Your Vote Matters

After the last election the Democrats were throwing a fit over supposed Russian interference with the presidential election (funny how politicians here get bent out of shape when somebody interferes with their elections). Implied in the accusation is that an extremely sophisticated enemy such as a state actor is necessary to interfere with a United States election. However, the security of many election machines and election-related sites is so bad that an 11-year-old can break into them:

An 11-year-old boy on Friday was able to hack into a replica of the Florida state election website and change voting results found there in under 10 minutes during the world’s largest yearly hacking convention, DEFCON 26, organizers of the event said.

Thousands of adult hackers attend the convention annually, while this year a group of children attempted to hack 13 imitation websites linked to voting in presidential battleground states.

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Florida’s website isn’t an isolated incident. The entire infrastructure supporting elections here in the United States is a mess:

Even though most states have moved away from voting equipment that does not produce a paper trail, when experts talk about “voting systems,” that phrase encompasses the entire process of voting: how citizens register, how they find their polling places, how they check in, how they cast their ballots and, ultimately, how they find out who won.

Much of that process is digital.

“This is the problem we always have in computer security — basically nobody has ever built a secure computer. That’s the reality,” Schneier said. “I want to build a robust system that is secure despite the fact that computers have vulnerabilities, rather than pretend that they don’t because no one has found them yet. And people will find them — whether it’s nation-states or teenagers on a weekend.”

And before you think that your state is smart for not using voting machines, you should be aware that computers are involved in various steps of any modern voting process. Minnesota, for example, uses paper ballots but they’re fed into an electronic machine. Results from local ballot counts are transmitted electronically. Those results are then eventually transmitted electronically to media sources and from there to the masses.

If you go to cast your ballot today, know that there is no reason to believe that it will matter. There are far too many pieces of the voting infrastructure that are vulnerable to the machinations of 11-year-olds.

We’re Not Telling You the Rules

The politicians in California have passed the first law regulating the security of Internet connected devices. However, manufacturers of said devices are going to have a difficult time complying with the law since the rules are never defined:

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

The California bill doesn’t define exactly what a ‘reasonable security feature’ would be but it mandates that connected devices come with unique passwords that users can change, which isn’t the case for many IoT products. If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (no more default login credentials) or a way to generate new authentication credentials before accessing it for the first time.

You must implement ‘a reasonable security feature or features’ but we’re not going to tell you what those features are. Oh, and if you fail to comply with our undefined rules, you will be subject to punishment. Anyways, good luck!

That sounds perfectly reasonable, doesn’t it?

Eight Percent of the Time It Works Every Time

The Transportation Security Agency (TSA) is the embodiment of government incompetence. It has failed 95 percent of red team exercises, which doesn’t bode well for the agency’s general ability to detect weapons before air travelers are able to enter the “secure” area of an airport. However, the United States doesn’t have a monopoly on government incompetence. The United Kingdom (UK) also has its own program that has a failure rate of 90 percent:

A British police agency is defending (this link is inoperable for the moment) its use of facial recognition technology at the June 2017 Champions League soccer final in Cardiff, Wales—among several other instances—saying that despite the system having a 92-percent false positive rate, “no one” has ever been arrested due to such an error.

Of course nobody has been arrested due to a false positive. When a system has a false positive rate of 92 percent it’s quickly ignored by whoever is monitoring it.

False positives can be just as dangerous as misses. While misses allow a target to avoid a detection system, false positives breed complacency that quickly allows false positives to turn into misses. If a law enforcer is relying on a system to detect suspects and it constantly tells him that it found a suspect but hasn’t actually found a suspect, the law enforcer quickly ignores any report from the system. When the system does correctly identify the suspect, there’s a good chance that the law enforcer monitoring it won’t even bother to look at the report to verify it. Instead they’ll just assume it’s another false positive and continue sipping their tea or whatever it is that UK law enforcers do most of the time.

Important Lessons All Around

The students of the Marjory Stoneman Douglas High School are back in prison and are already learning some valuable lessons:

Survivors of the deadly school shooting in Florida have resisted new security rules that ban all but clear backpacks at their school.

Students at Marjory Stoneman Douglas High in Parkland, adorned their bags with signs, badges and slogans protesting against the measures.

Seventeen people were killed in the shooting on 14 February.

The attack led to an extensive social media campaign, culminating in a national march for tighter gun control.

But students have argued that the new bags will not prevent future attacks and infringe their privacy.

The first lesson, obviously, is that it sucks being punished for something you didn’t do.

The second lesson is probably a bit more subtle but the students have identified what the faculty who imposed this policy never comprehended: security theater is not security. Those students who are claiming that transparent backpacks don’t prevent future attacks are entirely correct. First of all, weapons can still be hidden in transparent backpacks. One can easily toss a weapon in a hollowed out book, pencil case, or tampon box. Moreover, an attacker doesn’t have to sneak a weapon into the school, they can just walk in with the weapon and shoot anybody who attempts to stop them.

The third lesson should be the most obvious but is probably the least obvious: laws (or in this case, policies) are irrelevant. While the school may require students to use transparent backpacks, the students have found the policy burdensome and are violating the spirit of it by concealing the contents of their backpacks behind signs and other obstructions. The words on pieces of paper that are the actual physical policy are unable to control the will of the students. This is why laws fail to prevent the behavior that they’re aimed at preventing. Gun control laws can’t stop individuals from acquiring or manufacturing a firearm. Transparent backpack requirements can’t stop individuals from obscuring the content of their backpacks.

Unfortunately, I have little faith that these lessons will be comprehended. The students, being interned in a government indoctrination center, are at a severe learning disadvantage due to the indoctrination that they’re being told is an education. The faculty were likely the product of the same indoctrination and are therefore also hindered from learning. And few people allow new knowledge to alter their beliefs. If new knowledge doesn’t support their beliefs, they will perform the mental gymnastics necessary to make it fit into their worldview.

Airport Security Remains a Joke

How can one best illustrate the ineffectiveness of airport security? By pointing out that serial stowaways are a thing:

The woman known as a “serial stowaway” for her years-long history of sneaking onto airplanes was arrested once again at Chicago’s O’Hare International Airport early Sunday — just two weeks after she managed to board a flight to London from the same airport.

In an attempt to divert attention away from the failure of the airport security team, a member of the local sheriff’s department made a statement that actually made them look even more incompetent:

The sheriff’s office had advocated for special treatment for Hartman, according to NBC Chicago.

“Releasing any seriously mentally ill person without support and treatment is never a good idea,” Cara Smith, the sheriff’s policy chief, told NBC Chicago on Thursday. “This order seriously reflects many things wrong with the criminal justice system.”

“We have a woman who is obviously suffering and in need of significant services,” she said, according to the station. “Without the help she clearly needs, history is likely to repeat itself.”

Not just any woman managed to board two flights but a woman who apparently doesn’t have full faculties.

Security theater continues to be a joke. Its existence only serves to ease the fears of ignorant flyers. Anybody who has read the seemingly ceaseless stream of stories about airport security failures is left to realize that airport and security are currently mutually exclusive terms.

Tightening the Chains

The turkey won’t be the only thing to get a hand up its ass this Thanksgiving:

New TSA screening guidelines will likely make Thanksgiving travel a disaster for legions of Americans — and the worst is yet to come.

Shortly after Trump’s inauguration, TSA announced more “comprehensive” pat-down procedures which the Denver airport suggested might involve “more intimate contact than before.” TSA preemptively notified local police to expect potential complaints, and plenty of travelers are howling:

The Transportation Security Administration (TSA) still hasn’t thwarted a single terrorist plot. After 16 years one might expect an agency to show proof of having accomplished something. Instead the agency has pulled the same stunt as every other government agency and claimed that its failures are due to lack of funding. And like every other government agency, the TSA has shown no evidence of improvement when its funding has been increased.

Creating the Super Bowl Experience

The toll of the Super Bowl continues to rise. Between the “security” turning the entire city into a prison, shutdown streets, and light rail use reserved exclusively for Super Bowl attendees, things have already become quite miserable for the denizens of Minneapolis. But the Super Bowl experience wouldn’t be complete if some wealthy attendees had their vision offended by a poor person so the homeless shelter near the stadium is being evacuated for the duration of the game:

Dozens of people who use a homeless shelter near U.S. Bank Stadium will be moved to a new, temporary facility during Super Bowl week because of security concerns.

In a deal struck with churches and social service agencies, up to 60 people who normally would spend the night at First Covenant Church in downtown Minneapolis will be relocated six blocks away to a makeshift shelter at St. Olaf Catholic Church. The transition will occur the Thursday before the 2018 game and last through Super Bowl Sunday.

It is, of course, being done in the name of security. However, the 60 people occupying that shelter are no more a security risk than the hundreds living in the condominiums near the stadium so it’s pretty obvious this decision has nothing to do with actual security. But most “security” decisions being made have nothing to do with security and everything to do with security theater being a convenient excuse to ensure the Super Bowl attendees don’t have to deal with the riffraff of Minneapolis.

For $19.95 You Too Can Rent a Weapon of Terror for 90 Minutes

I’m predicting that it’s going to become a lot more difficult to rent a vehicle in the near future because of the attack perpetrated in Manhattan yesterday:

TRIBECA, Manhattan — A man described as a “lone wolf” deliberately drove a rented truck into a West Side bike path in lower Manhattan, killing at least eight people and injuring 11 others in the first terror attack in New York City since 9/11.

A high ranking police source tells PIX11 News the suspect has been identified as 29-year-old Sayfullo Saipov from Tampa, Florida. Saipov was brandishing two fake guns when he exited the truck after the multi-block rampage, yelling “Allah Akbar,” which is Arabic for God is great.

Since the attacker supposedly yelled, “Allah Akbar,” this attack was labeled terrorism, which brings us to a rather important point. For the low price of $19.95 (for 90 minutes) the attacker was able to acquire a weapon of terror from Home Depot. Asymmetrical warfare tactics are difficult to counter specifically because the weaponry is cheap and readily available.

Unfortunately, this attack will likely make renting a vehicle a huge pain in the ass in the near future. Because its logo is on the side of the truck, Home Depot will feel the need to demonstrate its piety to the State. It will likely do this by establishing new policies for vehicle rentals that include a bunch of new hoops for renters to jump through. Such policies will be futile but that doesn’t matter since they’ll be implemented for show, not for actual security reasons.

Make no mistake, terrorism is winning the War on Terror. Almost every attack that gets labeled terrorism results in the lives of everyday people being inconvenienced by more bureaucracy that does nothing to improve actual security. This attack will likely be no different in that regard.

TSA Agents Want to Talk to You

It must get lonely being a Transportation Security Administration (TSA) officer. They stand in line for hours making the lives of passengers who are just trying to get from one place to another miserable. Needless to say, there isn’t a lot of love for TSA officers. To help alleviate their loneliness, higher ups have implemented new security measures that will require people entering the country to make small talk with the agency’s flunkies:

New security measures including stricter passenger screening take effect on Thursday on all U.S.-bound flights to comply with government requirements designed to avoid an in-cabin ban on laptops, airlines said.

Airlines contacted by Reuters said the new measures could include short security interviews with passengers at check-in or the boarding gate, sparking concerns over flight delays and extended processing time.

They will affect 325,000 airline passengers on about 2,000 commercial flights arriving daily in the United States, on 180 airlines from 280 airports in 105 countries.

Now we know what the laptop ban was all about: making the intended security policy look better by comparison. This change in policy will also do nothing to improve airline security. I know that the agency is going for the Israeli system but that requires having people who know what they’re doing asking passengers questions. The TSA isn’t renowned for hiring competent individuals and any encounter with one of their officers will give anybody who has watched Idiocracy flashbacks.

Everything is a Big Ol’ Conspiracy

Can anything occur in this day and age without people claiming that it’s part of a conspiracy? Almost immediately after the shooting in Las Vegas, before any investigation had a chance to even begin, people were claiming that the event was part of some conspiracy. As with most conspiracy theories, this conspiracy theory is based on spurious evidence. So far the dumbest “evidence” that “doesn’t add up” is news that the shooter used the freight elevator at Mandalay Bay:

Law enforcement sources told CBS News that Las Vegas shooter Stephen Paddock is believed to have used the freight elevator at the Mandalay Bay hotel casino in the days leading up to last week’s deadly attack.

It wasn’t clear what Paddock used the freight elevator for or how often he used it.

How could the shooter have accessed a restricted freight elevator without help from the inside? Obviously this is proof that he had help!

Anybody who claims that doesn’t realize just how poor building security generally is. I’ve used freight elevators on numerous occasions, including in casinos, without authorization. They’re usually “hidden” behind a nondescript door or one with a sign that says “Employees Only.” In almost every case the door is unlocked and the elevator lacks any form of access control. If the owners of the building are really concerned about security, there might be cameras that aren’t monitored by anybody facing the freight elevator doors although even that’s pretty rare.

Another way of gaining access to a freight elevator is to ask the person working at the front desk if you can use it to haul up a bunch of luggage. As it turns out, the person at the front desk who is tasked with making the customer happy will often let you use the freight elevator if it makes you happy. Humans are often wonderfully helpful creatures.

So I’m sorry to report that using a freight elevator isn’t evidence that “doesn’t add up.” It adds up quite cleanly. Although I suspect that access control on freight elevators will become more common now that this information has been released.