Entries Tagged "secrecy"


German Minister's Fingerprint Published

This is 1) a good demonstration that a fingerprint is not a secret, and 2) a great political hack. Wolfgang Schauble, Germany’s interior minister, is a strong supporter of collecting biometric data on everyone as an antiterrorist measure. Because, um, because it sounds like a good idea.

Here’s the story directly from the Chaos Computer Club (in German), and its English-language guide to lifting and using fingerprints. And me on biometrics from 10 years ago.

Posted on April 1, 2008 at 2:37 PM

Unshredding

Using software, of course. The context is shredded and torn East German Stasi documents, but the technology is more general:

The machine-shredded stuff is confetti, largely unrecoverable. But in May 2007, a team of German computer scientists in Berlin announced that after four years of work, they had completed a system to digitally tape together the torn fragments. Engineers hope their software and scanners can do the job in less than five years, even taking into account the varying textures and durability of paper, the different sizes and shapes of the fragments, the assortment of printing (from handwriting to dot matrix) and the range of edges (from razor sharp to ragged and handmade.) “The numbers are tremendous. If you imagine putting together a jigsaw puzzle at home, you have maybe 1,000 pieces and a picture of what it should look like at the end,” project manager Jan Schneider says. “We have many millions of pieces and no idea what they should look like when we’re done.”

Posted on January 23, 2008 at 4:19 PM

Gitmo Manual Leaked

A 2003 “Camp Delta Standard Operating Procedures” manual has been leaked to the Internet. This is the same manual that the ACLU has unsuccessfully sued the government to get a copy of. Others can debate the legality of some of the procedures; I’m interested in comments about the security.

See, for example, this quote on page 27.3:

(b) Upon arrival will enter the gate by entering the number (1998) in the combination lock

(c) Proceed to the junction box with the number (7012-83) Breaker Box and open the box. The number for the lock on the breaker box is (224).

Posted on November 20, 2007 at 6:49 AM

Hiding Data Behind Attorney-Client Privilege

Interesting advice:

He cites a key advantage to bringing in lawyers up front: “If you hire a law firm to supervise the process, even if there are technical engineers involved, then the process will be covered by attorney-client privilege,” Cunningham said.

He noted that in a lawsuit following a data theft, plaintiffs usually seek a company’s records of “all the [data-security] recommendations that were made [before the breach] and whether or not you followed them. And if you go and hire technical consultants only, all that information gets turned over in discovery. [But] if you have it through a law firm, it’s generally not.”

Gregory Engel has some good comments about this:

This isn’t a “prevention initiative” for data security, it’s a preemptive initiative for corporate irresponsibility.

I’m not sure it will work, though. I don’t think you can run all of your data past your attorney and then magically have it imbued with the un-subpoena-able power of “attorney-client privilege.”

EDITED TO ADD (10/22): This talk from Defcon this year is related.

Posted on October 21, 2007 at 6:39 AM

New TSA Report

A classified 2006 TSA report on airport security has been leaked to USA Today. (Other papers are covering the story, but their articles seem to be all derived from the original USA Today article.)

There’s good news:

This year, the TSA for the first time began running covert tests every day at every checkpoint at every airport. That began partly in response to the classified TSA report showing that screeners at San Francisco International Airport were tested several times a day and found about 80% of the fake bombs.

Constant testing makes screeners “more suspicious as well as more capable of recognizing (bomb) components,” the report said. The report does not explain the high failure rates but said O’Hare’s checkpoints were too congested and too wide for supervisors to monitor screeners.

At San Francisco, “everybody realizes they are under scrutiny, being watched and tested constantly,” said Gerald Berry, president of Covenant Aviation Security, which hires and manages the San Francisco screeners. San Francisco is one of eight airports, most of them small, where screeners work for a private company instead of the TSA. The idea for constant testing came from Ed Gomez, TSA security director at San Francisco, Berry said. The tests often involve an undercover person putting a bag with a fake bomb on an X-ray machine belt, he said.

Repeated testing is good, for a whole bunch of reasons.

There’s bad news:

Howe said the increased difficulty explains why screeners at Los Angeles and Chicago O’Hare airports failed to find more than 60% of fake explosives that TSA agents tried to get through checkpoints last year.

The failure rates—about 75% at Los Angeles and 60% at O’Hare—are higher than some tests of screeners a few years ago and equivalent to other previous tests.

Sure, the tests are harder. But those are miserable numbers.

And there’s unexplainable news:

At San Diego International Airport, tests are run by passengers whom local TSA managers ask to carry a fake bomb, said screener Cris Soulia, an official in a screeners union.

Someone please tell me this doesn’t actually happen. “Hi Mr. Passenger. I’m a TSA manager. You know I’m not lying to you because of this official-looking laminated badge I have. We need you to help us test airport security. Here’s a ‘fake’ bomb that we’d like you to carry through security in your luggage. Another TSA manager will, um, meet you at your destination. Give the fake bomb to him when you land. And, by the way, what’s your mother’s maiden name?”

How in the world is this a good idea? And how hard is it to dress real TSA managers up like vacationers?

EDITED TO ADD (10/24): Here’s a story of someone being asked to carry an item through airport security at Dulles Airport.

EDITED TO ADD (10/26): TSA claims that this doesn’t happen:

TSA officials do not ask random passengers to carry fake bombs through checkpoints for testing at San Diego International Airport, or any other airport.

[…]

TSA Traveler Alert: If approached by anyone claiming to be a TSA employee asking you to take something through the checkpoint, please contact a uniformed TSA employee at the checkpoint or a law enforcement officer immediately.

Is there anyone else who has had this happen to them?

Posted on October 19, 2007 at 2:37 PM

NSA's Public Relations Campaign Targets Reporters

Your tax dollars at work:

Frustrated by press leaks about its most sensitive electronic surveillance work, the secretive National Security Agency convened an unprecedented series of off-the-record “seminars” in recent years to teach reporters about the damage caused by such leaks and to discourage reporting that could interfere with the agency’s mission to spy on America’s enemies.

The half-day classes featured high-ranking NSA officials highlighting objectionable passages in published stories and offering “an innocuous rewrite” that officials said maintained the “overall thrust” of the articles but omitted details that could disclose the agency’s techniques, according to course outlines obtained by The New York Sun.

Posted on October 4, 2007 at 3:11 PM

Interview with National Intelligence Director Mike McConnell

Mike McConnell, U.S. National Intelligence Director, gave an interesting interview to the El Paso Times.

I don’t think he’s ever been so candid before. For example, he admitted that the nation’s telcos assisted the NSA in their massive eavesdropping efforts. We already knew this, of course, but the government has steadfastly maintained that either confirming or denying this would compromise national security.

There are, of course, moments of surreality. He said that it takes 200 hours to prepare a FISA warrant. Ryan Singel calculated that since there were 2,167 such warrants in 2006, there must be “218 government employees with top secret clearances sitting in rooms, writing only FISA warrants.” Seems unlikely.

But most notable is this bit:

Q. So you’re saying that the reporting and the debate in Congress means that some Americans are going to die?

A. That’s what I mean. Because we have made it so public. We used to do these things very differently, but for whatever reason, you know, it’s a democratic process and sunshine’s a good thing. We need to have the debate.

Ah, the politics of fear. I don’t care if it’s the terrorists or the politicians, refuse to be terrorized. (More interesting discussions on the interview here, here, here, here, here, and here.)

Posted on August 24, 2007 at 6:30 AM

Conversation with Kip Hawley, TSA Administrator (Part 3)

This is Part 3 of a five-part series. Link to whole thing.

BS: Let’s talk about ID checks. I’ve called the no-fly list a list of people so dangerous they cannot be allowed to fly under any circumstance, yet so innocent we can’t arrest them even under the Patriot Act. Except that’s not even true; anyone, no matter how dangerous they are, can fly without an ID, or by using someone else’s boarding pass. And the list itself is filled with people who shouldn’t be on it—dead people, people in jail, and so on—and primarily catches innocents with similar names. Why are you bothering?

KH: Because it works. We just completed a scrub of every name on the no-fly list and cut it in half—essentially cleaning out people who were no longer an active terror threat. We do not publicize how often the no-fly system stops people you would not want on your flight. Several times a week would low-ball it.

Your point about the no-ID and false boarding pass people is a great one. We are moving people who have tools and training to get at that problem. The bigger issue is that TSA is moving in the direction of security that picks up on behavior versus just keying on what we see in your bag. It really would be security theater if all we did was try to find possible weapons in that crunched fifteen seconds and fifteen feet after you anonymously walk through the magnetometer. We do a better job, with less aggravation of ordinary passengers, if we put people-based layers further ahead in the process—behavior observation based on involuntary, observable muscle behavior, canine teams, document verification, etc.

BS: We’ll talk about behavioral profiling later; no fair defending one security measure by pointing to another, completely separate, one. How can you claim ID cards work? Like the liquid ban, all it does is annoy innocent travelers without doing more than inconveniencing any future terrorists. Is it really good enough for you to defend me from terrorists too dumb to Google “print your own boarding pass”?

KH: We are getting at the fake boarding pass and ID issues with our proposal to Congress that would allow us to replace existing document checkers with more highly trained people with tools that would close those gaps. Without effective identity verification, watch lists don’t do much, so this is a top priority.

Having highly trained TSOs performing the document checking function closes a security gap, adds another security layer, and pushes TSA’s security program out in front of the checkpoint.

BS: Let’s move on. Air travelers think you’re capricious. Remember in April when the story went around about the Princeton professor being on a no-fly list because he spoke out against President Bush? His claims were easily debunked, but the real story is that so many people believed it. People believe political activity puts them on the list. People are afraid to complain about being mistreated at checkpoints because they’re afraid it puts them on a list. Is there anything you can do to make this process more transparent?

KH: We need some help on this one. This is the biggest public pain point, dwarfing shoes and baggies.

First off, TSA does not add people to the watch-lists, no matter how cranky you are at a checkpoint. Second, political views have nothing to do with no-flys or selectees. These myths have taken on urban legend status. There are very strict criteria and they are reviewed by lots of separate people in separate agencies: it is for live terror concerns only. The problem comes from random selectees (literally mathematically random) or people who have the same name and birth date as real no-flys. If you can get a boarding pass, you are not on the no-fly list. This problem will go away when Secure Flight starts in 2008, but we can’t seem to shake the false impression that ordinary Americans get put on a “list.” I am open for suggestions on how to make the public “get it.”

BS: It’s hard to believe that there could be hundreds of thousands of people meeting those very strict criteria, and that’s after the list was cut in half! I know the TSA does not control the no-fly and watch lists, but you’re the public face of those lists. You’re the aspect of homeland security that people come into direct contact with. Some people might find out they’re on the list by being arrested, or being shipped off to Syria for torture, but most people find out they’re on the list by being repeatedly searched and questioned for hours at airports.

The main problem with the list is that it’s secret. Who is on the list is secret. Why someone’s on is secret. How someone can get off is secret. There’s no accountability and there’s no transparency. Of course this kind of thing induces paranoia. It’s the sort of thing you read about in history books about East Germany and other police states.

The best thing you can do to improve the problem is redress. People need the ability to see the evidence against them, challenge their accuser, and have a hearing in a neutral court. If they’re guilty of something, arrest them. And if they’re innocent, stop harassing them. It’s basic liberty.

I don’t actually expect you to fix this; the problem is larger than the TSA. But can you tell us something about redress? It’s been promised to us for years now.

KH: Redress issues are divided into two categories: people on the no-fly list and people who have names similar to them.

In our experience, the first group is not a heavy user of the redress process. They typically don’t want anything to do with the U.S. government. Still, if someone is either wrongly put on or kept on, the Terrorist Screening Center (TSC) removes him or her immediately. In fact, TSA worked with the TSC to review every name, and that review cut the no-fly list in half. Having said that, once someone is really on the no-fly list, I totally agree with what you said about appeal rights. This is true across the board, not just with no-flys. DHS has recently consolidated redress for all DHS activities into one process called DHS TRIP. If you are mistaken for a real no-fly, you can let TSA know and we provide your information to the airlines, who right now are responsible for identifying no-flys trying to fly. Each airline uses its own system, so some can get you cleared to use kiosks, while others still require a visit to the ticket agent. When Secure Flight is operating, we’ll take that in-house at TSA and the problem should go away.

BS: I still don’t see how that will work, as long as the TSA doesn’t have control over who gets on or off the list.

Part 4: Registered Traveler and behavioral profiling

Posted on August 1, 2007 at 6:12 AM

Buildings You Can't Photograph

Very Kafkaesque:

The bottom line is that McCammon was caught in a classic logical trap. If he had only known the building was off-limits to photographers, he would have avoided it. But he was not allowed to know that fact. “Reasonable, law-abiding people tend to avoid these types of things when it can be helped,” McCammon wrote. “Thus, my request for a list of locations within Arlington County that are unmarked, but at which photography is either prohibited or discouraged according to some (public or private) policy. Of course, such a list does not exist. Catch-22.”

The only antidote to this security mania is sunshine. Only when more and more Americans do as McCammon has done and take the time and effort to chronicle these excesses and insist on answers from authorities will we stand a chance of restoring balance and sanity to the blend of liberty and security that we are madly remixing in these confused times.

Here’s the relevant map. It’s the building on the NW/upper-left side of the intersection.

Posted on July 19, 2007 at 2:25 PM

