Free gropes for travellers

Over at BoingBoing, Cory points to a USA Today story at NewsIsFree about more screening. There seem to be four components:

  • Explosives Detection Secondary screening will now always include nitrate detection swabbing. This is a fine step, but why has it taken 3 years to come in? (In fact, every time I’ve been thrown into the secondary system, my bags have been swabbed, so I’m surprised that it’s new.)
  • Outer garment removal Remove bulky outer clothing. Again, I thought this was already in place.
  • More discretion “TSA screeners will be given greater authority to refer passengers for extra scrutiny if clothing looks bulky, misshapen or otherwise suspicious. Some passengers also will receive expanded pat-downs when screeners consider it warranted.” I have very mixed feelings about this. On the one hand, it may make the life of a terrorist harder. The 9/11 hijackers knew what they were allowed to take, and the screeners didn’t have much discretion. On the other hand, it’s going to lead to more abuses where the screeners make strange or offensive decisions. Those incidents (“drink your own milk,” “drop your trousers”, etc) will greatly outnumber terrorists caught, however good the screeners are. There are a lot more innocents than terrorists traveling, and so the silly-season perception of screeners will increase.

    As to the “groping,” it was inevitable. If the goal is to keep all knives off planes, then you need to rub-frisk every passenger. Maybe they can at least hire better looking screeners to do it?

  • Document scanners “For traces of explosives,” they claim. No, it’s more reliable data capture, and an attempt to cut down on fake ID being used. As if any of the terrorists ever travelled with fake ID. They travelled on fraudulently issued ID, a market driven by the immigration and work policies of the US.

Qui Custodes Custodiat?

There’s a brilliant post over at Orcinus about the 9/11 commission, whose (outstanding) report I’m just getting around to reading.

Really, if the Kerry campaign is serious about persuading the American public that Bush is a serious liability when it comes to securing the nation from the terrorist threat, this should be Exhibit A: Bush fought the formation of the 9/11 commission for a year, and continued to fight its work throughout.

This isn’t about politics as it seems to be practiced today, with a storm of invective and attacks. It’s about an honest look at what went wrong, and preventing it from happening again. That’s a process that requires openness and honesty, not blind trust, and not requests for such.

During the fights over cryptography laws in the 90s, we spent a great deal of time on the claim from high-ranking government officials, “If you knew what we knew, you’d agree with us.” This claim was put to rest by a dozen generals, admirals, ambassadors, and former spies who served on the National Research Council’s report Cryptography’s Role in Securing the Information Society. That report plainly stated that while details of operations needed to remain secret, the arguments themselves had all been discussed openly. In much the same way, those details that have come out have argued strongly against secrecy. Condoleezza Rice’s description of the (then classified) “Bin Ladin determined to strike in US” Presidential Daily Brief as “purely historical” is exhibit A.

Bin Laden Unit downsized?

The New York Times reports:

The Central Intelligence Agency has fewer experienced case officers assigned to its headquarters unit dealing with Osama bin Laden than it did at the time of the attacks, despite repeated pleas from the unit’s leaders for reinforcements, a senior C.I.A. officer with extensive counterterrorism experience has told Congress.

A senior official disputes this:

A senior intelligence official who asked not to be identified strenuously disputed Mr. Scheuer’s criticism about the resources assigned to the war against Al Qaeda. “The assertions are off the mark,” the official said. “There are far more D.O. officers working against the Al Qaeda target both at C.I.A. headquarters and overseas than there were before Sept. 11,” the official said, using the abbreviation for the Directorate of Operations, the C.I.A.’s clandestine arm. “Our knowledge of and substantive expertise on Al Qaeda has increased enormously since 9/11. The overall size of the counterterrorism center has more than doubled, and its analytic capabilities have increased dramatically.”

But are the claims really incompatible? One official refers to the Bin Laden unit, the other to Al Qaeda and counter-terrorism. It seems to me that all the claims may be true.

Bin Laden may be effectively isolated. His communications need to go through chains of couriers, and that’s slow and difficult. So focusing on more active players may make some sense.

Then there’s the question of what you do if you find him. If you kill him, you risk making him a martyr. If you capture him, do you bring him to trial? Recall that he was already under indictment in the US years before 9/11.

(Ecto seems to be losing parts of posts on me. Feh!)

Microsoft JPG Bug, Patch, Tool

Microsoft has released a critical advisory (or, less-technical version) regarding a problem with the way JPEG files are parsed. Microsoft has released patches for their applications, and also a tool to scan for vulnerable apps.

I’m not sure what to think about the tool. On the one hand, good for them! Helping customers secure their systems by finding problems is a good, even if some people don’t think so. On the other hand, Microsoft could have sent a note to all their MSDN (Developer Network) customers about the problem. So why the effort for a tool? A tool, I think, is in line with what John Pescatore was suggesting, which is customer pressure on vendors to release more secure code.
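The advisory is about how JPEG files are parsed, so it is worth seeing what a defensive segment parser for that format has to check. The block below is an added example for this post, not Microsoft’s scanning tool and not code from the advisory: it walks the marker segments of a JPEG and refuses the file as soon as a segment’s two-byte length field is inconsistent with the format (the field counts itself, so anything below 2 is malformed, and a parser that blindly computes `length - 2` underflows; a length that runs past the end of the file is the other classic mistake). The sample files at the bottom are constructed inline so it runs offline; the marker constants are the standard JPEG marker codes.

```python
"""Walk the marker segments of a JPEG and flag malformed length fields.

Added example, not the original post's code and not Microsoft's tool.  It
checks segment headers only; entropy-coded scan data after SOS is not parsed.
"""
import struct
from typing import Iterator, List, Optional, Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field at all: TEM, SOI, EOI, RST0..RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each segment up to SOS or EOI.

    Raises ValueError on the first structural defect.  Every length field is
    validated before it is used to advance, so a hostile value can never move
    the cursor backwards or past the end of the buffer.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        # Any number of 0xFF fill bytes may precede the marker code.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, b""
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated length field for marker 0x{marker:02X}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # The length counts its own two bytes, so < 2 can never be valid.
        if length < 2:
            raise ValueError(
                f"marker 0x{marker:02X} at offset {pos - 2}: length {length} < 2")
        if pos + length > len(data):
            raise ValueError(f"marker 0x{marker:02X}: length {length} overruns file")
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == SOS:
            return  # entropy-coded data follows; header parsing stops here
    raise ValueError("no EOI marker")


def scan_jpeg(data: bytes) -> Optional[str]:
    """Return None if the segment headers are sane, else a description of the defect."""
    try:
        for _ in walk_segments(data):
            pass
    except ValueError as exc:
        return str(exc)
    return None


def list_markers(data: bytes) -> List[int]:
    """Marker codes in file order, for quick triage of what a file contains."""
    return [marker for marker, _ in walk_segments(data)]


def segment(marker: int, payload: bytes, length: Optional[int] = None) -> bytes:
    """Build one segment; pass an explicit length to forge a malformed header."""
    if length is None:
        length = len(payload) + 2
    return b"\xFF" + bytes([marker]) + struct.pack(">H", length) + payload


# Constructed samples (not real files): a sane COM segment, a COM segment whose
# length field is 1, and one whose length field points past the end of the file.
GOOD = b"\xFF\xD8" + segment(0xFE, b"hello") + b"\xFF\xD9"
BAD_UNDERFLOW = b"\xFF\xD8" + segment(0xFE, b"", length=1) + b"\xFF\xD9"
BAD_OVERRUN = b"\xFF\xD8" + segment(0xFE, b"hi", length=0x1000) + b"\xFF\xD9"

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("underflow", BAD_UNDERFLOW), ("overrun", BAD_OVERRUN)):
        print(f"{name}: {scan_jpeg(blob) or 'ok'}")
```

Run it on a directory of images and anything that reports a defect is worth a closer look; the point is that the check happens before the length is trusted, which is exactly where a native decoder has to get it right.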

Microsoft has something of a head start on this, having trained their entire staff. Is this the start of an “Unbreakable” campaign from Microsoft, or perhaps something more subtle? Either way, nicely done.
[Update: Fixed OIS link. Thanks, Max!]

Apple Security Updates

Apple has released an updated Security Advisory, to fix two problems introduced in the previous rev. Not a big deal, unless you happened to be trying to deal with their ftpd. As we’ve pointed out (PDF) in the past, security updates are a race between attacks and defense, and there are trade-offs you can make.

I’m still trying to find out what’s in the Apple Remote Desktop security update, to make a good decision about whether I should install it.

Holy Lousy Security, Batman!

Britons seemed startled by the ease with which palace security was overrun by two men in super hero costumes carrying an extension ladder….Police used a crane to extract him from the ledge as his supporters chanted “free Batman” from behind a police cordon.

From the New York Times story. Or, Google News has more. The men were protesting for more father’s visitation rights after divorces, and the right to carry ladders in public, which will shortly be banned in England. An exception will be made for those who have a builder’s license, pass a background check, and pay an annual fee.

"Want more Secure Software?"

SecurityFocus points to a nice short article over at Silicon.com, which suggests that

Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list. It’s not just in-house tech makers that need a word in their ears – the analysts suggest end users should give vendors grief about tightening up their security procedures too.

John Pescatore, the analyst in question, nails it. If you want more security from your vendor, you’ve got to make it a buying criterion. If you want more security from your developers, you’ve got to make time for it in the schedule, and you’ve got to give them tools and training to know what to do. Better security isn’t hard, it just costs some money. Do you prefer to spend that up front, or on operations later?