogger also mentioned that in the past, he received emails from the media guy from media guy’s personal email accounts.  In each case when he received a demand or threat, it typically came from the corporate email.  He intimated that he believed the media guy did this on purpose, to remind him of who he was dealing with and to give off the impression that his employer stood behind him on this. To that end, the blogger had recourse against the media guy’s employer.  There’s a lot to that issue that really has nothing to do with email (it concerns itself with nuances of Principal/Agent relationships) so I’ve left it out of this discussion.

In the end, keep this in mind:

• In general, email is about the least private way you can communicate. If it’s private or personal, email isn’t the venue you want to send it through.
• The advice “Don’t send anything in an email message that you wouldn’t be comfortable showing up on the front page of a newspaper”.  Beat it into your head – THERE’S NO SUCH THING AS A PRIVATE EMAIL. Encryption cam keep it private for a period of time, but if anyone else can decrypt it, you can’t count on it staying private.  Want to know why this adage is so important?
• Backup and storage are very cheap.  Years ago, many companies would save money by getting rid of logs/records/emails older than X years, the opposite is the case now.  Moreover, if you work at a publicly traded company, a private company that contracts with/for the government, or a government agency, there are probably laws requiring that all of those records are kept for a long time.  That varies depending on the nature of the entity, but items like Section 802 of Sarbanes-Oxley have pretty strict requirements for email retention.
• Email disclaimers are pretty much worthless.  Even assuming that one was written perfectly and a sympathetic judge was hearing the case, at best they allow you to seek redress.  They can’t ever stop someone from sharing the information.  Think about the current case of a famous golfer who was having extramarital affairs.  A disclaimer might (and that’s a big ‘might’) have given him recourse to sue anyone who published his emails, but would that do him any good?  Would the amount of money he could recoup from a blogger or one of the women possibly do much for him in comparison to what the revelations have cost him?  There’s no way to sue for your wife and kids back or those endorsements to reappear.  There’s no way to sue for future endorsements that will never materialize.  So even if the disclaimers had teeth, they are a day late and a dollar short.
• Your email will hit several servers between the time it’s sent from your account and the time it’s received by your recipient.  It’s hard to know with certainty how many, or what servers the message will route through.  Additionally, it’ll be very difficult if not impossible to know who all had access to the message. It’s also impossible to know who all will get access or who all will see the message.  It could be sitting on a ton of different backup tapes at each node along its route.  So even if no one read it today, you’re not off the hook yet, someone could look it up and read it 3 years from now.
• Companies and govt agencies have every right to monitor communications sent out through their servers.  Many companies do monitor email. Some more than others and some not at all.  But keep in mind, just b/c your company doesn’t monitor your emails today, there’s nothing stopping them from doing it tomorrow.  Additionally, companies and agencies vary greatly in how much they publicize their monitoring. Some make it well known in hopes of a deterrent. Others do it quietly in hopes of catching the bad guys.  And like everything else, there’s no rule saying they can’t change how much they publicize it.
• Even if a company has a diminimus provision, remember that anything you write on their computers and send through their servers is theirs.  Just b/c the subject matter is your family or your personal info, unless you have it written otherwise, you can rest assured they have legal claim to it.
• VCards might seem like a good idea, but I’d be hard pressed to think of any situation highly personal information such as birth dates, SSN’s, family member’s names or anything else should be included.
• If you put personal information in your autosig, remember that many people you didn’t intend to read it will have access to that information.   If you’re a high profile celebrity , business titan or what have you and you maintain public and private contact points, think long and hard before you include this stuff in an autosig.
• Remember that the correct metaphor for unencrypted email is a Post Card. If anything, the post card metaphor is inadequate b/c email is much more public than a post card.

——————————————————————————————

[tags]db.singles.org, Operation Jesus, Email Security, Privacy, online privacy, password safe[/tags]

In a massive security breach , the Transportation Security Agency (TSA) inadvertently posted online its airport screening procedures manual, including some of the most closely guarded secrets regarding special rules for diplomats and CIA and law enforcement officers.

$10.00 says that the people responsible will not only not be fired but won’t get anything worse than a slap on the rest (like paid vacation aka “paid administrative leave”.

At the risk of building a straw man, let’s assume that’s the case – that they won’t be fired or if they are, they won’t be looking at any jail time.  Now let’s say that I, as a private citizen, had that document sent to me by some disgruntled TSA employee. And let’s say I penned a blog post that had all that information contained in it.  I saved it to Drafts but accidentally queued it to be published.  And it got published. In which case I realized my mistake a few hours later and took it down.

Anyone want to argue that somehow I wouldn’t be put through hell by our all loving benevolent Department of Homeland security?  I’d be fined to death and probably do some time. If not, I’d at least have to spend enough on attorney’s fees that I’d wish I was locked up instead.

Bruce Schneier is so incredibly correct on the whole TSA and all of their stupid screening procedures (aka Security Theater). How can anyone seriously defend the TSA’s existence?  I could post a terabyte hard drive full of their abuses and those are just the ones we know about.  They’re expensive, rude, incompetent and worthless.  Since we’ve reinforced cockpit doors, how can anyone say we need them?  All we need is a few dogs that can sniff explosive materials and a bunch more scanners. 

As someone who travels a lot, and has flown outside of the US quite a bit, all I can say is that the whole TSA is one big, unfunny, expensive joke.  Oh yah, we had to make them federal employees b/c private sector companies couldn’t be trusted.  Sure.  The private sector couldn’t possibly find that many incompetent a33holes in one place to hire, but other than that, I’m not buying it. And why do I call them that? Am I just bitter or something b/c I get hassled a lot? Nope, I never get hassled.  Out of 200+ flights, I’ve only been singled out for search once.  But I’ve watched so many people get abused that I forgot count of them all. In just 2009, I’ve seen 7 instances (and yes, all but one were at the same airport) of a TSA employee being so abusive that a supervisor had to come over, pull them out of the line and talk to them and then apologize to the victim.  If you want to hassle people b/c they don’t speak very good English, you should at least be able to speak decent English yourself, especially when it’s your first language.

But Bill, there hasn’t been a single hijacking since 9/11.  Brilliant reasoning in that argument.  Since I was 25 I’ve spent most of my work time travelling and I’ve travelled a lot. In that whole time, I don’t recall a single plane being hijacked – you know, back when screening  consisted of them asking you “Hey, you haven’t taken any packages from strange looking middle eastern men have you?  You don’t plan on blowing up the plane do you?”  I’ll add this – and again, it’s hard to verify b/c it’s in the future – but if a plane is hijacked or blown up , it won’t be from a passenger sneaking stuff on the plane.  The largest attack vector is baggage. Right now, if you tried to pull a knife or whatever, there’d be a full scale bumrush on your a55.  Even if you were some martial arts ninja, you aren’t going to be able to fend off flying laptops and boiling coffee from everyone else so not much can happen there.  With reinforced doors, you wouldn’t be able to bumrush the cabin either.  If we fired every sideshow act TSA employee, went back to pre TSA screening procedures and spent all of that money on scanning equipment and dogs, there’d never be another hijacking again.  Air Marshalls could fill any other perceived gaps b/c unlike screeners, they actually provide value.

But this will never happen b/c the TSA (like a whole lot of DHS, is little more than a job’s program. Except in the TSA’s case, it’s a jobs program for the otherwise unemployable) is a govt fiefdom.  Seriously, next time you fly, look at all the people in each of the lines.  Other than the really young folks for whom this is a starting point in their careers, ask yourself What could I see this person doing if they weren’t working here? And be honest.  You’ll see that I’m right.

The TSA is without a doubt the most worthless agency under the DHS umbrella. It along with one other one I can think of , are just shameful.  Now when it comes to the majority of the agencies, say the FBI, the NSA, the CIA etc, love them or hate them, the rank and file employees are quite competent and well intentioned.  There is certainly some political deadweight at each, but most FBI agents for instance could easily work in the private sector earning a lot more money. 

UPDATE: 12.10.2009

I’ve seen reports that 5 people were employees were put on administrative leave.  I’m not familiar enough with govt regs to know if that necessarily means paid , unpaid or can’t tell without more information but I’ll throw this out – can you think of any private company you’ve worked for where something like this wouldn’t lead to termination of at least one person?  Ok, maybe it will in the future but I’m betting the under and will eat all the crow you want if I’m wrong.  I’d also add that every report I’ve found doesn’t mention paid or unpaid. In my experience, an omission like this is telling, like when there’s a political scandal and they don’t tell you the party of the person involved.  You KNOW what party they belong to when it’s excluded.  The govt is quick to throw people under the bus and find fall guys (or people to be politically correct) and that includes mentioning it when its unpaid in most cases.  So let’s see.

Bruce Schneier pointed to Boing Boing’s coverage which is freaking priceless:

BoingBoing is pretty snarky:

The TSA has published a "redacted" version of their s00per s33kr1t screening procedure guidelines (Want to know whether to frisk a CIA operative at the checkpoint? Now you can!). Unfortunately, the security geniuses at the DHS don’t know that drawing black blocks over the words you want to eliminate from your PDF doesn’t actually make the words go away, and can be defeated by nefarious al Qaeda operatives through a complex technique known as ctrl-a/ctrl-c/ctrl-v. Thankfully, only the most elite terrorists would be capable of matching wits with the technology brilliance on display at the agency charged with defending our nation’s skies by ensuring that imaginary hair-gel bombs are kept off of airplanes.

The more I read what Bruce has to say about security (and I’ve been following him for years), the more I realize how strong his argument is. That’s why he is always on the right side of these issues.   If you read him regularly, you know that the TSA is regularly mentioned in his posts (Reason, Wired and Drudge for instance, seem to do the same – wonder why that is   ) and he doesn’t have much more regard for them than I do – although he’s much more diplomatic about it.  The money quote from his piece:

TSA is launching a "full review" to determine how this could have happened. I’ll save them the effort: someone screwed up.

In a statement Tuesday night, the TSA sought to minimize the impact of the unintentional release — calling the document "outdated," "unclassified" and unimplemented — while saying that it took the incident "very seriously," and "took swift action" when it was discovered.

Yeah, right.

This whole thing is a disgrace from start to finish.  And if it were an isolated incident, I’d be singing a different tune.  But this is just one more example of the utter incompetence shown by the TSA.  But it’s not just incompetence, it’s the utter disregard for passengers and citizens (and the law for that matter).  Remember folks, Airport Security was just too freaking important to be trusted to the private sector – only Unionized Government employees could do the job adequately.  And as the advocates of turning it into a union shop constantly reminded us – this was only about security, no politics guiding the decisions at all.

Fortunately, when I get frustrated at the things my government does, I have a release valve. I just look at the insane rants from everyone’s favorite defender of liberty, justice and the American way– yaknow, the ones that were sent to people who may not be as friendly as one thinks.  Maybe I’ll go reread Hi Ken.doc or one of the other “Nothing is my fault, Bill is pure evil and evil incarnate both at the same time, the affects are adverse, he sabotages, and he wants to destroy destroy destroy destroy, all he does is spend every waking moment trying to destroy, destroy, destroy, It’s not lying when I do it but it is when Bill tells truths I don’t like because he’s Pure Evil & Evil Incarnate and all he does is destroy destroy destroy destroy. Did I mention he’s evil? And that he likes to destroy destroy destroy destroy? Oh yes, and nothing is my fault. Ever. All the problems encountered, caused by the Destroyer/Saboteur/Attacker of Duncan. It’s never my fault. It’s always someone else’s fault but it’s never my fault. Even when it is it isn’t” themed ones… those are always good for a laugh or two. 

And when I’m done with my chuckle, I’ll find something to destroy, destroy, destroy, destroy until I find a way to break you, never tiring, never taking a breath (or even a dump for that matter – if that’s not commitment, what is) and spending all my free time determined to do the following:

Console.WriteLine(“What does Bill do, what’s the only thing he does?”);

for(Int32 i = 0; i < 4; i++){

     Console.WriteLine(“Destroy\r\n”);

}

[tags] TSA, Bruce Schneier, TSA Security Breach, Privacy, Security, DHS, Department of Homeland Security [/tags]