not always so

Entries tagged as ‘security’

Court decision on TSA searches

July 14, 2009

I just saw Bruce Schneier’s blog post on a ruling I’m glad to see: a US District Court held last month that TSA is authorized to search for weapons and explosives, and nothing more. Fake passports taken from a passenger in the case were tossed out as evidence.

“The extent of the search went beyond the permissible purpose of detecting weapons and explosives and was instead motivated by a desire to uncover contraband evidencing ordinary criminal wrongdoing,” Judge Marbley wrote.

It will be interesting to see if there are moves to better train the TSA screeners in the future, or a legislative reaction expanding the powers granted. (um, how far away is that mid-term election again…? :-)

Categories: law · security · society

Big Brother gets Big Shoulders

February 24, 2009


Mayor Daley has argued that security and terrorism won’t be an issue if his Olympic dreams come true because, by 2016, there will be a surveillance camera on every street corner in Chicago.

Wow.

During a December test, live video was used to catch a petty thief in the act of sticking his hand in a Salvation Army kettle outside Macy’s on State Street.

I would respectfully suggest that Chicago would do better to install monitoring cameras in the offices of politicians.

Mayor Daley needs to think beyond his next law-and-order bumper sticker. The experience in London is nothing we should seek to imitate. As Timothy Garton Ash writes in The Guardian, Liberty in Britain is facing death by a thousand cuts.

The East Germans are now more free than we are, at least in terms of law and administrative practice in such areas as surveillance and data collection. Thirty years ago, they had the Stasi. Today, Britain has such broadly drawn and elastic surveillance laws that Poole borough council could exploit them to spend two weeks spying on a family wrongly accused of lying on a school application form.

Categories: law · security · society · technology

Jedi Bathroom Tricks

February 10, 2009

I’ve passed through Amsterdam’s Schiphol Airport a few times in my travels. Unbeknownst to me, I have been experimented on each time…

The flies in the men’s-room urinals of the Amsterdam airport have been enshrined in the academic literature on economics and psychology. The flies — images of flies, actually — were etched in the porcelain near the urinal drains in an experiment in human behavior.
After the flies were added, “spillage” on the men’s-room floor fell by 80 percent. “Men evidently like to aim at targets,” said Richard Thaler of the University of Chicago, an irreverent pioneer in the increasingly influential field of behavioral economics.

That’s pretty cool. I never knew this. This is the sort of thinking we need more of in tackling user-facing security problems. The biggest challenges aren’t math; people are the weak point in any system. If we can nudge people into doing the right thing, in any discipline, and amuse them along the way, we’ll have done the world a service.

Categories: innovation · mind · science · security

Conference Crime

February 8, 2009

James Duncan Davidson describes his frightening experience with “A Postmodern Crime at TED2009”. Davidson, a professional photographer, was assaulted outside the conference by someone demanding his pass. I think it’s interesting to note that it was an “all-access pass to the show and to its attendees”.

I’ve put some thought over the last year or so into “personal threat modeling”, and have knocked around ideas for a presentation of some sort with friends.

What can we know about how very specific behavior exposes us to new threats? My context is as a technologist, and so the threat includes my personal technology, and the information/data I have spread between myself and my various toys.

Suppose that I wanted to steal information on Black & Decker’s latest electric screwdriver design. I might do my homework, and see when a B&D employee from their design group was giving a conference presentation, possibly an easy task given that conference schedules are usually online. This might tell me useful things, like:

  1. Who my target is, often with a brief bio that may give me other useful intelligence.
  2. Where they will be at a specific time.
  3. Bonus: When they will have their laptop with them.

My challenge at this point is to get into the conference and separate him from his laptop. Many opportunities exist in such high-distraction environments, and an all-access pass only makes this much, much easier. (For example, the “Speaker’s Lounge” is usually deliberately off in some quiet corner of the facility.)

Stealing such a laptop, with whatever email or other info I might find, is obviously just one sort of motive. I can imagine an attacker having a variety of goals that might make it well worth the time and risk of physically assaulting someone, especially someone bearing a particularly privileged access pass. Industrial espionage is just the start of a long list of evil possibilities here.

Categories: security · technology

Passport wardriving

February 3, 2009

Chris Paget demos a portable system to sniff RFID tags. A half-hour of cruising around San Francisco gave him 3 of the new EDL licenses, and a couple of passports… [video]

As usual, official reaction is either “no comment” or “no problem”.

He plans to release the code at the upcoming ShmooCon. Leave your passport in your hotel room, boys and girls.

via The Register

Categories: security · technology

Hard-core iPhone tricks

December 2, 2008

The Crave blog over at CNET News has a great post on a Hanoi entrepreneur’s cell phone service/repair shops, and the brisk business they are doing unlocking 3G iPhones. If this sounds boring, you are probably not familiar with the process necessary to unlock this particular phone:

The technician then extracted the baseband chip, the component that controls the connection between the phone and the mobile network, from the motherboard. (This is a painstaking task as the chip is strongly glued to the phone’s motherboard. A mistake during this process could brick the phone completely.)

Once the chip was extracted, it was Tuan Anh’s turn. He used a chip reader to read information into a file. He then used a Hex editor to remove the locking data from the file, and after that, the chip got reprogrammed with the newly altered file. Now it was no longer programmed to work with only a specific provider.

Pretty hard-core. Once the soldering irons come out, you have left the Mall kiosks behind…

Hat tip to Perry Metzger and the cryptography list for the link, and the reminder that, given proper motivation, people will do unexpected and unauthorized things with technology. Assuming otherwise usually fails.

Categories: innovation · security · technology

Red Hat’s signing key compromise

August 27, 2008

Systems responsible for digitally signing binary distributions are obviously high-value targets for attackers. Red Hat recently detected such an intrusion, and it was determined that the intruder was able to sign a small number of OpenSSH packages. (Red Hat has released a script to detect the affected packages.)

I haven’t seen an analysis yet, but you have to assume those packages have a high probability of malicious intent…

eWeek has a good overview, Red Hat Digital Keys Violated by Intruder, and related coverage is easy to find. This is a good example of the PR and systems impact of such breaches, and an excellent reminder that our notion of “malicious insider” has to include the people trusted by the people we trust (or the systems trusted by the systems we trust).

Categories: security · technology

Dorothy of Ruritania

August 21, 2008

While looking at a Scientific American report on “Technology’s Toll On Privacy And Security”, I saw an article by Dorothy Denning, noted apologist for the view that the government can only keep us safe if they have the keys to our underwear drawer.

Her contribution is short, and fairly gentle, as FUD goes:

The Web Ushers In New Weapons of War and Terrorism

Protesters, terrorists and warmongers have found the Internet to be a useful tool to achieve their goals. Who will bring law and order to cyberspace?

I wasn’t certain the picture was her at first, but that last line in the teaser had the familiar tone of panicked hand-wringing.

(There are strict laws about brewing and distilling, too… But if she’d said, “Home brewers have found the Internet to be a useful tool to achieve their goals”, too many people would have caught on.)

Professor Denning is smart. And I’m sure she means well.

If she were a history professor, however, she might better recall that our country wasn’t founded on the principle that law and order would make us safe. It was founded on the principle that, fed up with oppressive law, and some faraway parliament’s idea of order, We the People had to strike out on our own, if we were to have the freedom that is every person’s natural right.

Perry Metzger is also smart. And a good bit more amusing. While seeing what Professor Denning had been up to of late, I rediscovered this bit of whimsy, from back during the Crypto Wars. Light, short, and with just enough clues for you to fill in the background, without having to relive the whole angst-ridden period.


Ruritania
A Parable by Perry E. Metzger

There was once a far away land called Ruritania, and in Ruritania there was a strange phenomenon — all the trees that grew in Ruritania were transparent. Now, in the days when people had lived in mud huts, this had not been a problem, but now high-tech wood technology had been developed, and in the new age of wood, everyone in Ruritania found that their homes were all 100% see through. Now, until this point, no one ever thought of allowing the police to spy on someone’s home, but the new technology made this tempting. This being a civilized country, however, warrants were required to use binoculars and watch someone in their home. The police, taking advantage of this, would get warrants to use binoculars and peer in to see what was going on. Occasionally, they would use binoculars without a warrant, but everyone pretended that this didn’t happen.

One day, a smart man invented paint…

Read the rest of Ruritania


Categories: history · law · security · technology

DEFCON 16: List of tools and stuff released

August 19, 2008

Rob Fuller has a guest post on the Ziff-Davis Zero Day blog, collecting links to some of the tools released at DEFCON 16.

Before anyone has a chance to post “it’s all on the DEFCON CD dummy,” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.

At his own site, he includes a link to the DEFCON CD itself. (He notes that updates will be posted at his site, as he does not control the Zero Day blog.)


Categories: security

DEFCON talk on Charlie Card hacking blocked [updated]

August 11, 2008

CNET reports on yet another case of security-by-obscurity-by-court-order…

Three MIT students had planned to give a presentation at this year’s DEFCON, but the MBTA got a judge to issue a TRO preventing them from going ahead.

The presentation itself is available via the campus newspaper, as well as having been included in attendees’ conference materials.

Bruce Schneier recently wrote about the Mifare hacking paper that suffered a similar court challenge, although eventually allowed by the Dutch courts to be published.

The card system in Boston (and a number of other cities) uses the same technology, with the same weaknesses… (“Monoculture Bad”)

UPDATE: Discussion of the case in JOLT Digest, “An online companion to the Harvard Journal of Law & Technology”. (via saqib on The Cryptography Mailing List)

UPDATE: Nice overview from Ars Technica, highlighting the First Amendment issues in play here.

UPDATE: EFF Press Release: Judge Lifts Unconstitutional Gag Order Against MIT Students

The court found that the Massachusetts Bay Transportation Agency (MBTA) had no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency’s request for a five-month injunction. In papers filed yesterday, the MBTA acknowledged for the first time that their Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.

Note that the MBTA suit is still alive, even though at least one judge apparently understands it to be a weak case. I hope that if it isn’t dropped, the expense involved comes up in the looming fare increase debate…


UPDATE: Popular Mechanics interview with Zack Anderson, one of the MIT students, on how this went down, and what happens now.

What happens next? There’s still a lawsuit from the MBTA, right?
Probably the next thing is, hopefully at this point we’ll be able to settle this and make it go away. If not, we’re going to have to file a motion to dismiss the case, but I think, and I definitely hope, that things are kind of over now. We didn’t give the talk, which was I think a primary aim that they had. That was effective on their part.

Categories: law · technology