Archive for the ‘Security Theater’ tag
Almost two years ago it was revealed that the Transportation Security Administration (TSA) missed a whopping 95 percent of restricted items. You would think that such a damning report would have led to a top to bottom rework of the agency’s practices. But the TSA is a government agency, which means it doesn’t suffer consequences for failing, unlike market actors, and therefore has no motivation to improve. That’s why, two years later, we still get to read stories like this:
An off-duty policewoman flew from Los Angeles international airport (LAX) to Taiwan with a gun in her hand luggage.
The weapon was not detected during security screening and Noell Grant only realised she was carrying it as she changed planes in Taipei.
At one point I noted that the TSA exists solely to provide warm and fuzzy feelings to passengers who are too ignorant to realize that the agency isn’t securing anything. But as these stories continue to roll out, even ignorant fools are likely becoming aware of the fact that the TSA is just as ineffective as every other government agency. When that realization sets in the warm and fuzzy feelings of ignorance vanish, which means the agency serves no purpose whatsoever. The TSA should be completely abolished tomorrow.
I will go so far as to say that Let’s Encrypt revolutionized the Transport Layer Security (TLS) certificate market. While there were some free sources of certificates, the general rule remained that you had to pay if you wanted to implement a secure connection for your website. Then Let’s Encrypt was released. Now anybody can implement a secure connection for their website for free. On top of that, Let’s Encrypt greatly simplified the process of managing certificates. So it’s no surprise that certificate vendors are feeling the squeeze and responding desperately:
The fact that Let’s Encrypt is now being used to make phishing sites look legit is a total burn for us, and a potential house fire for users who rely on simple cues like the green padlock for assurance. According to certificate reseller The SSL Store, “between January 1st, 2016 and March 6th, 2017, Let’s Encrypt has issued a total of 15,270 SSL certificates containing the word ‘PayPal.’”
Keep in mind that the SSL Store is a provider of those incredibly overpriced certificates, so Let’s Encrypt’s mission isn’t necessarily in their interests. Even still, their post points out that the “vast majority of this issuance has occurred since November — since then Let’s Encrypt has issued nearly 100 ‘PayPal’ certificates per day.” Based on a random sample, SSL Store said, 96.7 percent of these certificates were intended for use on phishing sites.
The reseller added that, while their analysis has focused on fake PayPal sites, the firm’s findings have spotted other SSL phishing fakers, including Bank of America, Apple IDs, and Google.
The SSL Store paints a frightening picture. But the picture requires ignoring two facts.
First, TLS doesn’t verify if a website is legitimate. TLS verifies that the hostname in the URL you’re connecting to matches a name in the certificate provided by the server and that the certificate was issued by a trusted authority. For example, if you connect to https://paypaltotallyascam.com, TLS will verify that the certificate is for paypaltotallyascam.com and that the certificate was issued by a trusted authority. However, TLS is not magical and cannot determine whether the site is a scam or not.
Second, you can’t even pull a certificate with Let’s Encrypt unless you have a registered domain name. So why is Let’s Encrypt getting all of the blame but not the Domain Name System (DNS) registrar that allowed the domain to be registered in the first place? Because DNS registrars aren’t a threat to The SSL Store’s business model; Let’s Encrypt is.
This report by The SSL Store is nothing more than the desperate thrashings of a dying business model.
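What that name check decides, as an added example (not code from the original post): a simplified RFC 6125-style matcher next to the brand look-alike test that a defender watching certificate issuance would have to run separately. The `BRANDS` watch list, the function names and the sample certificates are constructed, and chain validation to a trusted authority is assumed to have already passed.

```python
# Added example: the name check a TLS client makes on a certificate,
# next to the separate brand look-alike check that TLS never performs.
# All names and certificates below are constructed sample data.

# Hypothetical watch list: brand keyword -> the brand's real registered domain.
BRANDS = {"paypal": "paypal.com"}


def dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName against the hostname being visited.

    Simplified RFC 6125 rules: case-insensitive, label by label, and "*"
    is honoured only as the entire left-most label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse wildcards that would cover a whole TLD, e.g. "*.com".
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as "pay*.example.com" are rejected outright.
    return "*" not in pattern and p == h


def name_check(sans, hostname):
    """True if any subjectAltName entry covers the hostname (what TLS asks)."""
    return any(dns_name_matches(s, hostname) for s in sans)


def lookalike_of(hostname):
    """Return the brand keyword a hostname borrows without belonging to it.

    This is a monitoring heuristic, not part of TLS: the name contains the
    brand but is neither the brand's domain nor one of its subdomains.
    """
    h = hostname.lower().rstrip(".")
    for brand, real in BRANDS.items():
        owned = h == real or h.endswith("." + real)
        if brand in h and not owned:
            return brand
    return None


def assess(hostname, sans):
    """Run both checks so their independence is visible side by side."""
    return {"name_ok": name_check(sans, hostname),
            "lookalike_of": lookalike_of(hostname)}


# Constructed (hostname visited, SAN list of the certificate presented).
SAMPLES = [
    ("paypaltotallyascam.com",
     ["paypaltotallyascam.com", "www.paypaltotallyascam.com"]),
    ("www.paypal.com", ["paypal.com", "*.paypal.com"]),
    ("paypal.com", ["paypaltotallyascam.com"]),
]

if __name__ == "__main__":
    for host, sans in SAMPLES:
        print(host, assess(host, sans))
```

The first sample passes the name check and is still flagged as a look-alike; the third fails the name check, which is the only case TLS itself stops.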
The Transportation Security Administration (TSA) has a sordid record when it comes to airport security. Since airport security is the agency’s primary job and it hasn’t been doing an effective job at providing security you might expect it to, you know, try to improve its capabilities. Instead the agency has been doubling down on security theater. But the best part is that the agency realizes that its efforts are theater:
If you’ve ever suspected that the TSA’s airport behavior screening (where it looks for visual signs of lying or stress) was just another example of ineffective security theater, you now have some science to back up your hunches. Thanks to a lawsuit, the ACLU has obtained TSA files showing that the organization has pushed and even expanded its “behavior detection” program despite a lack of supporting evidence. While the TSA maintains that it can detect signs of shady activity through fidgeting, shifty eyes and other visual cues, studies in its files suggest just the opposite — you’d have just as much success by choosing at random. And those are in controlled conditions, not a busy airport where anxiety and stress are par for the course.
The TSA hasn’t thwarted a single terrorist attack since it was founded. It hasn’t even done anything noteworthy in the field of security. The only thing the agency has managed to do is bolster the profits of bottled water manufacturers by stealing air travelers’ water and forcing them to buy more inside of “secure” areas. Yet this agency continues to exist. It continues to exist because the government that established it believes stealing your money and giving it to one of its entirely ineffective agencies is fiscally responsible.
The next time some statist dipshit tells you that taxes aren’t high enough remind them that a ton of tax money is being irresponsibly dumped into agencies like the TSA.
How expensive is it to perform a denial of service attack in the real world? More often than not the cost is nearly free. The trick is to exploit the target’s own security concerns:
A flight in America was delayed and almost diverted on Tuesday after a passenger changed the name of their wi-fi device to ‘Samsung Galaxy Note 7’.
An entire flight was screwed up by simply changing the SSID of a device.
Why did this simple trick cause any trouble whatsoever? Because the flight crew was more concerned about enforcing the rules than actual security. There was no evidence of a Galaxy Note 7 being onboard. Since anybody can change their device’s SSID to anything they want, the presence of the SSID “Samsung Galaxy Note 7” shouldn’t have been enough to cause any issues. But the flight crew allowed that, at best, flimsy evidence to spur them into a hunt for the device.
This is why performing denial of service attacks in the real world is often very cheap. Staffers, such as flight crew, seldom have any real security training so they tend to overreact. They’re trying to cover their asses (and I don’t mean that as an insult, if they don’t cover their asses they very well could lose their job), which means you have an easy exploit sitting there for you.
Minnesota is one of the few remaining states that has told the federal government where to stick its REAL Slave ID requirements. If you do live in Minnesota and you really want an official Slave ID you can pay an extra $15 and go through the additional hassle necessary to convert your driver’s license but it’s not required.
While it’s been known that the Transportation Security Administration (TSA) would begin requiring Slave IDs to board aircraft the exact deadline has remained unknown. Soon the TSA at the Minneapolis International Airport will post signs indicating that the deadline will be January 22, 2018:
MINNEAPOLIS (KMSP) – Signs will soon be posted at Minneapolis-St. Paul International Airport with a warning that your current Minnesota driver’s license won’t be enough to pass through security in 2018.
Starting Jan. 22, 2018, you will need an alternate ID to fly if you have a standard driver’s license or ID card issued by any of the following states: Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina or Washington. Alternate forms of ID include a passport, military ID, or permanent resident card. You can find a full list of accepted ID at https://www.tsa.gov/travel/security-screening/identification
If you live in Minnesota and wish to travel on an airplane you should consider getting a passport. In fact, if you live in the United Police States of America you should consider getting a passport just so you have the option to leave this forsaken Orwellian nation.
I hope the Minnesota government continues to push against the Slave ID requirements but I fear that they’re going to kowtow to their federal masters before the deadline.
Shortly after the attack in San Bernardino the Federal Bureau of Investigation (FBI) tried to exploit the tragedy in order to force Apple to assist it in unlocking Syed Rizwan Farook’s iPhone. According to the FBI, Farook’s phone likely contained information that would allow them to find his accomplices, motives, and basically solve the case. Apple refused to give the FBI the power to unlock any iPhone 5C willy-nilly but the agency eventually found a third party that had an exploit that would allow the built-in security to be bypassed.
One year later the FBI hasn’t solved the case even with access to Farook’s iPhone:
They launched an unprecedented legal battle with Apple in an effort to unlock Farook’s iPhone and deployed divers to scour a nearby lake in search of electronic equipment the couple might have dumped there.
But despite piecing together a detailed picture of the couple’s actions up to and including the massacre, federal officials acknowledge they still don’t have answers to some of the critical questions posed in the days after the Dec. 2, 2015, attack at the Inland Regional Center.
Most important, the FBI said it is still trying to determine whether anyone was aware of the couple’s plot or helped them in any way. From the beginning, agents have tried to figure out whether others might have known something about Farook and Malik’s plans, since the couple spent months gathering an arsenal of weapons and building bombs in the garage of their Redlands home.
Officials said they don’t have enough evidence to charge anyone with a crime but stressed the investigation is still open.
This shouldn’t be surprising to anybody. Anybody who had the ability to plan out an attack like the one in San Bernardino without being discovered probably had enough operational security to not use an easily surveilled device such as a cellular phone for the planning. Too many people, including those who should know better, assume only technological wizards have the knowhow to plan things without using commonly surveilled communication methods. But that’s not the case. People who are committed to pulling off a planned attack that includes coordination with third parties are usually smart enough to do their research and utilize communication methods that are unlikely to be accessible to prying eyes. It’s not wizardry, it’s a trick as old as human conflict itself.
Humans are both unpredictable and adaptable, which is what makes mass surveillance useless. When an agency such as the National Security Agency (NSA) performs mass surveillance they get an exponentially greater amount of noise than signal. We’re not even talking about a 100:1 ratio. It would probably be closer to 1,000,000,000,000:1. Furthermore, people with enough intelligence to pull off coordinated attacks are usually paranoid enough to assume the most commonly available communication mechanisms are being surveilled so they adapt. Mass surveillance works well if you want a lot of grandmothers’ recipes, Internet memes, and insults about mothers made by teenagers. But mass surveillance is useless if you’re trying to identify individuals who are a significant threat. Sure, the NSA may get lucky once in a while and catch somebody but that’s by far the exception, not the rule. The rule, when it comes to identifying and thwarting significant threats, is that old fashioned investigative techniques must be employed.
Government agencies only expand, they never contract. Although the Transportation Security Administration (TSA) has failed 95 percent of red team exercises the agency hasn’t been abolished. Instead Congress wants to reward the agency by expanding its scope to guard the trains that practically nobody uses:
Several U.S. senators want the TSA to focus more attention and resources on rail, highway, and marine transportation, which would mean greater security oversight at such places as Amtrak stations and Megabus coach stops. A bipartisan bill introduced Thursday by Senator John Thune (R-S.D.) would require the TSA to use a risk-based security model for these transport modes and to budget money based on those risks. It would require a wider use of the agency’s terrorist watch list by train operators and more detailed passenger manifests along with tighter screening of marine employees. The legislation also would increase the TSA’s canine use by as many as 70 dog-handler teams for surface transportation.
Why bother? No terrorist attack has been performed on an Amtrak train. Compared to airliners Amtrak trains are practically ghost towns. They’re low value targets to an attacker looking to rack up as high of a body count as possible. Obviously this isn’t about security so what is it about? My guess is that it’s about police state bullshit.
Remember all those movie scenes where the Nazi or Soviet officer asks passengers boarding a train for their papers? It used to be the thing we were told to fear for obvious reasons. But those scenes are pornography for statists. They show everything statists desire: control, order, and obedience. And they swooped in the second they had an excuse to implement the exact same system for air travelers. When you line up in the security theater line at an airport you hand your papers to a TSA agent who looks them over and decides whether or not you can move forward. If you’re a Jew or a kulak on the terrorist watch lists your trip ends there and you’ll be escorted away by a thug in a uniform. Now that everyone is used to kowtowing to government agents demanding to see our papers Congress is ready to expand the TSA’s scope. It won’t surprise me if the nation’s highways are someday littered with surprise TSA checkpoints.
Never ending expansion such as this is why I have a zero tolerance policy towards government. If you give government an inch it will slowly take a mile. The only sane solution is to not have a government at all.
It’s no secret to anybody who has had the displeasure of flying out of the Minneapolis/St. Paul International Airport (MSP) that something is wrong with the security lines. While there are several numbered gates they are no longer in use. Now there are only three. There are the two main gates and then there’s the lesser known gate tucked away elsewhere in the airport. This has led to ridiculously long security lines and flights are being missed just so a putz with a badge can play their part in security theater.
If the Transportation Security Administration (TSA) is a failure of an organization in general then the TSA at MSP is the idiot uncle of the family that everybody hates because he gets drunk at the family get-togethers and starts getting frisky with everybody’s wives and daughters.
Somebody has finally had enough and is filing a lawsuit:
A Minneapolis man is blaming the long lines at security for missing a recent flight, and now he’s suing the federal agency and the Twin Cities airport’s operator for $506.85.
In the lawsuit filed in federal court last week, Hooman Nikizad said his wait of more than 90 minutes on March 19 before he passed through security screening by the federal Transportation Security Administration (TSA) made him miss his afternoon flight to Los Angeles.
“I had to buy a ticket with another airline to be able to make my destination and meet my obligations,” Nikizad said in his claim, which noted the TSA had limited staff on duty at the time and “only one body scanner for the regular security line [in operation].”
I’m sure Mr. Nikizad will be added to the no-fly list. Regardless, his lawsuit, as far as I’m concerned, is entirely justified. Expecting people to arrive hours before a flight for no reason whatsoever (see the TSA’s 95 percent failure rate) is unacceptable. If somebody arrives at the airport 90 minutes before their flight and is forced to buy another ticket because TSA couldn’t get its shit together then the agency should be forced to reimburse them for damages.
Supposedly the Libertarian Party tries to get libertarians elected into offices. The party has a funny way of going about that goal though. For example, the party hasn’t nominated an actual libertarian presidential candidate for at least as long as I’ve been old enough to vote. This year’s ticket is no different.
Gary “Ban the Burqa” Johnson was nominated to be the Libertarian Party’s presidential candidate this year. Although the Libertarian Party doesn’t allow presidential candidates to outright pick their running mates, the party voters are usually willing to roll over and approve whoever their presidential candidate wants. Johnson wanted Bill Weld and the Libertarian Party, apparently deciding it didn’t want any libertarians on its presidential ticket, was happy to comply.
After the shooting in Orlando Weld decided to show his anti-libertarian colors:
Bill Weld, the former governor of Massachusetts now running as the Libertarian Party’s candidate for vice president, called today for a 1,000-agent task force to combat Islamic State adherents in the United States, and for a tip line where Muslims could inform on radicalism.
“Let’s face it: The United States is under attack right now by ISIS and ISIS copycats,” Weld said. “They have a deep pool to pull from. There are over 3 million Muslims in the United States — maybe Mr. Trump will want to deport them all, but the better approach is to work with the community.”
Weld, who served as U.S. attorney and then assistant attorney general in the DOJ’s criminal justice division, suggested that the DOJ could take a cue from a program that worked in Massachusetts. The “Drop-a-Dime Project,” a nonprofit tip line created by community leaders, was used by law enforcement to pursue tips about crime in Boston’s black neighborhoods and to achieve breakthroughs in drug investigations.
“We’d get all kinds of tips,” Weld said. “The residents of Dorchester and Mattapan were only too happy to help. There may be some people out there leaning toward ISIS, people who would want to shelter the people going around killing other people. But for every pair of ears that would be sympathetic, there will be pairs that will not be sympathetic.”
I thought the Libertarian Party was all about shrinking government, not growing it. I guess this is what happens when the party doesn’t nominate a libertarian for its vice presidential candidate.
I know the Libertarian Party, especially now that it’s pulling people from the Republican Party, has a lot of statists within its ranks so this idea may sound appealing to them. Let’s consider the effectiveness of such a program. I’ll start by once again quoting Bruce Schneier, “If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.” This is something libertarians tend to inherently understand. If you set up a program where average Joes are expected to rat out their neighbors you will get a lot of noise and very little, if any, signal.
How do you tell if somebody expressing sympathies for the Islamic State (IS) is merely angry at the way the United States and European countries have treated the Middle East or is planning to commit acts of murder in the organization’s name? Most people can’t tell and that’s the problem with this kind of tip line. It would be flooded with “tips” from people who think somebody speaking out against the United States dropping bombs on wedding parties is sympathizing with IS. Many of the “tips” would likely come from people who just don’t like their Muslim neighbors and see the tip line as a way to get the State to harass them. Weld’s proposal would create a 1,000-agent (you do have to appreciate how all of these proposals involve an arbitrary number of agents that is almost always cleanly divisible by 10) task force that does nothing productive (in other words, it’ll be just like every other government agency).
I’m glad I don’t play politics anymore. If I did I’d be depressed this election cycle because there are exactly zero acceptable candidates running for office.
As is common after a violent tragedy, a great deal of electrons are being annoyed by people who are calling for prohibitions. Some want to prohibit firearms, ammunition, and body armor while others want to prohibit members of an entire religion from crossing the imaginary line that separates the United States from the rest of the world. All of this finger pointing is being done under the guise of security but the truth is that any security system that depends on an attacker acting in a certain way is doomed to fail.
Prohibitions don’t eliminate or even curtail the threat they’re aimed at. In fact the opposite is true. The iron law of prohibition, a term coined in regards to prohibitions on drugs, states that the potency of drugs increases as law enforcement efforts against drugs increase. It applies to every form of prohibition though. Prohibitions against firearms just encourage the development of more easily manufactured and concealable firearms just as the prohibition against religious beliefs encourages those beliefs to be practiced in secrecy.
When you rely on a prohibition for security you’re really relying on your potential attackers to act in a specific way. In the case of firearm prohibitions you’re relying on your potential attackers to abide by the prohibition and not use firearms. In the case of prohibiting members of a specific religion from entering a country you’re relying on potential attackers to truthfully reveal what religion they are a member of.
But attackers have a goal and like any other human being they will utilize means to achieve their ends. If their ends can be best achieved with a firearm they will acquire or manufacture one. If their ends require body armor they will acquire or manufacture body armor. If their ends require gaining entry into a country they will either lie to get through customs legitimately or bypass customs entirely. Your attackers will not act in the manner you desire. If they did, they wouldn’t be attacking you.
What prohibitions offer is a false sense of security. People often assume that prohibited items no longer have to be addressed in their security models. This leaves large gaping holes for attackers to exploit. Worse yet, prohibitions usually make addressing the prohibited items more difficult due to the iron law of prohibition.
Prohibitions not only provide no actual security, they also come at a high cost. One of those costs is the harassment of innocent people. Firearm prohibitions, for example, give law enforcers an excuse to harass anybody who owns or is interested in acquiring a firearm. Prohibitions against members of a religion give law enforcers an excuse to harass anybody who is or could potentially be a member of that religion.
Another cost is a decrease in overall security. Firearm prohibitions make it more difficult for non-government agents to defend themselves. A people who suffer under a firearm prohibition find themselves returned to the state of nature where the strong are able to prey on the weak with impunity. When religious prohibitions are in place an adversarial relationship is created between members of that religion and the entity putting the prohibition in place. An adversarial relationship means you lose access to community enforcement. Members of a prohibited religion are less likely to come forth with information on a potentially dangerous member of their community. That can be a massive loss of critical information that your security system can utilize.
If you want to improve security you need to banish the idea of prohibitions from your mind. They will actually work against you and make your security model less effective.