The Two 9/11 Commission Reports

I’ve just finished the 9/11 commission’s report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.)

One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique is that after the largest attack on American soil since the Civil War, they fail to think big. They spend time drawing lines on org. charts.

Regular readers will note that I spend a lot of time looking at airline security. The recommendations there (around page 383) are clearly weak. More ID cards will not change things. We need to consider broader changes.

For example, they could have considered the drug war. The easiest way to smuggle weapons of mass destruction into the US would be to pack them in cocaine. Perhaps changes there are in order?

I’m not the first to notice this. Elizabeth Drew wrote a long article for the New York Review of Books, and the Center For Strategic and International Studies has an analysis (PDF) worth reading. An English professor at DeAnza college also caught my eye.

"You will eventually be caught"

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual Property Section (CCIPS) are available to US Attorneys across the country. The Secret Service operates 15 Electronic Crimes Task Forces. There are 5 Regional Computer Forensic Laboratories operating now with 8 planned to open in the coming years. The Internet Fraud Complaint Center (IFCC) is taking reports from victims of cyber crime and the National White Collar Crime Center supports law enforcement efforts. All of this adds up to a lot of federal, state, and local police working to bust bad guys.

(From Richard Bejtlich’s TaoSecurity.)

This feels wrong to me. Investigating computer crimes is still a very labor-intensive process.
(I’m experimenting to see how MarsEdit handles extended entries.)


Firefox Software Install UI

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file!

Firefox 1.0PR now includes code to deal with this. Here’s how it works.

Justin Mason has a good bit on how Firefox reduces the chances that spyware will end up in your system. This is a nice start. I don’t know that it will work long term. When SSL came out, there were all sorts of sites with directions for working around the security and interoperability warnings. Things like “Your browser will issue a warning. To use this site, click ‘please screw me.’” Spyware sites will start to issue the same sort of message around installing new software to see their dancing bunnies.

Browsers have become big complex technologies. That’s not a slam at the browser folks–users want them to do more and more. As the browser replaces one set of buggy device drivers with another, it may need to start offering an internal security model that controls what APIs different plug-ins can use, etc. It may need to start controlling what modules can access what data, much like an operating system.

Airport Screening Still Fails Tests

Do current security plans depend on no guns getting onto the planes? I hope not.

Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland Security Department.

From The New York Times. Use BugMeNot if you need a login.

In other “guns on planes” news, John Miller, the head of the LAPD’s counter-terror unit, was detained Thursday after forgetting about a gun in his bag.

It’s interesting that Miller got where he is via a PR and reporting background. The obvious charge is security as theater. However, reporters often end up knowing a huge amount about their subjects, and so I don’t want to throw that charge without more research than I can do before dinner.

Verisign's Kid Credentials

So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which Verisign has been trying, and failing, to flog to consumers for years. (It may be this.)

What’s unclear are the privacy implications. If this is an X.509 cert on a USB token, then what this means is that children will not have privacy in these “kid only” spaces. They’ll be subject to monitoring under their real name. This damages one of the best features of the internet, which is the ability of kids to go online and explore different identities fearlessly. Read their chatroom rules of use: Cyberdating is dangerous!

At least they’re up front in their terms of service: You are being watched. Your name will follow you. Yeah, I wanna go play there.

What's In A Name?

“BRANSON, Mo. – A Branson man has put a face to the anonymous references people often make to “they” by changing his name to just that: “They.”

Not only is he making a statement about his name, but he’s messing with the entire English language,” friend Craig Erickson said.

How can you argue with messing with the entire English language?

(From AP via Languagehat.)

"Post-Totalitarian Stress Disorder"

This – the damage done to individual psyche – and not just to the physical infrastructure and institutions of the country, is what we have to always keep in mind when assessing the progress of reconstruction and democratisation in places like Iraq. If things aren’t moving ahead as fast as expected, if cooperation is lacking and trust hard to find, and if the population seems apathetic and disengaged, it’s just the fallen regime having its final chuckle from beyond the grave.

is a fascinating piece in Chrenkoff (via Iraq The Model.)

Acceptable ID

Virginia Postrel writes about flying without ID:

Coming home today from New York, I was a little more prepared. I still didn’t have “government-issued i.d.,” but at least I knew I was headed for trouble. I got to JFK several hours early. The young security guard wasn’t sure what to do with me and asked a more senior guard. The elder guard sternly insisted that I must have a photo.

“This is a little weird,” I said to the young guard, as I opened my bag and pulled out one of the extra paperbacks I’d snagged from my publisher. “I wrote this book, and here’s my photo in it.” He laughed and let me through. This time, they didn’t even search my bags.

Below, I wrote about discretion for screeners. This is a great example of that discretion being used in a harmless and entertaining way. Of course, since anyone can get a book published, this can’t last.