Archive for the 'Security' Category

Airport Photo ID Checks Useless

Friday, August 29th, 2008

In the Risks Digest Bruce Schneier discusses the flaws in the TSA’s system for checking photo IDs at airports, flaws that would allow any reasonably competent terrorist to walk onto an airplane, even if his name is on the “no fly” list and even without using a fake ID.

This might be considered an illustration of the general incompetence of the TSA, but it also illustrates the great difficulty of setting up a secure system that will foil a reasonably clever and determined attacker. It’s not something that the average political appointee or bureaucrat without special training is likely to be able to manage.

Freedom in China vs the US

Friday, April 25th, 2008

Elliotte Rusty Harold has just returned from China and posts this disturbing comment:

Reflecting back on my recent trip to Beijing…one of the most striking things was the contrast between personal, day-to-day freedom in Beijing and the United States (especially NYC/Los Angeles/Orange County). I’m not talking about political representation or freedom to read whatever I felt like, but just the simple ability to go wherever I felt like going without being hassled. To my surprise, by that measure Beijing came off way better than the United States does these days, and that doesn’t speak well for the U.S.

Somehow I thought a one-party, authoritarian state would be more oppressive than this. At least in the capital, Beijing compares favorably to major U.S. cities. To be honest, that doesn’t speak well for the U.S. If we can’t be less of a police state than a one-party, nominally Communist nation like China, then something has gone seriously wrong.

(Read the whole thing)

Back during the Cold War, right-wing types used to make a big distinction between “totalitarian states” (bad) and “authoritarian states” (not so bad.)

A totalitarian state (Russia, China or Nazi Germany) would try to monitor everything its citizens did and demand constant declarations of effusive loyalty. An authoritarian state (Franco’s Spain) would generally leave people alone if they kept quiet and stayed out of politics.

By this definition China has clearly become an authoritarian state. But if America is becoming more of a police state than China (in terms of surveillance, etc.) then what does that make us?

The FBI Wants to Monitor Your Web Browsing

Friday, April 25th, 2008

Declan McCullagh has a detailed analysis of FBI Director Robert Mueller’s recent Congressional testimony in which he asked for greatly expanded surveillance powers. Currently the FBI has the technical ability to monitor just about everything that goes over the Internet, but they need to get a warrant (or a secret National Security Letter) in order to do so.

Mueller wants to convince the Internet Service Providers to change their Terms of Service to force their customers to “consent” to having the FBI monitor everything they do without a warrant. If the ISPs refuse (as they probably would for fear of lawsuits) then he wants Congress to pass legislation requiring it.

He justifies this by invoking the usual suspects (terrorism and cyberattacks) but of course the surveillance would be quickly extended to cover lesser crimes like copyright violation. It is amusing to imagine the FBI locking up millions of file sharers, but probably they would just prosecute a small number of people to serve as examples.

Bruce Schneier’s Twisted Mind

Monday, March 24th, 2008

SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”

If more people had a security mindset, services that compromise privacy wouldn’t have such a sizable market share — and Facebook would be totally different. Laptops wouldn’t be lost with millions of unencrypted Social Security numbers on them, and we’d all learn a lot fewer security lessons the hard way. The power grid would be more secure. Identity theft would go way down. Medical records would be more private. If people had the security mindset, they wouldn’t have tried to look at Britney Spears’ medical records, since they would have realized that they would be caught.

This seems a little grim, but it would be a useful counterbalance to the general tendency to enthusiastically embrace any plausible-sounding proposal without thinking through the consequences.

E-voting vendor blocks security audit with legal threats

Thursday, March 20th, 2008

Problem: the voting machines report numbers that don’t add up.

Attempted solution: local authorities commission an independent audit of the machines to determine the source of the problem.

Checkmate: the vendor prevents the audit by threatening to sue to protect its “Intellectual Property.”

Story on Ars Technica.

This is exactly why all voting machines should be required to use open source software throughout: to make sure that effective audits will always be possible. Of course no commercially available voting machines actually do this. As always the industry’s motto is “Trust us. Shut up. Just trust us.”

UPDATE: A judge orders the review to proceed, although the report won’t be available in time to do anything about it before the November elections.

GoDaddy Silences Police-Watchdog Site

Wednesday, March 12th, 2008

GoDaddy’s continued willingness to shut down any site that draws complaints makes one thing clear: you should never register a domain with GoDaddy unless you are certain that your site will never offend anybody.

Who elected the registrars to serve as the all-powerful censors of the Internet?

Perils of New Technology

Thursday, March 6th, 2008

Michael Nygard provides an unexpected reason why you should probably avoid buying the latest and greatest technology: Steve Jobs made me miss my flight.

US government forces military secrets on Brit webmaster

Monday, March 3rd, 2008

Article from The Register. I thought of making a list of all the basic security practices being violated here, but I gave up. It just boggles the mind.

Voting Machines: California Gets a Clue

Wednesday, December 5th, 2007

California is one of the few jurisdictions that is belatedly starting to do the right thing with electronic voting machines: subject them to rigorous testing by qualified computer security experts. Ars Technica describes the latest results here: California’s testing cracks ES&S evoting system wide open.

The bottom line seems to be that all of the electronic voting machines currently in use can easily be subverted using simple techniques available to any teenage hacker.

Most of the attention so far has focused on touch-screen voting machines, but the popular optical-scan ballot systems are also made by the same companies and have many of the same security flaws. The advantage of the optical-scan systems is that you have the paper ballots and can use them for a manual recount which should reveal any fraud. The fraud can still go undetected if you don’t suspect it and don’t order a recount.

Microsoft Backs Down on Vista Lockout

Tuesday, December 4th, 2007

Update to previous post: Starting with Vista Service Pack 1 (available in early 2008) Microsoft will no longer disable your computer if “Windows Genuine Advantage” decides that your copy of Vista isn’t genuine.

Instead it will bombard you with messages telling you what a wicked pirate you are and urging you to pay up at once. No doubt this will still continue to catch a lot of innocent people, but at least they won’t be locked out of their computers.

via Ars Technica.