Category Archives: security

Court decision on TSA searches

I just saw Bruce Schneier’s blog post on a ruling I’m glad to see- a US District Court, in a ruling last month, that TSA is authorized to search for weapons and explosives, and nothing more. Fake passports taken from a passenger in the case were tossed out as evidence.

“The extent of the search went beyond the permissible purpose of detecting weapons and explosives and was instead motivated by a desire to uncover contraband evidencing ordinary criminal wrongdoing,” Judge Marbley wrote.

It will be interesting to see if there are moves to better train the TSA screeners in the future, or a legislative reaction expanding the powers granted. (um, how far away is that mid-term election again…? :-)

Wired: “The Untold Story of the World’s Biggest Diamond Heist”

Wow.

In February 2003, Notarbartolo was arrested for heading a ring of Italian thieves. They were accused of breaking into a vault two floors beneath the Antwerp Diamond Center and making off with at least $100 million worth of loose diamonds, gold, jewelry, and other spoils. The vault was thought to be impenetrable. It was protected by 10 layers of security, including infrared heat detectors, Doppler radar, a magnetic field, a seismic sensor, and a lock with 100 million possible combinations. The robbery was called the heist of the century, and even now the police can’t explain exactly how it was done.

“PKI-me-harder”

The saag list has a thread discussing “SHA-1 to SHA-n transition”, with all the expected bumps, wrinkles, and sad realities. But entertaining and thoughtful. My favorite comment at the moment is one of Peter Gutmann’s:

It looks like we’re nowhere near admitting that we have a
problem yet if the response to the failure of PKI is PKI-me-harder.

It’s a little like the problem of building a boat in your basement, and then seeing you can’t get it out. Is this a design issue, a deployment issue, or have we fundamentally misunderstood the project? (Once you add local zoning and construction regulations, it’s not long before you wish you’d never started this damn boat.)

Big Brother gets Big Shoulders

Mayor Daley has argued that security and terrorism won’t be an issue if his Olympic dreams come true because, by 2016, there will be a surveillance camera on every street corner in Chicago.

Wow.

During a December test, live video was used to catch a petty thief in the act of sticking his hand in a Salvation Army kettle outside Macy’s on State Street.

I would respectfully suggest that Chicago would do better to install monitoring cameras in the offices of politicians.

Mayor Daley needs to think beyond his next law-and-order bumper sticker. The experience in London is nothing we should seek to imitate. As Timothy Garton Ash writes in The Guardian, Liberty in Britain is facing death by a thousand cuts.

The East Germans are now more free than we are, at least in terms of law and administrative practice in such areas as surveillance and data collection. Thirty years ago, they had the Stasi. Today, Britain has such broadly drawn and elastic surveillance laws that Poole borough council could exploit them to spend two weeks spying on a family wrongly accused of lying on a school application form.

Jedi Bathroom Tricks

I’ve passed through Amsterdam’s Schiphol Airport a few times in my travels. Unbeknownst to me, I have been experimented on each time…

The flies in the men’s-room urinals of the Amsterdam airport have been enshrined in the academic literature on economics and psychology. The flies — images of flies, actually — were etched in the porcelain near the urinal drains in an experiment in human behavior.
After the flies were added, “spillage” on the men’s-room floor fell by 80 percent. “Men evidently like to aim at targets,” said Richard Thaler of the University of Chicago, an irreverent pioneer in the increasingly influential field of behavioral economics.

That’s pretty cool. I never knew this. This is the sort of thinking we need more of in tackling user-facing security problems. The biggest challenges aren’t math- people are the weak point in any system. If we can nudge people into doing the right thing, in any discipline, and amuse them along the way, we’ll have done the world a service.

Conference Crime

James Duncan Davidson describes his frightening experience with “A Postmodern Crime at TED2009“. Davidson, a professional photographer, was assaulted outside the conference by someone demanding his pass. I think it’s interesting to note that it was an “all-access pass to the show and to its attendees”.

I’ve put some thought over the last year or so into “personal threat modeling”, and have knocked around ideas for a presentation of some sort with friends.

What can we know about how very specific behavior exposes us to new threats? My context is as a technologist, and so the threat includes my personal technology, and the information/data I have spread between myself and my various toys.

Suppose that I wanted to steal information on Black & Decker’s latest electric screwdriver design. I might do my homework, and see when a B&D employee from their design group was giving a conference presentation, possibly easy task given that conference schedules are usually online. This might tell me useful things, like:

  1. Who my target is, often with a brief bio that may give me other useful intelligence.
  2. Where they will be at a specific time.
  3. Bonus: When they will have their laptop with them.

My challenge at this point, is to get into the conference and separate him from his laptop. Many opportunities exist in such high-distraction environments, and an all-access pass only makes this much, much easier. (For example, the “Speaker’s Lounge” is usually deliberately off in some quiet corner of the facility.)

Stealing such a laptop, with whatever email or other info I might find, is obviously just one sort of motive. I can imagine an attacker having a variety of goals that might make it well worth the time and risk of physically assaulting someone, particularly someone bearing a particularly privileged access pass. Industrial espionage is just the start of a long list of evil possibilities here.

Passport wardriving

Chris Paget demos a portable system to sniff RFID tags. A half-hour of cruising around San Francisco gave him 3 of the new EDL licenses, and a couple of passports… [video]

As usual, official reaction is either “no comment”, or “no problem”

He plans to release the code at the upcoming shmoocon. Leave your passport in your hotel room, boys and girls.

via The Register