January 2012 Archives

Possibly the Most Incompetent TSA Story Yet

The storyline:

  1. TSA screener finds two pipes in passenger's bags.

  2. Screener determines that they're not a threat.

  3. Screener confiscates them anyway, because of their "material and appearance."

  4. Because they're not actually a threat, screener leaves them at the checkpoint.

  5. Everyone forgets about them.

  6. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able to explain how they got there and, presumably, because of their "material and appearance" -- calls the police bomb squad to remove the pipes.

  7. TSA does not evacuate the airport, or even close the checkpoint, because -- well, we don't know why.

I don't even know where to begin.

Posted on January 31, 2012 at 5:03 PM -- 81 Comments

Biases in Forensic Science

Some errors in forensic science may be the result of the biases of the examiners:

Though they cannot prove it, Dr Dror and Dr Hampikian suspect the difference in contextual information given to the examiners was the cause of the different results. The original pair may have subliminally interpreted ambiguous information in a way helpful to the prosecution, even though they did not consciously realise what they were doing.

[...]

This one example does not prove the existence of a systematic problem. But it does point to a sloppy approach to science. According to Norah Rudin, a forensic-DNA consultant in Mountain View, California, forensic scientists are beginning to accept that cognitive bias exists, but there is still a lot of resistance to the idea, because examiners take the criticism personally and feel they are being accused of doing bad science. According to Dr Rudin, the attitude that cognitive bias can somehow be willed away, by education, training or good intentions, is still pervasive.

Posted on January 31, 2012 at 11:13 AM -- 18 Comments

Liars and Outliers Update

According to my publisher, the book was printed last week and the warehouse is shipping orders to booksellers today. Amazon is likely to start shipping books on Thursday. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they'll ship copies as soon as they get them -- this ain't Harry Potter.) The Kindle edition is already shipping.

Those of you who ordered signed copies from me are likely going to have to wait a couple more weeks. My copies will arrive from the publisher eventually; then I will sign them and ship them on to you.

Reviews are starting to come out. I expect more in the coming month.

At the end of February, I'll be at the RSA Conference in San Francisco. In addition to my other speaking events, Davi Ottenheimer will interview me about the book at something called The Author's Studio. I'll be doing two one-hour book signings at the conference bookstore. And, and this is the best news of all, HP has bought 1,000 copies of the book and will be giving them away at their booth. I'll be doing a couple of signings there as well.

Posted on January 30, 2012 at 1:59 PM -- 44 Comments

British Tourists Arrested in the U.S. for Tweeting

Does this story make sense to anyone?

The Department of Homeland Security flagged him as a potential threat when he posted an excited tweet to his pals about his forthcoming trip to Hollywood which read: 'Free this week, for quick gossip/prep before I go and destroy America'.

After making their way through passport control at Los Angeles International Airport (LAX) last Monday afternoon the pair were detained by armed guards.

Despite telling officials the term 'destroy' was British slang for 'party', they were held on suspicion of planning to 'commit crimes' and had their passports confiscated.

There just has to be more to this story. The DHS isn't monitoring the Tweets of random British tourists -- they just can't be.

EDITED TO ADD (1/30): According to DHS documents received by EPIC, the DHS monitors the Internet, including social media.

In February 2011, the Department of Homeland Security announced that the agency planned to implement a program that would monitor media content, including social media data. The proposed initiatives would gather information from "online forums, blogs, public websites, and message boards" and disseminate information to "federal, state, local, and foreign government and private sector partners." The program would be executed, in part, by individuals who established fictitious usernames and passwords to create covert social media profiles to spy on other users. The agency stated it would store personal information for up to five years.

[...]

The records reveal that the DHS is paying General Dynamics to monitor the news. The agency instructed the company to monitor for "[media] reports that reflect adversely on the U.S. Government, DHS, or prevent, protect, respond government activities."

[...]

The DHS instructed the company to "Monitor public social communications on the Internet." The records list the websites that will be monitored, including the comments sections of [The New York Times, The Los Angeles Times, the Huffington Post, the Drudge Report, Wired, and ABC News.]"

Still, I have trouble believing that this is what happened. For this to work General Dynamics would have had to monitor Twitter for key words. ("Destroy America" is certainly a good key word to search for.) Then, they would have to find out the real name associated with the Twitter account -- unlike Facebook or Google+, Twitter doesn't have real name information -- so the TSA could cross-index that name with the airline's passenger manifests. Then the TSA has to get all this information into the INS computers, so that the border control agent knows to detain him. Sure, it sounds straightforward, but getting all those computers to talk to each other that fast isn't easy. There has to be more going on here.

EDITED TO ADD (1/30): One reader points out that this story is from the Daily Mail, and that it's prudent to wait for some more reputable news source to report the story.

EDITED TO ADD (1/30): There's another story from The Register, but they're just using the Daily Mail.

EDITED TO ADD (1/30): The FBI is looking for someone to build them a system that can monitor social networks.

The information comes from a document released on 19 January looking for companies who might want to build a monitoring system for the FBI. It spells out what the bureau wants from such a system and invites potential contractors to reply by 10 February.

The bureau's wish list calls for the system to be able to automatically search "publicly available" material from Facebook, Twitter and other social media sites for keywords relating to terrorism, surveillance operations, online crime and other FBI missions. Agents would be alerted if the searches produce evidence of "breaking events, incidents, and emerging threats."

Agents will have the option of displaying the tweets and other material captured by the system on a map, to which they can add layers of other data, including the locations of US embassies and military installations, details of previous terrorist attacks and the output from local traffic cameras.

EDITED TO ADD (1/30): New reports are saying that customs was tipped off about the two people, and their detention was not a result of data mining:

"Based on information provided by the LAX Port Authority Infoline -- a suspicious activity tipline -- CBP conducted a secondary interview of two subjects presenting for entry into the United States," says the spokesperson, who notes that the CBP "denies entry to thousands of individuals" each year. "Information gathered during this interview revealed that both individuals were inadmissible to the United States and were returned to their country of residence."

This makes a lot more sense to me.

Posted on January 30, 2012 at 10:52 AM -- 113 Comments

The Nature of Cyberwar

This was pretty good, I thought:

However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider:

  1. The Internet is an artificial environment that can be shaped in part according to national security requirements.

  2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.

  3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.

  4. Software updates and network reconfigurations change cyberbattle space unpredictably and without warning.

  5. Contrary to our historical understanding of war, cyberconflict favors the attacker.

  6. Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.

  7. The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation.

  8. The "quiet" nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it.

  9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.

  10. There are few moral inhibitions to cyberattacks, because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering.

Posted on January 30, 2012 at 6:02 AM -- 31 Comments

Password Sharing Among American Teenagers

Interesting article from the New York Times on password sharing as a show of affection.

"It's a sign of trust," Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. "I have nothing to hide from him, and he has nothing to hide from me."

"That is so cute," said Cherry Ng, 16, listening in to her friend's comments to a reporter outside school. "They really trust each other."

"We do," said Ms. Carandang, 17. "I know he'd never do anything to hurt my reputation," she added.

It doesn't always end so well, of course. Changing a password is simple, but students, counselors and parents say that damage is often done before a password is changed, or that the sharing of online lives can be the reason a relationship falters.

Ethnologist danah boyd discusses what's happening:

For Meixing, sharing her password with her boyfriend is a way of being connected. But it's precisely these kinds of narratives that have prompted all sorts of horror by adults over the last week since that NYTimes article came out. I can't count the number of people who have gasped "How could they!?!" at me. For this reason, I feel the need to pick up on an issue that the NYTimes left out.

The idea of teens sharing passwords didn't come out of thin air. In fact, it was normalized by adults. And not just any adult. This practice is the product of parental online safety norms. In most households, it's quite common for young children to give their parents their passwords. With elementary and middle school youth, this is often a practical matter: children lose their passwords pretty quickly. Furthermore, most parents reasonably believe that young children should be supervised online. As tweens turn into teens, the narrative shifts. Some parents continue to require passwords be forked over, using explanations like "because I'm your mother." But many parents use the language of "trust" to explain why teens should share their passwords with them.

Much more in her post.

Related: a profile of danah boyd.

Posted on January 27, 2012 at 6:39 AM -- 43 Comments

Evidence on the Effectiveness of Terrorism

Readers of this blog will know that I like the works of Max Abrahms, and regularly blog them. He has a new paper (full paper behind paywall) in Defence and Peace Economics, 22:6 (2011), 583–94, "Does Terrorism Really Work? Evolution in the Conventional Wisdom since 9/11":

The basic narrative of bargaining theory predicts that, all else equal, anarchy favors concessions to challengers who demonstrate the will and ability to escalate against defenders. For this reason, post-9/11 political science research explained terrorism as rational strategic behavior for non-state challengers to induce government compliance given their constraints. Over the past decade, however, empirical research has consistently found that neither escalating to terrorism nor with terrorism helps non-state actors to achieve their demands. In fact, escalating to terrorism or with terrorism increases the odds that target countries will dig in their political heels, depriving the nonstate challengers of their given preferences. These empirical findings across disciplines, methodologies, as well as salient global events raise important research questions, with implications for counterterrorism strategy.

EDITED TO ADD (2/14): The paper.

Posted on January 26, 2012 at 10:36 AM -- 27 Comments

Federal Judge Orders Defendant to Decrypt Laptop

A U.S. federal judge has ordered a defendant to decrypt her laptop.

EDITED TO ADD (2/14): The ruling. And a good analysis.

Posted on January 25, 2012 at 1:56 PM -- 121 Comments

Supreme Court Rules that GPS Tracking Requires a Warrant

The U.S. Supreme Court has ruled that the police cannot attach a GPS tracking device to a car without a warrant.

EDITED TO ADD (1/26): It seems I was wrong when I said that the ruling forces the police to get a warrant before placing a GPS tracking device on a car. The ruling is much more complicated and nuanced.

Posted on January 25, 2012 at 12:54 PM -- 14 Comments

Research into an Information Security Risk Rating

The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals:

Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered every day and the industry needs a solution that enables a business to continuously monitor changing risk posture of all its partners and proactively manage assumed risks. The Phase II research objective is to build a scalable fully-automated ratings system. The research will focus on identifying and incorporating new data sources, improving the statistical properties of the ratings model, and making the ratings predictive of future behavior.

Historically, credit scoring has been a "cost and time-saving technology" that has provided tremendous value to lenders and borrowers alike by reducing costs, predicting future performance, and improving credit accessibility and affordability. Unlike credit scoring, no industry standard scoring service exists to rate businesses with respect to their information security risk. With Saperix's ratings service, businesses and government will have the potential to reap the same time and cost savings that lenders do from credit scoring services. If the research is successful, Saperix's solution would provide market incentives for improving security outcomes, which would be a significant change in how security investments are viewed by businesses.

I have no idea if this is snake oil or if it actually works, but note that this is a Phase II award. There was already a Phase I award, and the NSF must have liked the results from that.

Posted on January 25, 2012 at 6:44 AM -- 14 Comments

Using Plant DNA for Authentication

Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It's a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the systems that apply, detect, and verify the chemicals.

Posted on January 24, 2012 at 6:46 AM -- 12 Comments

Authentication by "Cognitive Footprint"

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.

I remember reading a science fiction story about a computer worm that searched for people this way: going from computer to computer, trying to identify a specific individual.

Posted on January 23, 2012 at 11:49 AM -- 41 Comments

Using False Alarms to Disable Security

I wrote about this technique in Beyond Fear:

Beginning Sunday evening, the robbers intentionally set off the gallery's alarm system several times without entering the building, according to police.

The security staffers on duty, who investigated and found no disturbances, subsequently disabled at least one alarm. The burglars then entered through a balcony door.

Posted on January 19, 2012 at 6:36 AM -- 36 Comments

Going Dark to Protest SOPA/PIPA

Tomorrow, from 8 am to 8 pm EST, this site, Schneier on Security, is going on strike to protest SOPA and PIPA. In doing so, I'll be joining Wikipedia (in English), BoingBoing, WordPress, and many others.

A list of participants, and HTML and JavaScript code for anyone who wants to participate, can be found here.


Posted on January 17, 2012 at 4:10 PM -- 50 Comments

The Importance of Good Backups

Thankfully, this doesn't happen very often:

A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings.

Posted on January 17, 2012 at 7:31 AM -- 25 Comments

PCI Lawsuit

This is a first:

...the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.

It’s the first known case to challenge the heart of the self-regulated PCI security standards -- a system that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.

The PCI standards are probably the biggest non-government security standard. It'll be interesting to see how this turns out.

Posted on January 16, 2012 at 9:58 AM -- 35 Comments

Friday Squid Blogging: Argentina Attempts a Squid Blockade against the Falkland Islands

Yet another story that combines squid and security.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on January 13, 2012 at 4:19 PM -- 45 Comments

Recovering a Hacked Gmail Account

Long (but well-written and interesting) story of someone whose Gmail account was hacked and erased, and eventually restored. Many interesting lessons about the security of largely support-free cloud services.

Posted on January 13, 2012 at 12:58 PM -- 33 Comments

"Going Dark" vs. a "Golden Age of Surveillance"

It's a policy debate that's been going on since the crypto wars of the early 1990s. The FBI, NSA, and other agencies continue to claim they're losing their ability to engage in surveillance: that it's "going dark." Whether the cause of the problem is encrypted e-mail, digital telephony, or Skype, the bad guys use it to communicate, so we need to pass laws like CALEA to force these services to be made insecure, so that the government can eavesdrop.

The counter-argument is the "Golden Age of Surveillance" -- that the massive increase of online data and Internet communications systems gives the government a far greater ability to eavesdrop on our lives. They can get your e-mail from Google, regardless of whether you use encryption. They can install an eavesdropping program on your computer, regardless of whether you use Skype. They can monitor your Facebook conversations, and learn things that just weren't online a decade ago. Today we all carry devices that track our locations 24/7: our cell phones.

In this essay, CDT fellows (and law professors) challenge the "going dark" metaphor and make the case for "the golden age of surveillance." Yes, wiretapping is harder; but so many other types of surveillance are easier.

A simple test can help the reader decide between the "going dark" and "golden age of surveillance" hypotheses. Suppose the agencies had a choice of a 1990-era package or a 2011-era package. The first package would include the wiretap authorities as they existed pre-encryption, but would lack the new techniques for location tracking, confederate identification, access to multiple databases, and data mining. The second package would match current capabilities: some encryption-related obstacles, but increased use of wiretaps, as well as the capabilities for location tracking, confederate tracking and data mining. The second package is clearly superior -- the new surveillance tools assist a vast range of investigations, whereas wiretaps apply only to a small subset of key investigations. The new tools are used far more frequently and provide granular data to assist investigators.

A longer and more detailed version of the same argument can be found in "Encryption and Globalization," forthcoming in the Columbia Science and Technology Law Review.

In a related story, there's a relatively new WikiLeaks data dump of documents related to government surveillance products.

Posted on January 13, 2012 at 6:58 AM -- 20 Comments

Abolish the Department of Homeland Security

I have a love/hate relationship with the Cato Institute. Most of their analysis I strongly disagree with, but some of it I equally strongly agree with. Last September 11 -- the tenth anniversary of 9/11 -- Cato's David Rittgers published "Abolish the Department of Homeland Security":

DHS has too many subdivisions in too many disparate fields to operate effectively. Agencies with responsibilities for counterfeiting investigations, border security, disaster preparedness, federal law enforcement training, biological warfare defense, and computer incident response find themselves under the same cabinet official. This arrangement has not enhanced the government's competence. Americans are not safer because the head of DHS is simultaneously responsible for airport security and governmental efforts to counter potential flu epidemics.

National defense is a key governmental responsibility, but focusing too many resources on trying to defend every potential terrorist target is a recipe for wasteful spending. Our limited resources are better spent on investigating and arresting aspiring terrorists. DHS responsibilities for aviation security, domestic surveillance, and port security have made it too easy for politicians to disguise pork barrel spending in red, white, and blue. Politicians want to bring money home to their districts, and as a result, DHS appropriations too often differ from what ought to be DHS priorities.

I agree with that. In fact, in 2003, when the country was debating a single organization that would be responsible for most (not all, since the Justice Department, the State Department, and the Department of Defense were too powerful to lose any pieces of themselves) of the country's counterterrorism efforts, I wrote:

Our nation may actually be less secure if the Department of Homeland Security eventually takes over the responsibilities of existing agencies. The last thing we want is for the Department of Energy, the Department of Commerce, and the Department of State to say: "Security; that's the responsibility of the DHS."

Security is the responsibility of everyone in government. We won't defeat terrorism by finding a single thing that works all the time. We'll defeat terrorism when every little thing works in its own way, and together provides an immune system for our society. Unless the DHS distributes security responsibility even as it centralizes coordination, it won't improve our nation's security.

Back to the Cato report:

The Department of Homeland Security should be abolished and its components reorganized into more practical groupings. The agencies tasked with immigration, border security, and customs enforcement belong under the same oversight agency, which could appropriately be called the Border Security Administration. The Transportation Security Administration and Federal Air Marshals Service should be abolished, and the federal government should end support for fusion centers. The remaining DHS organizations should return to their former parent agencies.

Hard to argue with most of that, although abolishing the TSA isn't a good idea. Airport security should be rolled back to pre-9/11 levels, but someone is going to have to be in charge of it. Putting the airlines in charge of it doesn't make sense; their incentives are going to be passenger service rather than security. Some government agency either has to hire the screeners and staff the checkpoints, or make and enforce rules for contractor-staffed checkpoints to follow.

Last November, the U.S. Congressional Republicans published a report very critical of the TSA: "A Decade Later: A Call for TSA Reform."

This report is an examination and critical analysis of the development, evolution, and current status and performance of TSA ten years after its creation. Since its inception, TSA has lost its focus on transportation security. Instead, it has grown into an enormous, inflexible and distracted bureaucracy, more concerned with human resource management and consolidating power, and acting reactively instead of proactively. As discussed more fully in the Recommendations section on page 18, TSA must realign its responsibilities as a federal regulator and focus on analyzing intelligence, setting screening and security standards based on risk, auditing passenger and baggage screening operations, and ensuring compliance with national screening standards.

In a related link, there's a response to a petition to abolish the TSA. The response is by TSA administrator John Pistole, so it's not the most objective piece of writing on the topic, and doesn't actually respond to the petition:

Why TSA Exists.

TSA was created two months after the September 11 terrorist attacks, when Congress passed the Aviation and Transportation Security Act (ATSA) [.pdf] to keep the millions of Americans who travel each day safe and secure across numerous modes of transportation.

Over the past 10 years, TSA has strengthened security by creating successful programs and deploying technologies that were not in place prior to September 11, while also taking steps whenever possible to enhance the passenger experience. Here are just a few of the many steps TSA has taken to strengthen our multi-layered approach to security....

[...]

Our Nation is safer and better prepared today because of these and other efforts of the Department of Homeland Security, TSA, and our federal, state, local and international partners. TSA is constantly identifying ways to continue to strengthen security and improve the passenger experience and appreciates the feedback of the public.

Pistole just assumes that what his organization is doing is important, and never even mentions how much it costs or whether it's worth it.

Posted on January 12, 2012 at 3:04 PM -- 54 Comments

TSA Cupcake Update

The TSA claims that the cupcake they confiscated was in a jar. So this is a less obviously stupid story than I previously thought.

EDITED TO ADD (1/13): The cupcake lady says the TSA is lying.

EDITED TO ADD (1/17): A bakery creates a TSA-compliant cupcake.

Posted on January 12, 2012 at 2:39 PM -- 34 Comments

A Theory of Online Jihadist Sites

Very interesting:

The counterterrorism community has spent years trying to determine why so many people are engaged in online jihadi communities in such a meaningful way. After all, the life of an online administrator for a hard-line Islamist forum is not as exciting as one might expect. You don't get paid, and you spend most of your time posting links and videos, commenting on other people's links and videos, and then commenting on other people's comments. So why do people like Abumubarak spend weeks and months and years of their time doing it? Explanations from scholars have ranged from the inherently compulsive and violent quality of Islam to the psychology of terrorists.

But no one seems to have noticed that the fervor of online jihadists is actually quite similar to the fervor of any other online group. The online world of Islamic extremists, like all the other worlds of the Internet, operates on a subtly psychological level that does a brilliant job at keeping people like Abumubarak clicking and posting away -- and amassing all the rankings, scores, badges, and levels to prove it. Like virtually every other popular online social space, the social space of online jihadists has become "gamified," a term used to describe game-like attributes applied to non-game activities. It turns out that what drives online jihadists is pretty much exactly what drives Internet trolls, airline ticket consumers, and World of Warcraft players: competition.

Posted on January 12, 2012 at 12:37 PM -- 22 Comments

Collecting Expert Predictions about Terrorist Attacks

John Mueller has been collecting them:

Some 116 of these Very People were surveyed in 2006 by Foreign Policy magazine in a joint project with the Center for America Progress. The magazine stressed that its survey drew from the "highest echelons of America’s foreign policy establishment" and included the occasional secretary of state and national security adviser, as well as top military commanders, seasoned members of the intelligence community, and academics and journalists of the most "distinguished" nature. Over three-quarters of them had been in government service, 41 percent for over ten years. The musings of this group, it was proposed, could provide "definitive conclusions" about the global war on terror.

The Very People were asked to put forward their considered opinions about how likely it was that "a terrorist attack on the scale of 9/11" would again occur in the United States by the end of 2011 -- that is, by last Saturday.

Fully 70 percent found it likely and another 9 percent proclaimed it to be certain. Only 21 percent, correctly as we now know, considered it unlikely.

I've never heard this particular quote before, and find it particularly profound:

In 2004, Russell Seitz plausibly proposed that "9/11 could join the Trojan Horse and Pearl Harbor among stratagems so uniquely surprising that their very success precludes their repetition"....

More predictions here.

Posted on January 10, 2012 at 6:56 AM -- 28 Comments

Stealing Source Code

Hackers stole some source code to Symantec's products. We don't know what was stolen or how recent the code is -- the company is, of course, minimizing the story -- but it's hard to get worked up about this. Yes, maybe the bad guys will comb the code looking for vulnerabilities, and maybe there's some smoking gun that proves Symantec's involvement in something sinister, but most likely Symantec's biggest problem is public embarrassment.

Posted on January 9, 2012 at 12:55 PM -- 36 Comments

The TSA Proves its Own Irrelevance

Have you wondered what $1.2 billion in airport security gets you? The TSA has compiled its own "Top 10 Good Catches of 2011":

10) Snakes, turtles, and birds were found at Miami (MIA) and Los Angeles (LAX). I’m just happy there weren’t any lions, tigers, and bears…

[...]

3) Over 1,200 firearms were discovered at TSA checkpoints across the nation in 2011. Many guns are found loaded with rounds in the chamber. Most passengers simply state they forgot they had a gun in their bag.

2) A loaded .380 pistol was found strapped to a passenger’s ankle with the body scanner at Detroit (DTW). You guessed it, he forgot it was there…

1) Small chunks of C4 explosives were found in a passenger’s checked luggage in Yuma (YUM). Believe it or not, he was bringing it home to show his family.

That's right; not a single terrorist on the list. Mostly forgetful, and entirely innocent, people. Note that they fail to point out that the firearms and knives would have been just as easily caught by pre-9/11 screening procedures. And that the C4 -- their #1 "good catch" -- was on the return flight; they missed it the first time. So only 1 for 2 on that one.

And the TSA decided not to mention its stupidest confiscations:

TSA confiscates a butter knife from an airline pilot. TSA confiscates a teenage girl's purse with an embroidered handgun design. TSA confiscates a 4-inch plastic rifle from a GI Joe action doll on the grounds that it’s a "replica weapon." TSA confiscates a liquid-filled baby rattle from airline pilot’s infant daughter. TSA confiscates a plastic "Star Wars" lightsaber from a toddler.

In related news, here's a rebuttal of the Vanity Fair article about the TSA and airline security that featured me. I agree with the two points at the end of the post; I just don't think it changes any of my analysis.

Posted on January 9, 2012 at 6:00 AM -- 117 Comments

Time to Patch Your HP Printers

It's a serious vulnerability. Note that this is the research that was mistakenly reported as allowing hackers to set your printer on fire.

Here's a list of all the printers affected.

Posted on January 6, 2012 at 1:50 PM -- 22 Comments

Improving the Security of Four-Digit PINs on Cell Phones

The author of this article notices that it's often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits.

Then he points out that if your PIN has only three different digits -- 1231, for example -- the PIN can be one of 36 different possibilities.

So it is more secure, although not by much.
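To make the counting concrete, here is an added example (written for this post, not code from the article or its author) that enumerates the candidate set an attacker is left with once a smudge reveals which digits were pressed. It goes slightly beyond the text: besides the 24 (four distinct digits) and 36 (three distinct digits) cases, it also covers PINs built from two or one distinct digits, and gives the closed-form count by inclusion-exclusion so the numbers can be checked without brute force. The PIN length of 4 and the sample digit sets are assumptions for illustration.

```python
from itertools import product
from math import comb, log2

PIN_LENGTH = 4  # the article discusses four-digit phone PINs (assumed here)


def candidate_pins(smudged_digits, length=PIN_LENGTH):
    """Every PIN of the given length that uses each smudged digit at least once.

    A smudge reveals *which* digits were pressed, but neither their order nor
    how many times each was pressed, so this list is exactly the attacker's
    remaining search space.
    """
    digits = sorted(set(smudged_digits))
    wanted = set(digits)
    return [''.join(p) for p in product(digits, repeat=length)
            if set(p) == wanted]


def candidate_count(distinct_digits, length=PIN_LENGTH):
    """Closed form for len(candidate_pins(...)): the number of surjections from
    `length` positions onto `distinct_digits` symbols, by inclusion-exclusion."""
    k = distinct_digits
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


def search_space_report(length=PIN_LENGTH):
    """Map number-of-distinct-smudged-digits -> (candidates, bits of entropy).

    Key 0 stands for 'no smudge information at all' (the full 10**length space).
    """
    full = 10 ** length
    report = {0: (full, log2(full))}
    for k in range(1, length + 1):
        n = candidate_count(k, length)
        report[k] = (n, log2(n))
    return report


if __name__ == "__main__":
    for k, (n, bits) in search_space_report().items():
        print(f"{k} distinct digits visible: {n:5d} candidates ({bits:.2f} bits)")
    # The article's own example: 1231 uses three distinct digits.
    print("1231 is among the candidates for smudge {1,2,3}:",
          "1231" in candidate_pins("123"))
```

The report makes the article's point quantitative: with four distinct digits visible the PIN keeps about 4.6 bits of uncertainty, a repeated digit raises that to about 5.2 bits, and neither is close to the 13.3 bits of an unsmudged four-digit space, which is the argument for wiping the screen rather than for choosing cleverer PINs.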

Posted on January 6, 2012 at 6:30 AM -- 46 Comments

Liars and Outliers News

The Liars and Outliers webpage is live. On it you can find links to order both paper and e-book copies from a variety of online retailers, and signed copies directly from me. I've also posted the jacket copy, the table of contents, the first chapter, the 15 figures from the book, an image of the full wraparound cover, and all the blurbs for the book.

Last week, I chose 10 winners from the 278 people who entered the drawing for a free galley copy. Those copies have all been mailed, as have copies to potential book reviewers.

Several readers suggested that I auction some copies, and I'm going to do that now. I have two galley copies that I will auction to the two highest bidders. This is a charity auction; the proceeds from one copy will go to EFF and the other to EPIC. Leave bids in the comments below. The auction closes at the end of the day on Wednesday, January 11. (I am deliberately being sloppy about this. I'm happy to let the bidding go if it will raise more money, but eventually I'm going to call things to a close.) So check the comments for the high bidders, and please contribute to these organizations that are doing a lot to keep the Internet -- and the whole information age -- open and free.

EDITED TO ADD (1/5): There's only one auction. The top two bidders will win, and the proceeds will be split between EPIC and EFF. There's no reason to specify an organization in the bidding.

EDITED TO ADD (1/12): The winners are Tom Ehlert and Manasi. Can both of you please contact me.

Posted on January 5, 2012 at 1:39 PM -- 41 Comments

Sending Coded Messages with Postage Stamps

The history of coded messages in postage-stamp placement. I wonder how prevalent this actually was. My guess is that it was more a clever idea than an actual signaling system. And I notice that a lot of the code systems don't have a placement that indicates "no message; this is just a stamp."

Posted on January 4, 2012 at 8:37 AM -- 30 Comments

Allocating Security Resources to Protect Critical Infrastructure

Alan T. Murray and Tony H. Grubesic, "Critical Infrastructure Protection: The Vulnerability Conundrum," Telematics & Informatics, 29 (February 2012): 56-65 (full article behind paywall).

Abstract: Critical infrastructure and key resources (CIKR) refer to a broad array of assets which are essential to the everyday functionality of social, economic, political and cultural systems in the United States. The interruption of CIKR poses significant threats to the continuity of these systems and can result in property damage, human casualties and significant economic losses. In recent years, efforts to both identify and mitigate systemic vulnerabilities through federal, state, local and private infrastructure protection plans have improved the readiness of the United States for disruptive events and terrorist threats. However, strategies that focus on worst-case vulnerability reduction, while potentially effective, do not necessarily ensure the best allocation of protective resources. This vulnerability conundrum presents a significant challenge to advanced disaster planning efforts. The purpose of this paper is to highlight the conundrum in the context of CIKR.

Posted on January 2, 2012 at 12:33 PM -- 9 Comments

Applying Game Theory to Cyberattacks and Defenses

Behzad Zare Moayedi, Mohammad Abdollahi Azgomi, "A Game Theoretic Framework for Evaluation of the Impacts of Hackers Diversity on Security Measures," Reliability Engineering & System Safety, 99 (2012): 45-54 (full article behind paywall).

Abstract: Game theoretical methods offer new insights into quantitative evaluation of dependability and security. Currently, there is a wide range of useful game theoretic approaches to model the behaviour of intelligent agents. However, it is necessary to revise these approaches if there is a community of hackers with significant diversity in their behaviours. In this paper, we introduce a novel approach to extend the basic ideas of applying game theory in stochastic modelling. The proposed method classifies the community of hackers based on two main criteria used widely in hacker classifications, which are motivation and skill. We use Markov chains to model the system and compute the transition rates between the states based on the preferences and the skill distributions of hacker classes. The resulting Markov chains can be solved to obtain the desired security measures. We also present the results of an illustrative example using the proposed approach, which examines the relation between the attributes of the community of hackers and the security measures.
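As an added illustration of the modelling style the abstract describes (a toy built for this post, not the paper's framework or code), here is a small continuous-time Markov chain in which the hacker community is split into classes, each with its own population, motivation (attempt rate), skill (success probability), and attempt duration. Those per-class attributes set the transition rates, and the chain is then solved for two common security measures: steady-state availability and mean time to security failure. The state layout, the class parameters, and the recovery rate are all hypothetical.

```python
"""Toy CTMC: attack transition rates derived from a diverse hacker community.
Hypothetical model written for illustration; not the paper's framework."""
from dataclasses import dataclass
from typing import List


@dataclass
class HackerClass:
    name: str
    population: float  # active attackers in this class (constructed numbers)
    interest: float    # attempts per attacker per unit time (motivation / preference)
    skill: float       # probability that one attempt succeeds
    dwell: float       # mean duration of one attempt, in time units


def build_generator(classes: List[HackerClass], recovery_rate: float):
    """Generator matrix Q.  States: 0 = Secure, 1..k = attempt by class c under
    way, k+1 = Compromised.  Off-diagonal Q[i][j] is the rate from i to j."""
    k = len(classes)
    n = k + 2
    comp = k + 1
    Q = [[0.0] * n for _ in range(n)]
    for i, c in enumerate(classes):
        s = i + 1
        Q[0][s] = c.population * c.interest   # attempts from this class arrive as a Poisson stream
        Q[s][comp] = c.skill / c.dwell        # attempt succeeds
        Q[s][0] = (1.0 - c.skill) / c.dwell   # attempt fails or is blocked
    Q[comp][0] = recovery_rate                # detection plus restoration
    for i in range(n):
        Q[i][i] = -sum(Q[i][j] for j in range(n) if j != i)
    return Q


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting (avoids a numpy dependency)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular system")
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def steady_state(Q):
    """Solve pi Q = 0 subject to sum(pi) = 1."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]  # row i: balance equation of state i
    b = [0.0] * n
    A[n - 1] = [1.0] * n   # balance equations are dependent; swap one for normalisation
    b[n - 1] = 1.0
    return solve(A, b)


def availability(classes, recovery_rate):
    """Long-run fraction of time the system is not in the Compromised state."""
    return 1.0 - steady_state(build_generator(classes, recovery_rate))[-1]


def mttsf(classes):
    """Mean time to security failure from Secure: make Compromised absorbing and
    solve (-Q_TT) t = 1 over the transient states."""
    Q = build_generator(classes, recovery_rate=0.0)
    m = len(Q) - 1
    A = [[-Q[i][j] for j in range(m)] for i in range(m)]
    return solve(A, [1.0] * m)[0]


# Constructed, hypothetical community: many low-skill opportunists, a few skilled actors.
OPPORTUNISTS = HackerClass("opportunist", population=40, interest=0.01, skill=0.02, dwell=0.5)
SKILLED = HackerClass("skilled", population=2, interest=0.05, skill=0.40, dwell=3.0)

if __name__ == "__main__":
    for label, community in [("opportunists only", [OPPORTUNISTS]),
                             ("mixed community", [OPPORTUNISTS, SKILLED])]:
        print(f"{label:18s} availability={availability(community, 1.0):.4f} "
              f"MTTSF={mttsf(community):.1f}")
```

For a single class the chain has a hand-checkable answer: with attempt rate λ, success probability s and attempt duration τ, the mean time to failure is (1/λ + τ)/s, which the solver reproduces. Changing the mix of classes changes the measures without any change to the defended system, which is the diversity effect the abstract is about.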

Posted on January 2, 2012 at 6:15 AM -- 6 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.