[Quote]:
The storyline:
- TSA screener finds two pipes in passenger’s bags.
- Screener determines that they’re not a threat.
- Screener confiscates them anyway, because of their “material and appearance.”
- Because they’re not actually a threat, screener leaves them at the checkpoint.
- Everyone forgets about them.
- Six hours later, the next shift of TSA screeners notices the pipes and — not being able to explain how they got there and, presumably, because of their “material and appearance” — calls the police bomb squad to remove the pipes.
- TSA does not evacuate the airport, or even close the checkpoint, because — well, we don’t know why.
I don’t even know where to begin.
Feel safer yet?
[Quote]:
Even though a public outcry has prompted Homeland Security to move away from adding X-ray machines to airports–it purchased 300 body scanners last year that used alternative technology instead–it appears to be embracing them at U.S.-Mexico land border crossings as an efficient way to detect drugs, currency, and explosives.
[..]
For its part, Homeland Security says the dose is safe and based on commonly accepted government standards established by the National Council on Radiation Protection and Measurement, which would permit 2,500 scans a year for each person.
I suggest, to make sure these devices are properly calibrated, the Director/CEO of the TSA and his family should undergo 2,500 scans a year.
|
[Quote]:
Mike Cardwell claims that T-Mobile UK are silently disrupting VPNs and secure connections to mail-servers, using packet-injection techniques more often found in the Great Firewall of China. He documents his findings in detail, and has found someone on the T-Mobile customer forums who claims that a senior technician there stated that it was a deliberate policy decision at T-Mobile to keep mail from being sent through any servers apart from their own.
The consequence of this is that you must communicate over T-Mobile’s 3G network in a way that allows them to snoop on you and read your email. And since 3G security has been compromised for years, it also means anyone within range of your cell tower can also snoop on you. Mike borrowed techniques from those who fight the Great Firewall of China to build a system that lets him tunnel securely and keep his sensitive data secret, but unless you run your own servers, you’re screwed if you’re a T-Mobile customer.
[Quote]:
Have you wondered what $1.2 billion in airport security gets you? The TSA has compiled its own “Top 10 Good Catches of 2011”:
10) Snakes, turtles, and birds were found at Miami (MIA) and Los Angeles (LAX). I’m just happy there weren’t any lions, tigers, and bears…
[...]
3) Over 1,200 firearms were discovered at TSA checkpoints across the nation in 2011. Many guns are found loaded with rounds in the chamber. Most passengers simply state they forgot they had a gun in their bag.
2) A loaded .380 pistol was found strapped to passenger’s ankle with the body scanner at Detroit (DTW). You guessed it, he forgot it was there…
1) Small chunks of C4 explosives were found in passenger’s checked luggage in Yuma (YUM). Believe it or not, he was bringing it home to show his family.
That’s right; not a single terrorist on the list. Mostly forgetful, and entirely innocent, people. Note that they fail to point out that the firearms and knives would have been just as easily caught by pre-9/11 screening procedures.
|
[Quote]:
When you give out money based on politics, without any accounting, this is what you get:
The West Michigan Shoreline Regional Development Commission (WMSRDC) is a federal- and state-designated agency responsible for managing and administrating the homeland security program in Montcalm County and 12 other counties.
The WMSRDC recently purchased and transferred homeland security equipment to these counties — including 13 snow cone machines at a total cost of $11,700.
Wait. It gets funnier:
“It is used to attract people so they can be educated and prepared for homeland security,” Dey said from his office in Muskegon. “More importantly, they (homeland security officials) felt in a medical emergency the machine was capable of making ice packs which could be used for medical purposes.”
This is excellent commentary.
Feel safer yet?
[Quote]:
To walk through an airport with Bruce Schneier is to see how much change a trillion dollars can wreak. So much inconvenience for so little benefit at such a staggering cost.
[..]
“We’re spending billions upon billions of dollars doing this—and it is almost entirely pointless. Not only is it not done right, but even if it was done right it would be the wrong thing to do.”
[Quote]:
Computer scientists have discovered a weakness in smartphones running Google’s Android operating system that allows attackers to secretly record phone conversations, monitor geographic location data, and access other sensitive resources without permission.
Handsets sold by HTC, Samsung, Motorola, and Google contain code that exposes powerful capabilities to untrusted apps, scientists from North Carolina State University said. These “explicit capability leaks” bypass key security defenses built into Android that require users to clearly grant permission before an app gets access to personal information and functions such as text messaging. The code making the circumvention possible is contained in interfaces and services the device manufacturers add to enhance the stock firmware supplied by Google.
[..]
Unlike out-of-the-box iPhones, which allow users to install only apps that have been approved by Apple, the official Android Market performs no security checks on the wares it offers. To compensate, Google built the permission-based security model into the mobile OS to give users control over the personal information apps get to access. Before a new program runs for the first time, it lists the sensitive resources it will access. Users who are uncomfortable with the permissions then have an opportunity to cancel the installation.
The researchers found that the manufacturer-supplied enhancements offer a way to circumvent this permissions-based model.
Again, not Google’s fault - unless you count allowing others to modify your software before release.
|
[Quote]:
A cyber warfare expert claims he has linked the Stuxnet computer virus that attacked Iran’s nuclear program in 2010 to Conficker, a mysterious “worm” that surfaced in late 2008 and infected millions of PCs.
Conficker was used to open back doors into computers in Iran, then infect them with Stuxnet, according to research from John Bumgarner, a retired U.S. Army special-operations veteran and former intelligence officer.
“Conficker was a door kicker,” said Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a non-profit group that studies the impact of cyber threats. “It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet.”
[Quote]:
In October, a foreign national named Mike Fikri purchased a one-way plane ticket from Cairo to Miami, where he rented a condo. Over the previous few weeks, he’d made a number of large withdrawals from a Russian bank account and placed repeated calls to a few people in Syria. More recently, he rented a truck, drove to Orlando, and visited Walt Disney World by himself. As numerous security videos indicate, he did not frolic at the happiest place on earth. He spent his day taking pictures of crowded plazas and gate areas.
None of Fikri’s individual actions would raise suspicions. Lots of people rent trucks or have relations in Syria, and no doubt there are harmless eccentrics out there fascinated by amusement park infrastructure. Taken together, though, they suggested that Fikri was up to something. And yet, until about four years ago, his pre-attack prep work would have gone unnoticed. A CIA analyst might have flagged the plane ticket purchase; an FBI agent might have seen the bank transfers. But there was nothing to connect the two. Lucky for counterterror agents, not to mention tourists in Orlando, the government now has software made by Palantir Technologies, a Silicon Valley company that’s become the darling of the intelligence and law enforcement communities.
The day Fikri drives to Orlando, he gets a speeding ticket, which triggers an alert in the CIA’s Palantir system. An analyst types Fikri’s name into a search box and up pops a wealth of information pulled from every database at the government’s disposal. There’s fingerprint and DNA evidence for Fikri gathered by a CIA operative in Cairo; video of him going to an ATM in Miami; shots of his rental truck’s license plate at a tollbooth; phone records; and a map pinpointing his movements across the globe. All this information is then displayed on a clearly designed graphical interface that looks like something Tom Cruise would use in a Mission: Impossible movie.
As the CIA analyst starts poking around on Fikri’s file inside of Palantir, a story emerges. A mouse click shows that Fikri has wired money to the people he had been calling in Syria. Another click brings up CIA field reports on the Syrians and reveals they have been under investigation for suspicious behavior and meeting together every day over the past two weeks. Click: The Syrians bought plane tickets to Miami one day after receiving the money from Fikri. To aid even the dullest analyst, the software brings up a map that has a pulsing red light tracing the flow of money from Cairo and Syria to Fikri’s Miami condo. That provides local cops with the last piece of information they need to move in on their prey before he strikes.
Scenario: a friend needs to fertilize his lawn, and I want to help him. I borrow his car, and on the way to the store I fill it up (with diesel, it’s a small truck). I pay with my debit card, of course, and I do the same at the store. Before I get back to his place, I am arrested for making a bomb. After all, the apartment I live in has no garden, and I drive a petrol car myself – so why would I buy diesel and fertilizer if I wasn’t planning to create a bomb, right?
Feel safer yet?
|
[Quote]:
If there are any SCADA administrators out there who haven’t already replaced their ‘1234’ and ‘admin’ passwords, then they might consider this a reminder.
[Quote]:
The European Union on Monday prohibited the use of X-ray body scanners in European airports, parting ways with the U.S. Transportation Security Administration, which has deployed hundreds of the scanners as a way to screen millions of airline passengers for explosives hidden under clothing.
The European Commission, which enforces common policies of the EU’s 27 member countries, adopted the rule “in order not to risk jeopardizing citizens’ health and safety.”
|
[Quote]:
Yet another web authentication authority has stopped issuing secure sockets layer certificates after discovering a security breach that allowed hackers to store attack tools on one of its servers.
Netherlands-based KPN Corporate Market said it was taking the action while it investigated the compromise, which may have taken place as long as four years ago. The breach came to light after tools for waging distributed denial-of-service attacks were found on its network.
|
[Quote]:
A Houston area law enforcement agency is prepared to launch an unmanned drone that could someday carry weapons, Local 2 Investigates reported Friday.
The Montgomery County Sheriff’s Office in Conroe paid $300,000 in federal homeland security grant money and Friday it received the ShadowHawk unmanned helicopter made by Vanguard Defense Industries of Spring.
[..]
Michael Buscher, chief executive officer of manufacturer Vanguard Defense Industries, said this is the first local law enforcement agency to buy one of his units.
He said they are designed to carry weapons for local law enforcement.
“The aircraft has the capability to have a number of different systems on board. Mostly, for law enforcement, we focus on what we call less lethal systems,” he said, including Tasers that can send a jolt to a criminal on the ground or a gun that fires bean bags known as a “stun baton.”
“You have a stun baton where you can actually engage somebody at altitude with the aircraft. A stun baton would essentially disable a suspect,” he said.
Gage said he has no immediate plans to outfit his drone with weapons, and he also ruled out using the chopper for catching speeders.
Well, I feel safer already.
[Quote]:
Most air travelers now endure naked scans or genital pat-downs by gloved agents of the government without surprise or complaint. But before invasive security became normal, there was a backlash. And at its height, Transportation Security Administration boss John Pistole said something revealing. "I see flying as a privilege that is a public safety issue. So the government has a role in providing for the public safety and we need to do everything we can in partnership with the traveling public, to inform them about what their options are," he told reporters. "I clearly believe that passengers have a number of options as they go through screening. But the bottom line is, if someone decides they don’t want to have screening, they don’t have the right to get on the plane."
You don’t really have to drive your car either, right?
[Quote]:
You’re probably used to seeing TSA’s signature blue uniforms at the airport, but now agents are hitting the interstates to fight terrorism with Visible Intermodal Prevention and Response (VIPR).
"Where is a terrorist more apt to be found? Not these days on an airplane more likely on the interstate," said Tennessee Department of Safety & Homeland Security Commissioner Bill Gibbons.
Tuesday Tennessee was first to deploy VIPR simultaneously at five weigh stations and two bus stations across the state.
Agents are recruiting truck drivers, like Rudy Gonzales, into the First Observer Highway Security Program to say something if they see something.
"Not only truck drivers, but cars, everybody should be aware of what’s going on, on the road," said Gonzales.
Feel safer yet?
|
[Quote]:
Recent news stories (based on research by Stanford student Feross Aboukhadijeh) state that an Adobe bug made it possible for remote sites to turn on a viewer’s camera and microphone. That sounds bad enough, but that’s not the really disturbing part. Consider this text from the Register article:
Adobe said on Thursday it was planning to fix the vulnerability, which stems from flaws in the Flash Player Settings Manager. The panel, which is used to designate which sites may access feeds from an enduser’s camera and mic, is delivered in the SWF format used by Flash.
…
Because the settings manager is hosted on Adobe servers, engineers were able to close the hole without updating enduser software, company spokeswoman Wiebke Lips said.
That’s right — code on a remote computer somewhere decides whether or not random web sites can spy on you. If someone changes that code, accidentally or deliberately, your own computer has just been turned into a bug, without any need for them to attack your machine.
From a technical perspective, it’s simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe’s servers.
The policy side is even worse. What if the FBI wanted to bug you? Could they get a court order compelling Adobe to make an access control decision that would turn on your microphone?
[Quote]:
We’ve seen before that organizations don’t seem to react well to outside security folks pointing out vulnerabilities in their systems. They very often take a “blame the messenger” approach — as if pointing out a flaw suddenly makes that flaw come into existence. But one company seems to be taking it to another level. That Anonymous Coward points us to a story in which a security professional found a big and ridiculously obvious bug in the website of an Australian investment fund, First State Superannuation. Apparently you could see other people’s accounts by merely changing the account numbers in the URL. Increase the number by one, and see the next user in line. This is the kind of extraordinarily basic mistake that I thought had been eradicated a decade ago. Apparently not.
But the company that runs the fund, Pillar, went quite crazy about this. While the company did fix the security hole, it also sent the police to interrogate the security researcher, Patrick Webster. Pillar also sent a letter to customers (pdf) in which it suggests that Webster created this massive security flaw, rather than their own dreadful programming:
It has come to our attention that a member of First State Super, who has online access to their account, devised a way to view an image of your statement.
And then, to add insult to injury, Pillar sent Webster a letter saying he broke the law, they were closing his account, and may seek money from him to fix the vulnerability.
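The account-number flaw described in the post above, as an added example (not Pillar's or First State Super's code, with all names and data constructed): the lookup keyed only on the number in the URL, the hardened lookup that ties the record to the logged-in member, a regression check that counts how many statements a handler hands to one session, and a server-side detection over constructed access-log entries.

```python
"""Insecure direct object reference (IDOR) in a statement lookup, beside its
fix. Added illustration only; the Session type, account numbers and
statements are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    member_id: str  # hypothetical: the member the login cookie maps to


class NotFound(Exception):
    pass


# Constructed sample data: account number -> (owner member id, statement text)
STATEMENTS = {
    "100200": ("m-alice", "Alice: balance $42,000"),
    "100201": ("m-bob", "Bob: balance $17,500"),
}


def statement_vulnerable(session: Session, account_number: str) -> str:
    """The flawed pattern: the URL parameter alone selects the record, so any
    logged-in member can read any statement by changing the number."""
    if account_number not in STATEMENTS:
        raise NotFound(account_number)
    return STATEMENTS[account_number][1]


def statement_hardened(session: Session, account_number: str) -> str:
    """Object-level authorization: the record must belong to the session's
    member. Missing and not-owned both raise NotFound, so the response does
    not reveal whether a given account number exists."""
    record = STATEMENTS.get(account_number)
    if record is None or record[0] != session.member_id:
        raise NotFound(account_number)
    return record[1]


def statements_visible_to(handler, session: Session, start: int, count: int) -> int:
    """Regression check: how many statements `handler` returns to `session`
    over `count` consecutive account numbers. A correct handler returns at
    most the member's own accounts."""
    visible = 0
    for n in range(start, start + count):
        try:
            handler(session, str(n))
            visible += 1
        except NotFound:
            pass
    return visible


def sessions_reading_many_accounts(access_log, threshold: int) -> set:
    """Server-side detection: sessions that requested more than `threshold`
    distinct account numbers. Each entry is a constructed
    (session_id, account_number) pair from the web server's access log."""
    seen = defaultdict(set)
    for session_id, account_number in access_log:
        seen[session_id].add(account_number)
    return {s for s, accounts in seen.items() if len(accounts) > threshold}
```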
|
[Quote]:
A virus has made its way into the operating center of the US drone fleet — and no one is quite sure what the infection is up to. The virus runs a keylogger that records every movement of the people operating our drones. So far, it hasn’t tried to make contact with any outside source to transmit that information.
Ruh-oh. I’m sure the computers in the operating center are not connected to the Internet, right? Right?
|
[Quote]:
In what appears to be a crucial false-positive, Microsoft’s security tools are removing Chrome from Windows machines, marking it as a variant of the notorious Zeus (Zbot) malware family.
*grabs popcorn*

[Quote]:
You may have heard about the Cellebrite cell phone extraction device (UFED) in the news lately. It gives law enforcement officials the ability to access all the information on your cell phone within a few short minutes. When it became known that Michigan State Police had been using the tool to access cell phones during traffic stops, it raised concern with the ACLU. Now, everyone is wondering if cops will be using devices like this elsewhere. Will this new law enforcement tool be abused, or will it be used responsibly in the pursuit of justice?
Call us paranoid, but we obtained a law-enforcement-grade software extraction tool for the iPhone to see exactly what data is up for grabs. You’d be surprised to see just how much data today’s smartphones can store — and police can access.
The weird thing is, it can also insert data. See: http://www.cellebrite.com/images/stories/ufed%202/UFED_PA_user_guide.pdf, starting under “Create a new call”.
What court would ever accept anything produced by this software as evidence?
I guess I’ll have to start carrying around a second phone so I can hand over innocent data…
The United States is looking at building fences along the border with Canada to help keep out terrorists and other criminals.
…
Ironically, the moves come as Canada and the U.S. try to finalize a perimeter security arrangement that would focus on continental defences while easing border congestion. It would be aimed at speeding passage of goods and people across the Canada-U.S. border, which has become something of a bottleneck since the 9/11 terrorist attacks.
The line formerly known as the Longest Undefended Border in the World is crossed, at Buffalo, by the Peace Bridge. Should this be renamed the Bridge of Uneasy Vigilance?

Mexico-US border fence
[Quote]:
Het bedrijf Diginotar is dinsdag failliet verklaard. Dat heeft het moederbedrijf Vasco Data Security bekendgemaakt.
Translation: Diginotar is bankrupt.
[Quote]:
"If you’re not doing anything wrong, you have nothing to worry about."
Many Americans have said this, or heard it, when discussing the expanded surveillance capabilities the government has claimed since 9/11.
[..]
The question should be, “If you’re not doing anything wrong, why is the government snooping on you?”
|
[Quote]:
TAHERI-AZAR’S INCOMPETENCE as a terrorist is bewildering. Surely someone who was willing to kill and die for his cause, spending months contemplating an attack, could have found a more effective way to kill people. Why wasn’t he able to obtain a firearm or improvise an explosive device or try any of the hundreds of murderous schemes that we all know from movies, television shows, and the Internet, not to mention the news? And once Taheri-Azar decided to run people over with a car, why did he pick a site with so little room to accelerate?
Even more bewildering is that we don’t see more terrorism of this sort, a decade into the "global war on terror" launched by the United States in response to the attacks of Sept. 11, 2001. If every car is a potential weapon, then why aren’t there more automotive attacks? Car bombs have been around since the 1920s, when the first one was detonated on Wall Street in New York City, but they require a fair bit of skill. Drive-through murder, on the other hand, takes very little skill at all. People have been killing people with cars ever since the automobile was invented, and the political use of automotive assault was immortalized in a famous 1966 film, The Battle of Algiers, in which two Algerian revolutionaries drive into a bus stand full of French settlers. Yet very few people resort to this accessible form of terrorism. Out of several million Muslims in the United States, it appears that Taheri-Azar was the first to attempt this sort of attack; so far he has been followed by two possible copycats, leading to one fatality.
[Quote]:
Belgian security firm GlobalSign has temporarily stopped issuing authentication certificates for secure websites.
It comes after an anonymous hacker claimed to have gained access to the company’s servers.
If confirmed, it would be the second security breach at a European certificate authority in two months.
Hundreds of bogus DigiNotar authentications were issued following an intrusion into its systems.
According to the State Department’s recent report, fifteen American private citizens died in terrorist attacks in 2010: thirteen in Afghanistan and one each in Iraq and Uganda.
More people die of peanut allergy each year.
[Quote]:
Here is an important question: What single organization is responsible for more terror plots in the USA than any other?
Possible answers: Al Qaida. That would no doubt be the popular answer but it would be wrong. The KKK. Way past their prime, so that is not it. The Jewish Defense League. Good guess, but still not it. So what is the correct answer?
It is the Federal Bureau of Investigation, AKA the FBI. Don’t believe me? Well, just read Trevor Aaronson’s expose entitled “The Informants” published in the September/October 2011 issue of Mother Jones.
|
[Quote]:
It would appear that a Florida bank has been the victim of a $13 million ATM heist, but just how did the cyber-robbers pull it off?
Although the security breach which led to the ATM fraud itself seems to have taken place in March, and was disclosed in the first quarter earnings statement for Fidelity National Information Services Inc (FIS) back in May, details of exactly what happened are only just starting to leak from the FBI probe that followed.
[Quote]:
The LA Times, and most people who denounce these spending "inefficiencies," have the causation backwards: fighting Terrorism isn’t the goal that security spending is supposed to fulfill; the security spending (and power vested by surveillance) is the goal itself, and Terrorism is the pretext for it. For that reason, whether the spending efficiently addresses a Terrorism threat is totally irrelevant.
|
Perhaps a step in the story was omitted?
4A. Several screeners gather in a checkpoint bathroom and combust some of the material.
Hence, step 5.