not always so

Entries categorized as ‘law’

Court decision on TSA searches

July 14, 2009

I just saw Bruce Schneier’s blog post on a ruling I’m glad to see: a US District Court ruled last month that the TSA is authorized to search for weapons and explosives, and nothing more. Fake passports taken from a passenger in the case were tossed out as evidence.

“The extent of the search went beyond the permissible purpose of detecting weapons and explosives and was instead motivated by a desire to uncover contraband evidencing ordinary criminal wrongdoing,” Judge Marbley wrote.

It will be interesting to see if there are moves to better train the TSA screeners in the future, or a legislative reaction expanding the powers granted. (um, how far away is that mid-term election again…? :-)

Categories: law · security · society

Jaywalking

May 26, 2009

Need some graphics to explain things to the judge, after your next brush with the law? No worries, Patrick Crowley has you covered.

(Mac People: out solving real-world problems, and looking stylish while they do it.)

Categories: apple · innovation · law

Wired: “The Untold Story of the World’s Biggest Diamond Heist”

March 12, 2009

Wow.

In February 2003, Notarbartolo was arrested for heading a ring of Italian thieves. They were accused of breaking into a vault two floors beneath the Antwerp Diamond Center and making off with at least $100 million worth of loose diamonds, gold, jewelry, and other spoils. The vault was thought to be impenetrable. It was protected by 10 layers of security, including infrared heat detectors, Doppler radar, a magnetic field, a seismic sensor, and a lock with 100 million possible combinations. The robbery was called the heist of the century, and even now the police can’t explain exactly how it was done.

Categories: law · security · technology

UK police surveillance of political demonstrations

March 9, 2009

From The Guardian:

Photographs, names and video footage of people attending protests are routinely obtained by surveillance units and stored on an “intelligence system”. The Metropolitan police, which has pioneered surveillance at demonstrations and advises other forces on the tactic, stores details of protesters on Crimint, the general database used daily by all police staff to catalogue criminal intelligence. It lists campaigners by name, allowing police to search which demonstrations or political meetings individuals have attended.

Great.

Categories: law · society

Big Brother gets Big Shoulders

February 24, 2009

Mayor Daley has argued that security and terrorism won’t be an issue if his Olympic dreams come true because, by 2016, there will be a surveillance camera on every street corner in Chicago.

Wow.

During a December test, live video was used to catch a petty thief in the act of sticking his hand in a Salvation Army kettle outside Macy’s on State Street.

I would respectfully suggest that Chicago would do better to install monitoring cameras in the offices of politicians.

Mayor Daley needs to think beyond his next law-and-order bumper sticker. The experience in London is nothing we should seek to imitate. As Timothy Garton Ash writes in The Guardian, Liberty in Britain is facing death by a thousand cuts.

The East Germans are now more free than we are, at least in terms of law and administrative practice in such areas as surveillance and data collection. Thirty years ago, they had the Stasi. Today, Britain has such broadly drawn and elastic surveillance laws that Poole borough council could exploit them to spend two weeks spying on a family wrongly accused of lying on a school application form.

Categories: law · security · society · technology

YANAL

February 12, 2009

Paul Ohm in Freedom to Tinker:

With this post, I’m launching a new, (very) occasional series I’m calling YANAL, for “You Are Not A Lawyer.” In this series, I will try to disabuse computer scientists and other technically minded people of some commonly held misconceptions about the law (and the legal system).

I’ve worked with law enforcement folks on a number of occasions, and have generally been surprised/impressed at the level of concern for civil rights, and appreciation of wider societal issues. Government abuse of civil rights absolutely happens, without any question. But as an ornery civil rights advocate, I have to say I’ve met mostly good people, who are trying to do a difficult and complex job as well as possible.

That said, you should expect the cops to understand the rules of engagement very well (i.e., almost certainly better than you), and to aggressively use the tools available to them in building cases that prosecutors can turn into convictions.

See also “Eight reasons even the innocent shouldn’t talk to the police”, which should be mandatory viewing in high school social studies classes.

Categories: law · technology

Joe Biden’s Technology Voting Record

August 24, 2008

Learning more about Joe Biden’s voting record on various tech issues has not improved my mood. (My Inner Child is disillusioned enough, thank you…)

My initial reaction to Barack Obama’s choice of Joe Biden as his nominee for VP was pretty positive. Senator Biden has always seemed like a “good guy”, and I’ve found his outrage at various Bush Administration antics to be both amusing and reassuring.

(In these times, it really does seem that “if you’re not outraged, you’re not paying attention”… Biden is at least paying attention.)

But it seems maybe I was not… Declan McCullagh has an excellent Iconoclast post, discussing Joe Biden’s pro-RIAA, pro-FBI tech voting record.

I really failed to grasp what a central figure Biden has been in some of the major “freedom and privacy” fights over the last decade or so, and not in a good way.

On a number of issues relating to encryption, copyright law, government surveillance, and the cloud of Freedom Fail that is the Patriot Act, Senator Biden has come down on the side of restriction, censorship, and government control. Of course, positions do change, and some of the article’s examples are from some time back, but the list is not at all comforting.

(Hey, Jon Stewart! You’ve talked to the man… Next time, ask about all this, ok? We’re depending on you.)

I was very unhappy with Senator Obama’s vote to give retroactive immunity to telecoms in the FISA bill. My hope that he’d be bringing us something other than business as usual is back to near Zero.

Rather than engage in a real debate, it’s just easier to allow the administration to set every such issue on a firm foundation of Fear, Uncertainty, and Dread. The people should be afraid of terrorists, and the politicians afraid of being branded as soft on terrorists. So afraid, in fact, that we all forget that the point of this “American Experiment” was Freedom, and that the founding fathers were themselves very clear that this goal was not the path of quiet and safety.

Anyway, very displeased… there is just no way to get from Obama’s earlier statements on the matter to his vote in favor of this.

I’m pleased that Biden voted against the bill, in light of his other votes in this area, but I have little faith that anything useful is likely to happen regarding FISA.

Categories: law · security

Dorothy of Ruritania

August 21, 2008

While looking at a Scientific American report on “Technology’s Toll On Privacy And Security”, I saw an article by Dorothy Denning, noted apologist for the view that the government can only keep us safe if they have the keys to our underwear drawer.

Her contribution is short, and fairly gentle, as FUD goes:

The Web Ushers In New Weapons of War and Terrorism

Protesters, terrorists and warmongers have found the Internet to be a useful tool to achieve their goals. Who will bring law and order to cyberspace?

I wasn’t certain the picture was her at first, but that last line in the teaser had the familiar tone of panicked hand-wringing.

(There are strict laws about brewing and distilling, too… But if she’d said, “Home Brewers have found the Internet to be a useful tool to achieve their goals”, too many people would have caught on)

Professor Denning is smart. And I’m sure she means well.

If she was a History professor, however, she might better recall that our country wasn’t founded on the principle that law and order would make us safe. It was founded on the principle that, fed up with oppressive law, and some faraway parliament’s idea of order, We the People had to strike out on our own, if we were to have the freedom that is every person’s natural right.

Perry Metzger is also smart. And a good bit more amusing. While seeing what Professor Denning had been up to of late, I rediscovered this bit of whimsy, from back during the Crypto Wars. Light, short, and just enough clues for you to fill in the background, without having to relive the whole angst-ridden period.

Ruritania
A Parable by Perry E. Metzger

There was once a far away land called Ruritania, and in Ruritania there was a strange phenomenon — all the trees that grew in Ruritania were transparent. Now, in the days when people had lived in mud huts, this had not been a problem, but now high-tech wood technology had been developed, and in the new age of wood, everyone in Ruritania found that their homes were all 100% see through. Now, until this point, no one ever thought of allowing the police to spy on someone’s home, but the new technology made this tempting. This being a civilized country, however, warrants were required to use binoculars and watch someone in their home. The police, taking advantage of this, would get warrants to use binoculars and peer in to see what was going on. Occasionally, they would use binoculars without a warrant, but everyone pretended that this didn’t happen.

One day, a smart man invented paint…

Read the rest of Ruritania


Categories: history · law · security · technology

White Worms and the Shadow Police

August 16, 2008

Joel Hruska writes in Ars Technica about the arrest by Dutch authorities of two brothers, charged with creating the “Shadow” botnet.

One twist to the story is that the Dutch police worked with Kaspersky Labs on a way to force the botnet to “commit suicide”.

Reaching out to infected users and notifying them that they are, in fact, infected is a new twist, and it uses the spammers’ own work against them.

The idea of using malware against itself has been around a while, although this case may be the most public confirmed example. The wisdom of such “White Worms”, which use viral propagation of software to clean up and repair infected systems, has been debated for some time.

Dave Aitel, CTO of Immunity, called them “Nematodes – Beneficial Worms” in a 2005 presentation, explaining nematodes as “a phylum of primitive worm-like organisms often used to get rid of other pests”.

Bruce Schneier wrote about Benevolent Worms later that year, beginning with an assertion from a 2003 essay on the same subject:

A good software distribution mechanism has the following characteristics:

People can choose the options they want.
Installation is adapted to the host it’s running on.
It’s easy to stop an installation in progress, or uninstall the software.
It’s easy to know what has been installed where.

A successful worm, on the other hand, runs without the consent of the user. It has a small amount of code, and once it starts to spread, it is self-propagating, and will keep going automatically until it’s halted.

He concludes that, “Patching systems is fundamentally a human problem, and beneficial worms are a technical solution that doesn’t work.”

Nicholas Weaver and Dan Ellis, in a 2006 article for the USENIX magazine ;login:, agreed that “white worms don’t work”.

I have some small experience with this question, from an incident back when I was running MIT’s security team. We had discovered a compromised server, which was listening for connections from machines newly-compromised by a particular strain of malware, and handing out a configuration file to all comers.

We went looking for the malware itself, and got to know its design better, particularly the part of its own installation process which downloaded that configuration file.

At this point, one of the clever people on the security team had the idea to replace the file the server was giving out with something of our own design. We decided to try doing something useful…

When an infected machine downloaded the config file from the server at MIT (now acting as our double agent), the newly-compromised machine would happily send a mail message to a public-facing cyber-crime reporting address at the FBI…

Each message would contain information about the location and identity of the victim machine, explaining that it had been compromised by bad guys, and needed some help. We left the server running, gleefully handing out our new Trojan to newly compromised hosts, as a service to the community. (of course, we watched for any local machines that were requesting the file, and visited them as they turned themselves in.)

Some months later, in a conversation with a Boston FBI agent on another topic, I explained what we did, and asked if they’d seen any reports from the net due to our little trick.

The agent was quiet for a moment, and then said, “that was you guys??”

Apparently, the idea had been (very) successful, at least as far as generating a lot more traffic to the reporting address than they had ever expected to see… After agreeing it had been a clever and interesting thing to try, they asked that we take it down.

So yes, clever idea, and possibly of use in some edge cases. But I think that as a widespread strategy, it’s hard to get this sort of thing right. Picking a useful “white worm” behavior, while anticipating any dangerous or sub-optimal side effects, is just hard. As a “civilian” tool, it’s probably not the approach I’d use.

I do wonder about the cyberwar utility of this sort of thing. When there is already significant smoke in the room, it may be easier to consider viral responses, with hopefully beneficial effects. (and, perhaps, a higher tolerance for collateral damage)


Categories: law · security · technology

DEFCON talk on Charlie Card hacking blocked [updated]

August 11, 2008

CNET reports on yet another case of security-by-obscurity-by-court-order…

Three MIT students had planned to give a presentation at this year’s DEFCON, but the MBTA got a judge to issue a TRO preventing them from going ahead.

The presentation itself is available via the campus newspaper, as well as having been included in attendees’ conference materials.

Bruce Schneier recently wrote about the Mifare hacking paper that suffered a similar court challenge, although eventually allowed by the Dutch courts to be published.

The card system in Boston (and a number of other cities) uses the same technology, with the same weaknesses… (“Monoculture Bad”)

UPDATE: Discussion of the case in JOLT Digest, “An online companion to the Harvard Journal of Law & Technology”. (via saqib on The Cryptography Mailing List)

UPDATE: Nice overview from Ars Technica, highlighting the First Amendment issues in play here.

UPDATE: EFF Press Release: Judge Lifts Unconstitutional Gag Order Against MIT Students

The court found that the Massachusetts Bay Transportation Agency (MBTA) had no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency’s request for a five-month injunction. In papers filed yesterday, the MBTA acknowledged for the first time that their Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.

Note that the MBTA suit is still alive, even though at least one judge apparently understands it to be a weak case. I hope that if it isn’t dropped, the expense involved comes up in the looming fare increase debate…


UPDATE: Popular Mechanics interview with Zack Anderson, one of the MIT students, on how this went down, and what happens now.

What happens next? There’s still a lawsuit from the MBTA, right?
Probably the next thing is, hopefully at this point we’ll be able to settle this and make it go away. If not, we’re going to have to file a motion to dismiss the case, but I think, and I definitely hope, that things are kind of over now. We didn’t give the talk, which was I think a primary aim that they had. That was effective on their part.

Categories: law · technology