Archive for the ‘Security Theater’ tag
The Transportation Security Administration (TSA) has a sordid record when it comes to airport security. Since airport security is the agency’s primary job and it hasn’t been doing an effective job of providing it, you might expect the agency to, you know, try to improve its capabilities. Instead it has been doubling down on security theater. The best part is that the agency’s own files show it knows its efforts are theater:
If you’ve ever suspected that the TSA’s airport behavior screening (where it looks for visual signs of lying or stress) was just another example of ineffective security theater, you now have some science to back up your hunches. Thanks to a lawsuit, the ACLU has obtained TSA files showing that the organization has pushed and even expanded its “behavior detection” program despite a lack of supporting evidence. While the TSA maintains that it can detect signs of shady activity through fidgeting, shifty eyes and other visual cues, studies in its files suggest just the opposite — you’d have just as much success by choosing at random. And those are in controlled conditions, not a busy airport where anxiety and stress are par for the course.
The TSA hasn’t thwarted a single terrorist attack since it was founded. It hasn’t even done anything noteworthy in the field of security. The only thing the agency has managed to do is bolster the profits of bottled water manufacturers by stealing air travelers’ water and forcing them to buy more inside of “secure” areas. Yet this agency continues to exist. It continues to exist because the government that established it believes stealing your money and giving it to one of its entirely ineffective agencies is fiscally responsible.
The next time some statist dipshit tells you that taxes aren’t high enough remind them that a ton of tax money is being irresponsibly dumped into agencies like the TSA.
How expensive is it to perform a denial of service attack in the real world? More often than not the cost is nearly free. The trick is to exploit the target’s own security concerns:
A flight in America was delayed and almost diverted on Tuesday after a passenger changed the name of their wi-fi device to ‘Samsung Galaxy Note 7’.
An entire flight was screwed up by simply changing the SSID of a device.
Why did this simple trick cause any trouble whatsoever? Because the flight crew was more concerned about enforcing the rules than about actual security. There was no evidence of a Galaxy Note 7 being onboard. An SSID is nothing more than an unauthenticated string that the owner of the device chooses, so anybody can set it to anything they want, and the presence of an SSID reading “Samsung Galaxy Note 7” shouldn’t have been enough to cause any issues. But the flight crew allowed that, at best, flimsy evidence to spur them into a hunt for the device.
This is why performing denial of service attacks in the real world is often very cheap. Staffers, such as flight crew, seldom have any real security training so they tend to overreact. They’re trying to cover their asses (and I don’t mean that as an insult, if they don’t cover their asses they very well could lose their job), which means you have an easy exploit sitting there for you.
Minnesota is one of the few remaining states that has told the federal government where to stick its REAL Slave ID requirements. If you do live in Minnesota and you really want an official Slave ID you can pay an extra $15 and go through the additional hassle necessary to convert your driver’s license, but it’s not required.
While it’s been known that the Transportation Security Administration (TSA) would begin requiring Slave IDs to board aircraft, the exact deadline has remained unknown. Soon the TSA at the Minneapolis-St. Paul International Airport will post signs indicating that the deadline will be January 22, 2018:
MINNEAPOLIS (KMSP) – Signs will soon be posted at Minneapolis-St. Paul International Airport with a warning that your current Minnesota driver’s license won’t be enough to pass through security in 2018.
Starting Jan. 22, 2018, you will need an alternate ID to fly if you have a standard driver’s license or ID card issued by any of the following states: Kentucky, Maine, Minnesota, Missouri, Montana, Oklahoma, Pennsylvania, South Carolina or Washington. Alternate forms of ID include a passport, military ID, or permanent resident card. You can find a full list of accepted ID at https://www.tsa.gov/travel/security-screening/identification
If you live in Minnesota and wish to travel on an airplane you should consider getting a passport. In fact, if you live in the United Police States of America you should consider getting a passport just so you have the option to leave this forsaken Orwellian nation.
I hope the Minnesota government continues to push against the Slave ID requirements but I fear that they’re going to kowtow to their federal masters before the deadline.
Shortly after the attack in San Bernardino the Federal Bureau of Investigation (FBI) tried to exploit the tragedy in order to force Apple to assist it in unlocking Syed Rizwan Farook’s iPhone. According to the FBI, Farook’s phone likely contained information that would allow them to find his accomplices, establish his motives, and basically solve the case. Apple refused to give the FBI the power to unlock any iPhone 5C willy-nilly, but the agency eventually found a third party that had an exploit that allowed the built-in security to be bypassed.
One year later the FBI hasn’t solved the case even with access to Farook’s iPhone:
They launched an unprecedented legal battle with Apple in an effort to unlock Farook’s iPhone and deployed divers to scour a nearby lake in search of electronic equipment the couple might have dumped there.
But despite piecing together a detailed picture of the couple’s actions up to and including the massacre, federal officials acknowledge they still don’t have answers to some of the critical questions posed in the days after the Dec. 2, 2015, attack at the Inland Regional Center.
Most important, the FBI said it is still trying to determine whether anyone was aware of the couple’s plot or helped them in any way. From the beginning, agents have tried to figure out whether others might have known something about Farook and Malik’s plans, since the couple spent months gathering an arsenal of weapons and building bombs in the garage of their Redlands home.
Officials said they don’t have enough evidence to charge anyone with a crime but stressed the investigation is still open.
This shouldn’t be surprising to anybody. Anybody who had the ability to plan out an attack like the one in San Bernardino without being discovered probably had enough operational security to not use an easily surveilled device such as a cellular phone for the planning. Too many people, including those who should know better, assume only technological wizards have the know-how to plan things without using commonly surveilled communication methods. But that’s not the case. People who are committed to pulling off a planned attack that includes coordination with third parties are usually smart enough to do their research and utilize communication methods that are unlikely to be accessible to prying eyes. It’s not wizardry, it’s a trick as old as human conflict itself.
Humans are both unpredictable and adaptable, which is what makes mass surveillance useless. When an agency such as the National Security Agency (NSA) performs mass surveillance they get an exponentially greater amount of noise than signal. We’re not even talking about a 100:1 ratio. It would probably be closer to 1,000,000,000,000:1. Furthermore, people with enough intelligence to pull off coordinated attacks are usually paranoid enough to assume the most commonly available communication mechanisms are being surveilled so they adapt. Mass surveillance works well if you want a lot of grandmothers’ recipes, Internet memes, and insults about mothers made by teenagers. But mass surveillance is useless if you’re trying to identify individuals who are a significant threat. Sure, the NSA may get lucky once in a while and catch somebody but that’s by far the exception, not the rule. The rule, when it comes to identifying and thwarting significant threats, is that old fashioned investigative techniques must be employed.
Government agencies only expand, they never contract. Although the Transportation Security Administration (TSA) has failed 95 percent of red team exercises the agency hasn’t been abolished. Instead Congress wants to reward the agency by expanding its scope to guard the trains that practically nobody uses:
Several U.S. senators want the TSA to focus more attention and resources on rail, highway, and marine transportation, which would mean greater security oversight at such places as Amtrak stations and Megabus coach stops. A bipartisan bill introduced Thursday by Senator John Thune (R-S.D.) would require the TSA to use a risk-based security model for these transport modes and to budget money based on those risks. It would require a wider use of the agency’s terrorist watch list by train operators and more detailed passenger manifests along with tighter screening of marine employees. The legislation also would increase the TSA’s canine use by as many as 70 dog-handler teams for surface transportation.
Why bother? No terrorist attack has been performed on an Amtrak train. Compared to airliners Amtrak trains are practically ghost towns. They’re low value targets to an attacker looking to rack up as high of a body count as possible. Obviously this isn’t about security so what is it about? My guess is that it’s about police state bullshit.
Remember all those movie scenes where the Nazi or Soviet officer asks passengers boarding a train for their papers? It used to be the thing we were told to fear, for obvious reasons. But those scenes are pornography for statists. They show everything statists desire: control, order, and obedience. And they swooped in the second they had an excuse to implement the exact same system for air travelers. When you line up in the security theater line at an airport you hand your papers to a TSA agent who looks them over and decides whether or not you can move forward. If you’re a Jew or a kulak on the terrorist watch lists your trip ends there and you’ll be escorted away by a thug in a uniform. Now that everybody is used to kowtowing to government agents demanding to see our papers, Congress is ready to expand the TSA’s scope. It won’t surprise me if the nation’s highways are someday littered with surprise TSA checkpoints.
Never ending expansion such as this is why I have a zero tolerance policy towards government. If you give government an inch it will slowly take a mile. The only sane solution is to not have a government at all.
It’s no secret to anybody who has had the displeasure of flying out of the Minneapolis/St. Paul International Airport (MSP) that something is wrong with the security lines. While there are several numbered checkpoints, most of them are no longer in use. Now there are only three: the two main checkpoints and a lesser known one tucked away elsewhere in the airport. This has led to ridiculously long security lines, and flights are being missed just so a putz with a badge can play their part in security theater.
If the Transportation Security Administration (TSA) is a failure of an organization in general then the TSA at MSP is the idiot uncle of the family that everybody hates because he gets drunk at the family get-togethers and starts getting frisky with everybody’s wives and daughters.
Somebody has finally had enough and is filing a lawsuit:
A Minneapolis man is blaming the long lines at security for missing a recent flight, and now he’s suing the federal agency and the Twin Cities airport’s operator for $506.85.
In the lawsuit filed in federal court last week, Hooman Nikizad said his wait of more than 90 minutes on March 19 before he passed through security screening by the federal Transportation Security Administration (TSA) made him miss his afternoon flight to Los Angeles.
“I had to buy a ticket with another airline to be able to make my destination and meet my obligations,” Nikizad said in his claim, which noted the TSA had limited staff on duty at the time and “only one body scanner for the regular security line [in operation].”
I’m sure Mr. Nikizad will be added to the no-fly list. Regardless his lawsuit, as far as I’m concerned, is entirely justified. Expecting people to arrive hours before a flight for no reason whatsoever (see the TSA’s 95 percent failure rate) is unacceptable. If somebody arrives at the airport 90 minutes before their flight and is forced to buy another ticket because TSA couldn’t get its shit together then the agency should be forced to reimburse them for damages.
Supposedly the Libertarian Party tries to get libertarians elected into offices. The party has a funny way of going about that goal though. For example, the party hasn’t nominated an actual libertarian presidential candidate for at least as long as I’ve been old enough to vote. This year’s ticket is no different.
Gary “Ban the Burqa” Johnson was nominated to be the Libertarian Party’s presidential candidate this year. Although the Libertarian Party doesn’t allow presidential candidates to outright pick their running mates, the party voters are usually willing to roll over and approve whoever their presidential candidate wants. Johnson wanted Bill Weld and the Libertarian Party, apparently deciding it didn’t want any libertarians on its presidential ticket, was happy to comply.
After the shooting in Orlando Weld decided to show his anti-libertarian colors:
Bill Weld, the former governor of Massachusetts now running as the Libertarian Party’s candidate for vice president, called today for a 1,000-agent task force to combat Islamic State adherents in the United States, and for a tip line where Muslims could inform on radicalism.
“Let’s face it: The United States is under attack right now by ISIS and ISIS copycats,” Weld said. “They have a deep pool to pull from. There are over 3 million Muslims in the United States — maybe Mr. Trump will want to deport them all, but the better approach is to work with the community.”
Weld, who served as U.S. attorney and then assistant attorney general in the DOJ’s criminal justice division, suggested that the DOJ could take a cue from a program that worked in Massachusetts. The “Drop-a-Dime Project,” a nonprofit tip line created by community leaders, was used by law enforcement to pursue tips about crime in Boston’s black neighborhoods and to achieve breakthroughs in drug investigations.
“We’d get all kinds of tips,” Weld said. “The residents of Dorchester and Mattapan were only too happy to help. There may be some people out there leaning toward ISIS, people who would want to shelter the people going around killing other people. But for every pair of ears that would be sympathetic, there will be pairs that will not be sympathetic.”
I thought the Libertarian Party was all about shrinking government, not growing it. I guess this is what happens when the party doesn’t nominate a libertarian as its vice presidential candidate.
I know the Libertarian Party, especially now that it’s pulling people from the Republican Party, has a lot of statists within its ranks so this idea may sound appealing to them. Let’s consider the effectiveness of such a program. I’ll start by once again quoting Bruce Schneier, “If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.” This is something libertarians tend to inherently understand. If you set up a program where average Joes are expected to rat out their neighbors you will get a lot of noise and very little, if any, signal.
How do you tell if somebody expressing sympathies for the Islamic State (IS) is merely angry at the way the United States and European countries have treated the Middle East or is planning to commit acts of murder in the organization’s name? Most people can’t tell, and that’s the problem with this kind of tip line. It would be flooded with “tips” from people who think somebody speaking out against the United States dropping bombs on wedding parties is sympathizing with IS. Many of the “tips” would likely come from people who just don’t like their Muslim neighbors and see the tip line as a way to get the State to harass them. Weld’s proposal would create a 1,000-agent (you do have to appreciate how all of these proposals involve an arbitrary number of agents that is almost always cleanly divisible by 10) task force that does nothing productive (in other words, it’ll be just like every other government agency).
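The noise-versus-signal problem described above, for the tip line and equally for behavior screening and mass surveillance earlier on this page, is the base rate fallacy, and it can be put in numbers. The following is an added example, not code from the original post or from any TSA or DOJ program; the prevalence, hit rate, false-alarm rate and daily throughput are assumed, illustrative figures. It generalizes beyond the text by modeling any screen (a tip, a behavior-detection flag, a surveillance hit) as a classifier and computing how many of its flags are real:

```python
"""Base-rate arithmetic for a screening program or tip line.

Added example; all numbers below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Screen:
    """A screen (tip line, behavior detection, surveillance hit) as a classifier."""
    prevalence: float      # fraction of the screened population that is a real threat
    sensitivity: float     # P(flagged | real threat)
    false_positive: float  # P(flagged | innocent)

    def positive_predictive_value(self) -> float:
        """P(real threat | flagged), by Bayes' theorem."""
        true_pos = self.prevalence * self.sensitivity
        false_pos = (1.0 - self.prevalence) * self.false_positive
        if true_pos + false_pos == 0.0:
            return 0.0  # screen never flags anybody
        return true_pos / (true_pos + false_pos)

    def flags_per(self, population: int) -> tuple[int, int]:
        """Expected (real threats flagged, innocents flagged) in `population` screened."""
        threats = population * self.prevalence
        innocents = population - threats
        return round(threats * self.sensitivity), round(innocents * self.false_positive)


def noise_to_signal(screen: Screen, population: int) -> float:
    """Innocents flagged per real threat flagged; infinite if no real threat is caught."""
    hits, false_alarms = screen.flags_per(population)
    return false_alarms / hits if hits else float("inf")


def random_baseline(prevalence: float, flag_rate: float) -> Screen:
    """A screener that flags people uniformly at random.

    Its sensitivity equals its false-positive rate, so its PPV is just the
    prevalence: the benchmark a behavior-detection program has to beat.
    """
    return Screen(prevalence, flag_rate, flag_rate)


# Assumed figures: one real threat per million travelers, a generous screener
# that catches 90% of them while flagging 5% of innocents, two million
# screenings per day.
ASSUMED_PREVALENCE = 1e-6
ASSUMED_SCREEN = Screen(ASSUMED_PREVALENCE, sensitivity=0.9, false_positive=0.05)
ASSUMED_DAILY_POPULATION = 2_000_000


if __name__ == "__main__":
    ppv = ASSUMED_SCREEN.positive_predictive_value()
    hits, false_alarms = ASSUMED_SCREEN.flags_per(ASSUMED_DAILY_POPULATION)
    print(f"P(threat | flagged) = {ppv:.2e}")
    print(f"per day: {hits} real hits, {false_alarms} innocents flagged")
    print(f"noise:signal = {noise_to_signal(ASSUMED_SCREEN, ASSUMED_DAILY_POPULATION):,.0f}:1")
    coin_flip = random_baseline(ASSUMED_PREVALENCE, flag_rate=0.05)
    print(f"random screener PPV = {coin_flip.positive_predictive_value():.2e}")
```

With these assumed inputs the screen flags about 100,000 innocent people per day to catch roughly two real threats, and fewer than one flag in 50,000 is genuine. The task force chasing those flags is doing the work the tip line was supposed to save, which is the point of the Schneier quote. Lowering the false-positive rate helps far less than one would hope while the prevalence stays near one in a million.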
I’m glad I don’t play politics anymore. If I did I’d be depressed this election cycle because there are exactly zero acceptable candidates running for office.
As is common after a violent tragedy, a great deal of electrons are being annoyed by people who are calling for prohibitions. Some want to prohibit firearms, ammunition, and body armor while others want to prohibit members of an entire religion from crossing the imaginary line that separates the United States from the rest of the world. All of this finger pointing is being done under the guise of security but the truth is that any security system that depends on an attacker acting in a certain way is doomed to fail.
Prohibitions don’t eliminate or even curtail the threat they’re aimed at. In fact the opposite is true. The iron law of prohibition, a term coined in regards to prohibitions on drugs, states that the potency of drugs increases as law enforcement efforts against drugs increase. It applies to every form of prohibition though. Prohibitions against firearms just encourage the development of more easily manufactured and concealable firearms, just as a prohibition against religious beliefs encourages those beliefs to be practiced in secrecy.
When you rely on a prohibition for security you’re really relying on your potential attackers to act in a specific way. In the case of firearm prohibitions you’re relying on your potential attackers to abide by the prohibition and not use firearms. In the case of prohibiting members of a specific religion from entering a country you’re relying on potential attackers to truthfully reveal what religion they are a member of.
But attackers have a goal and, like any other human being, they will utilize whatever means achieve their ends. If their ends can be best achieved with a firearm they will acquire or manufacture one. If their ends require body armor they will acquire or manufacture body armor. If their ends require gaining entry into a country they will either lie to get through customs legitimately or bypass customs entirely. Your attackers will not act in the manner you desire. If they did, they wouldn’t be attacking you.
What prohibitions offer is a false sense of security. People often assume that prohibited items no longer have to be addressed in their security models. This leaves large gaping holes for attackers to exploit. Worse yet, prohibitions usually make addressing the prohibited items more difficult due to the iron law of prohibition.
Prohibitions not only provide no actual security they also come at a high cost. One of those costs is the harassment of innocent people. Firearm prohibitions, for example, give law enforcers an excuse to harass anybody who owns or is interested in acquiring a firearm. Prohibitions against members of a religion give law enforcers an excuse to harass anybody who is or could potentially be a member of that religion.
Another cost is a decrease in overall security. Firearm prohibitions make it more difficult for non-government agents to defend themselves. A people who suffer under a firearm prohibition find themselves returned to the state of nature where the strong are able to prey on the weak with impunity. When religious prohibitions are in place an adversarial relationship is created between members of that religion and the entity putting the prohibition in place. An adversarial relationship means you lose access to community enforcement. Members of a prohibited religion are less likely to come forth with information on a potentially dangerous member of their community. That can be a massive loss of critical information that your security system can utilize.
If you want to improve security you need to banish the idea of prohibitions from your mind. They will actually work against you and make your security model less effective.
The Transportation Security Administration (TSA) sucks at providing airport security. But the agency isn’t a one trick pony. Demonstrating its commitment to excellence — at sucking — the TSA is working hard to make its computer security just as good as its airport security:
The report centers on the way TSA (mis)handles security around the data management system which connects airport screening equipment to centralized servers. It’s called the Security Technology Integrated Program (STIP), and TSA has been screwing it up security-wise since at least 2012.
In essence, TSA employees haven’t been implementing STIP properly — that is, when they’ve been implementing it at all.
STIP manages data from devices we see while going through security lines at airports, namely explosive detection systems, x-ray and imaging machines, and credential authentication.
In addition to unpatched software and a lack of physical security that allowed non-TSA airport employees access to IT systems, the auditors found overheated server rooms and computers using unsupported systems — and much more.
The observed “lack of an established disaster recovery capability” noted by the OIG is particularly scary. If a data center was taken out by natural disaster, passenger screening and baggage info would be rendered inaccessible.
Not only that, but there was no security incident report process in place, and there was “little employee oversight in maintaining IT systems.” And, auditors were not pleased at all that non-TSA IT contractors maintained full admin control over STIP servers at airports.
At what point do we write the TSA off as a failed experiment? I know, it’s a government agency, it’ll never go away. But the fact that the TSA continues to fail at everything and is allowed to continue existing really demonstrates why the market is superior to the State. Were the TSA forced to compete in a market environment it would have been bankrupted and its assets would have been sold to entrepreneurs who might be able to put them to use.
It’s time to ask the million dollar question. What will happen now? One of the reason government agencies fail to improve their practices is because there’s no motivation to do so. A government agency can’t go bankrupt and very rarely do failures lead to disciplinary action. In the very few cases where disciplinary action does happen it’s usually something trivial such as asking the current head of the agency to retire will full benefits.
Meanwhile air travelers will still be required to submit to the TSA, which not only means going through security theater but now potentially means having their personal information, such as images from the slave scanners, leaked to unauthorized parties.
Kickstarter is used to get some really cool projects off of the ground but it’s also packed with half-baked ideas and outright scams. What I present here is a case of the latter. Meet the first encryption software engineered to defeat hacking programs, granting impenetrable data protection, and cloud storage (their words, not mine).
I’m not even sure where to start with this one so I guess I’ll start with the most obvious red flag, impenetrable anti-hacking software. Before starting this Kickstarter I assume the team worked on a unicorn ranch because they apparently have a knack for delivering the impossible. And if designing impenetrable software is possible it certainly isn’t going to be done by this team. Pulling off such a feat would require a great deal of technical knowledge and this team doesn’t appear to have that as I will demonstrate. Let’s begin with their statement regarding the Advanced Encryption Standard (AES):
AES Hacking Solutions are readily available for sale on dark web.
In the late 1990’s, AES, while under ‘well-intentioned’ government oversight, somehow, a ‘back-door’ found its way into this ‘approved’ data security solution, — as has been widely reported. The unintended consequences of this back-door allows for complete access to your data, without your permission, to data monitoring, data-mining and active eavesdropping. Effectively, voiding your right to privacy and confidently. So common is this practice it has a name: Active Snooping.
There are known attacks against AES but none of them are practical. But the elite team of entrepreneurs (I’ll get to that in a bit) supposedly know of a backdoor. In fact this backdoor has supposedly been widely reported! Yet I’ve never heard of it, which I find odd because I follow the publications of quite a few computer security experts. I guess everybody from Bruce Schneier to Dan Kaminsky just missed that piece of news as well as this piece:
SSL is a Myth. Cybercriminals know about these flaws and back-door. They are stealing, compromising, and profiting from your data everyday.
SSL is a myth? Huh. As somebody who has spent many hours configuring it I would beg to differ. SSL, more accurately TLS, is a very real thing. It’s also secure so long as it’s configured correctly. Speaking of myths, or more accurately fiction:
You don’t have to be 007 to Use the DataGateKeeper Encryption Software…
I’m glad they mentioned 007 because this page reads like the “hacking” Q did in Skyfall. That is to say it’s nonsensical and entirely fictitious. Q gets a pass though because he’s a fictional character in a fictional universe where anything is possible. Even something as infeasible as a Walther PPK feeding reliably can happen in the James Bond’s universe.
Earlier I questioned DataGateKeeper’s team’s technical knowledge. This isn’t because they posted an incorrect minor detail about a complex mathematical factoid. It’s because they can’t even get basic units of measure correct:
So. Many. Kilobits! Even if you’re only marginally aware of AES you’ve probably seen a mention of a 128-bit and a 256-bit mode (the standard defines exactly three key sizes: 128, 192, and 256 bits). A kilobit is 1,000 bits, so according to this chart DataGateKeeper has 512,000-bit encryption whereas services such as Dropbox and OneDrive lack even 128,000-bit AES encryption. Well, that’s a no-brainer since 128,000-bit AES doesn’t exist. Even if it did, no consumer computer would have the processing power to use it. This chart should have added a row for unicorns. None of the competing services offer unicorns and I wouldn’t put it past the DataGateKeeper team to claim they offer unicorns.
Regardless of feasibility, DataGateKeeper is offering all of the kilobits:
- 512kb Civilian – 50 Years of protection. Available on Kickstarter.
- 768kb First Responders, Police, Retired & Active Duty Military – 73 years of protection. Donation of your choice.
- 1024kb – Enterprise & SMB
That’s a lot of kilobits! But wait… now I’m confused. Earlier on the page it said:
MyDataAngel.com provides Impenetrable Civilian Data Protection plans beginning at 512-bit encryption.
So which is it? 512 bits or 512 kilobits? There’s a factor of 1,000 between the two. I’m sure that will be clarified at a future date. What we do know is that whatever algorithm they’re using is 6,000,000 times stronger than current data security:
We created a cipher that is 6,000,000 times stronger than current data security, as proven by algorithmic mathematics.
See? They proved it with algorithmic mathematics! That’s, like, the best kind of mathematics!
So how does this miraculous algorithm work? Who knows. The Kickstarter page, not surprisingly, doesn’t include any technical details. Okay, it does include a gif image with a calculator and some math-like stuff. It doesn’t actually explain anything but it’s there.
After reading this Kickstarter page you’re left with the feeling that it was written by marketing people who have no knowledge about cryptography. Even the most basic of information is either wrong or nonsensical. It’s almost as if there are no cryptographers involved with this project. In fact, that may be exactly what the problem is:
Our management team is uniquely qualified to implement our plan of operations, with a combined 75+ years of entrepreneurial experience, at all levels of corporate gestation, from rank start-up through to publicly traded entities. Our experience spans multiple sectors, from entertainment and manufacturing to healthcare and technology. The management team resume includes names such as: PepsiCo, Colgate-Palmolive, Paramount Studios and Merv Griffin Productions. Our President and co-founder, Debra Towsley, oversaw the marketing plan for Universal Studio’s $1.5 billion theme park expansion, Islands of Adventure®, as VP of Marketing. Our Chief Strategy Officer, Frank Ruppen, graduated from Harvard Business School, and cut his teeth as the brand manager for Proctor & Gamble, before accepting positions at McKinsey & Co., Sterling Brands, and Consumer Dynamics; he relocated to work in cities like: Sydney, Caracas and Tokyo. Raymond Talarico, our CEO, has been involved in multiple roll-ups and consolidations. He is credited as having developed companies from a one-sentence mission statement in MEDirect Latino to publicly traded entities with market caps exceeding $160M. The youngest member of our team, Joshua Noel (21), is the Creative Director who is a literal ‘Jack of All Trades’ when it comes to content creation. Yes, they do exist. His talent is on display here in the videos, as well as the vlogs, the overall design of our branding, and iconization.
They have people experienced in entrepreneurship but not a single mention of a cryptographer anywhere on the page is made. That pretty much tells us everything we need to know and explains why this page reads like a marketing person was tasked with writing a sales pitch on a cryptographic service but wasn’t given access to anybody knowledgeable in cryptography to verify any of the claims.
This is what a scam looks like. The product being offered is not only impossible but the entire writeup makes no sense within the framework of the market they’re aiming at. Scam might not even be the correct word for this. I would hope a scam artist would put some effort into making their scam at least appear somewhat believable. The people involved in this page didn’t even accomplish that much! DataGateKeeper’s team are scam artists who couldn’t even create a convincing scam. They’re basically failures who failed at failing.
At this point, when social media backlash destroys any chance of this Kickstarter getting funded, I’m expecting them to claim that this was all an elaborate troll. It really is their only option.