Psycho Sensei: January 2008 Archives


January 28, 2008

TSA tester slips mock bomb past airport security - CNN.com

TSA tester slips mock bomb past airport security - CNN.com:


TAMPA, Florida (CNN) -- Jason -- that's the name CNN was asked to call him -- slides a simulated explosive into an elastic back support. The mock bomb is as slim as a wallet; its fuse, the size of a cigarette. He wraps the support around his torso, and the bomb fits comfortably into the small of his back.

It's hard to tell he's concealing anything; harder still when he dons a black T-shirt and a maroon golf shirt.

Then, with CNN's cameras in tow, Jason heads to Tampa International Airport, where he'll try to sneak the fake explosive past security screeners.

Jason, a covert tester for the Transportation Security Administration, has been probing airport weaknesses for five years, beginning with big mock bombs before switching to ever smaller devices as the TSA adapts to evolving terrorist threats.

As jobs go, this one comes with its own unique set of satisfactions and tribulations. Jason wants to succeed at his task -- and he wants to fail. Success is a measure of his stealth, hewn by 40 years in law enforcement. But failure is satisfying too, because it means airport screeners are growing more adept at detecting threats.

So Jason -- looking every bit the middle-aged man on an uneventful trip to anywhere -- shows a boarding pass and an ID to a TSA document checker, and he is directed to a checkpoint where, unbeknown to the security officer on site, the real test begins.

He gets through, which in real life would mean a terrorist was headed toward a plane with a bomb.

To be clear, the TSA allowed CNN to see and record this test, and the agency is not concerned with CNN showing it. The TSA says techniques such as the one used in Tampa are known to terrorists and openly discussed on known terror Web sites.

Even before the September 11, 2001, terror attacks, government agencies deployed "red teams" such as this one to look for holes in airport security. The tests have resulted in a torrent of reports criticizing the government for failing to staff, train, manage and equip properly the screener work force, which numbers 43,000.

While test results are classified and rarely leak out, those that have been disclosed typically don't inspire confidence. In tests conducted in 2006 and disclosed to USA Today last year, investigators successfully smuggled 75 percent of fake bombs through checkpoints at Los Angeles International Airport, 60 percent through Chicago's O'Hare International Airport and 20 percent at San Francisco International Airport.

The TSA has disputed some test methodologies and test results. But instead of running from tests, the agency has embraced the idea that testing has a value that goes beyond measuring the performance of individual screeners.

Tests, the TSA says, can show systemwide security vulnerabilities. When used frequently -- as was the case with San Francisco in 2006 -- they can heighten screener awareness. Tests can show areas that need increased attention. And tests can be used to determine whether terrorist plots uncovered by intelligence agencies or being discussed on terrorist Web sites are lunatic rants, or are plausible.

As a result, the TSA says it believes its work force is the most tested in the federal government, with checkpoint drills of various sophistication occurring in every checkpoint at every airport daily.

Almost an hour before Jason approached the checkpoint, a fellow red team member had gone through the checkpoint. It's this member's job to make sure the test is conducted safely.

Five minutes before the test begins, he uses a cell phone to call Tampa's federal security director, the airport's top security official.

"Sir, the reason we're calling today is to tell you that we will be conducting covert testing at your airport," the red team leader says. "But I would ask that you not speak to anyone on your staff to alert them of this test."

The message is clear: Don't tell anyone. Testers say they will scratch a test if they believe anyone has been alerted. The TSA was embarrassed several years ago when word of one test leaked out, and an internal auditor is investigating other possible leaks.

But in Tampa, everything goes smoothly as Jason steps through the metal detector portal. The detector alarm goes off, as Jason expects it to, not because of the nonmetallic device strapped to his back but due to his metal knee.

It's the perfect tool for ensuring he gets to "secondary," where more extensive searches are conducted.

Soon Jason is in a posture familiar to air travelers. He is standing, legs apart, with his arms extended. A screener "wands" him with a hand-held metal detector, and it beeps as it passes his metal knee, his necklace and the rivets on his bluejeans.

The screener then pats him down, running latex-gloved hands over Jason's legs, arms and torso. And he pats down Jason's back, including the lower part where the device is concealed.

But Jason explains away the back support. He tells the screener that he has a bum back in addition to having a metal knee.

With the patdown over, the screener releases Jason. He picks up his belongings and walks freely into the airport, the fake bomb still fastened to his back.

TSA officials say the Tampa test demonstrates the type of systemic vulnerability that the agency is working to expose and address.

Screeners have cultural sensitivities toward travelers' handicaps, and they are sometimes hesitant to perform intrusive searches, officials said. Terrorists could exploit that reluctance, they said.

The TSA screener could have used other relatively unobtrusive means to check Jason's back brace. But he didn't.

After leaving the screening checkpoint, Jason returns with other members of his red team and informs the screener he has failed a test. A fake bomb has just entered their airport.

The screener appears devastated.

The reaction is common, says Jason, adding that notifying screeners of failed tests can be the toughest part of his job.

On occasions, he says, testers have appeared indifferent. In those rare instances, Jason says, he gets "nasty," stressing the importance of the tests. The stakes are too high to tolerate indifference.

Regardless of their reactions, screeners who fail to detect contraband are "pulled off the line" and retrained before being allowed back.

The test CNN witnessed was conducted by the TSA's Office of Inspection, which the agency calls the most sophisticated of its covert tests. But there are others.

For starters, every TSA X-ray machine has a Threat Image Projection system, which digitally inserts images of guns, knives and bombs into the X-rays of luggage, to keep screeners alert. This system library contains "tens of thousands" of images, said TSA spokesman Christopher White.

If screeners observe a suspicious object, they can check with the simple click of a computer mouse. If they detect a threat object, the computer congratulates them. Successes and failures are recorded for use in a screener's performance evaluation and are factors in determining pay.

Some 69,929 threat image tests are conducted on an average day, or more than 25 million tests per year. An array of other tests also are conducted to assess screeners, including the red team ones.

The TSA declines to give test results, which are classified. But it says the agency is getting better at finding bomb parts. And test scores won't demonstrate that, it says, because as success rates improve, tests are made more difficult.

"We're designing our tests not so much to indicate or to show or highlight performance," says Dave Holmes, who runs the Office of Inspection, "but we're highlighting where the vulnerabilities exist."

The elaborate test at the Tampa airport, Holmes says, is not to identify individuals performing below par. It's intended to provide data that, together with other information, will reveal the whole system's performance.


Back at the Tampa checkpoint, a member of Jason's red team is holding court with a group of screeners, including the one who missed the fake bomb.

"Today ... was a scrimmage," the red team leader says. "Every day, every time a passenger is coming through -- that is game day."

January 26, 2008

This is utterly ridiculous - Gaige's Pages

I truly do not understand how companies think that we're quite so stupid as to let them get away with these things.

TomTom: When a paid upgrade is a downgrade:


Stick this one in the extremely shady business practices category. In order to add more revenue to the coffers, a paid upgrade from existing TomTom 910 and 510 maps that currently include locations of Starbucks will result in losing the locations of said Starbucks! Hey, that's darned good service for all us long-standing customers.
It wasn't until after the map upgrade that my folks told me that they could no longer find any Starbucks when they did a POI search. What's the cause of this? TomTom has decided that these POIs are now a Paid For option. And, to make matters even worse, after calling support, I was informed that:

  • The web-based online store is down (due to a planned upgrade that was supposed to take 21 days and is now taking much longer)
  • The Windows-based version of TomTom home has access to it, but the Macintosh version does not
  • This change was intentional and not based on any licensing fees
The total lack of warning for customers is the most abhorrent portion of this problem. At least with a warning, I could have considered that I wouldn't be getting my POIs when I upgraded.

What's the solution?

For me, I think the solution is going to be getting the POIs from someplace else. I'm not sure how up-to-date they are, but the POIs available from POI Handler seem to work fine and many are free. There's a database of over 7000 Starbucks available. You may need to register for the site (I had already registered previously), but I have yet to receive anything annoying from them. Once there, follow the Download POI link to get to the screen where you can get your POIs. They're tailor made for a bunch of the common GPS devices and have pretty up-to-date data.

January 24, 2008

Congress Should Demand MPAA Data on the Cost of Piracy | Public Knowledge

Congress Should Demand MPAA Data on the Cost of Piracy | Public Knowledge:


Yesterday, the Motion Picture Association of America admitted something that many of us had suspected all along – an MPAA-funded study showing that 44% of the industry’s losses came from illegal downloading of movies by college students using campus networks was overstated by a factor of 3. The MPAA now says that only 15% of its losses come from campus activity. Hollywood has been using that larger number to push for legislation, now pending in the House of Representatives, which would require colleges and universities to filter their networks for copyright infringement.
But why should we believe the 15% claim (and indeed, Mark Luker of EDUCAUSE says that a more accurate number would be 3%)? The 2006 study from which the numbers were derived was conducted by the consulting firm LEK, and purported to demonstrate that the industry losses from both hard goods piracy and downloading was $6.1 billion. The study, which purportedly cost the MPAA $3 million, was controversial from the start, and the organization has for two years steadfastly refused to provide the data and the methodology underlying the study, even after an influential member of Congress had requested them.
Nineteen months ago, at a Senate Judiciary Committee hearing on Hollywood’s proposal to close the analog hole (the outputs that allow you to capture analog content and digitize it), then-Committee Chair Arlen Specter (and other members of the Committee) expressed skepticism about Hollywood’s claims about losses resulting from the analog hole and asked MPAA President Dan Glickman to show him the data:
Chairman Specter. Mr. Glickman, lots of information about piracy from you and from the Department of Justice, but can you quantify any direct connection between piracy and the analog hole?
Mr. Glickman. We have just completed a major study called the LE case study which estimates that our companies lose about $6.1 billion a year in piracy, and as part of that—
Chairman Specter. OK. I mean from analog—I have only got 5 minutes.
Mr. Glickman. OK, $1 to $1.5 billion in what we call noncommercial copying of movies for family and friends. We believe a big part of that is due to the analog hole.
Chairman Specter. How do you arrive at the figure of $1.5 billion?
Mr. Glickman. The firm did worldwide and national piracy study focus groups. The methodology we considered to be quite good.
Chairman Specter. Well, let me ask you to supplement your answer with the specifics as to how you come to that conclusion.
Mr. Glickman. Sure, be glad to.
Chairman Specter. We would like to see the methodology because before we really tackle the problem, we want to know— before we really look for a solution, we would like to have a specification of the problem.
Mr. Glickman. We will get you that, Senator.
Over a year and a half later, Senator Specter’s request has been unfulfilled.
It is time for Congress to demand that the MPAA turn over the data and methodology from the LEK study. Hollywood can pay for all the studies it wants, but when it seeks to use those studies as “evidence” of the need for legislation to impose technology mandates on industry and on higher education institutions, the public has the right to see whether that “evidence” is at all valid. Until then, Congress should refuse to consider any legislative proposals based on this or other studies purporting to demonstrate the cost of piracy.

Is Comcast really blocking P2P? EFF + SF Weekly conclude: yeah.

Is Comcast really blocking P2P? EFF + SF Weekly conclude: yeah.:


David Downs of the SF Weekly invited Electronic Frontier Foundation spokeshacker Peter Eckersley into his home to test claims that Comcast is blocking BitTorrent files:
Eckersley's BitTorrent controller flickers for a second, showing that his computer is "seeding" our file to the Melbourne computer. Then everything stops. The transmission fails, and to an untrained eye, the problem appears to be with BitTorrent.


But Eckersley is running a Net monitor application called Wireshark, which works like an online customs officer checking the packets going out of the computer here and into the one in Melbourne. What Eckersley finds is damning. Someone or something has interceded in the transmission and told the computers to stop talking.


And that something, experts have concluded, is Comcast.


The experiment Eckersley and I ran replicates private and public versions that emerged last fall through an Associated Press story. That story confirmed what many in software circles knew for most of 2007: Comcast has been looking at its users' Web traffic and secretly blocking some of the Internet, namely BitTorrent uploads, to users outside Comcast's network. The Electronic Frontier Foundation alleges that Comcast blocks BitTorrent with a classic hacker technique called "spoofing," where the hacker poses as someone he isn't, in this case another user. Eckersley describes it as if he and I were having a phone conversation, and then halfway through Comcast interrupts us and in my voice tells him to hang up, and in his voice tells me the same thing.

Link. Illustration for SF Weekly by Aaron Piland.
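The interruption described above, a middlebox sending each end a reset "in the other's voice", leaves a trace in a packet capture: the forged resets travel a different path from the genuine peer traffic and so arrive with a different IP TTL. The following check over a constructed packet list is an added example, not code from the article, the EFF or SF Weekly; the addresses, TTL values and the tolerance are assumptions.

```python
from collections import Counter, defaultdict

# Constructed packet summary (not a real capture): the seeding host 10.0.0.5
# talking to a peer 203.0.113.7, as Wireshark would list it on the seeder.
# Only the fields the check needs are kept: src, dst, TCP flags, IP TTL.
PACKETS = [
    {"src": "10.0.0.5",    "dst": "203.0.113.7", "flags": "S",  "ttl": 64},
    {"src": "203.0.113.7", "dst": "10.0.0.5",    "flags": "SA", "ttl": 52},
    {"src": "10.0.0.5",    "dst": "203.0.113.7", "flags": "A",  "ttl": 64},
    {"src": "10.0.0.5",    "dst": "203.0.113.7", "flags": "PA", "ttl": 64},
    {"src": "203.0.113.7", "dst": "10.0.0.5",    "flags": "A",  "ttl": 52},
    {"src": "10.0.0.5",    "dst": "203.0.113.7", "flags": "PA", "ttl": 64},
    {"src": "203.0.113.7", "dst": "10.0.0.5",    "flags": "A",  "ttl": 52},
    # Resets that claim to come from the peer but arrive with a TTL the
    # peer's genuine packets never show: a middlebox on a shorter path.
    {"src": "203.0.113.7", "dst": "10.0.0.5",    "flags": "R",  "ttl": 238},
    {"src": "203.0.113.7", "dst": "10.0.0.5",    "flags": "R",  "ttl": 238},
]


def baseline_ttl(packets):
    """Most common TTL of the non-reset packets in each (src, dst) direction."""
    seen = defaultdict(Counter)
    for p in packets:
        if "R" not in p["flags"]:
            seen[(p["src"], p["dst"])][p["ttl"]] += 1
    return {direction: ttls.most_common(1)[0][0] for direction, ttls in seen.items()}


def suspicious_resets(packets, tolerance=2):
    """Return (index, src, ttl, expected_ttl) for RST packets whose TTL does
    not match the sender's established hop count, or that have no baseline
    at all. `tolerance` absorbs ordinary route changes (assumed value)."""
    expected = baseline_ttl(packets)
    flagged = []
    for i, p in enumerate(packets):
        if "R" not in p["flags"]:
            continue
        base = expected.get((p["src"], p["dst"]))
        if base is None or abs(p["ttl"] - base) > tolerance:
            flagged.append((i, p["src"], p["ttl"], base))
    return flagged


if __name__ == "__main__":
    for idx, src, ttl, base in suspicious_resets(PACKETS):
        print(f"packet {idx}: RST from {src} with TTL {ttl}, baseline {base}")
```

A reset that carries the peer's usual TTL is left alone, so the check reports only resets the peer's own path could not have produced.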

Boeing 777 Heathrow Crash Update

Boeing 777 Heathrow Crash Update:


An initial report offered by the Air Accidents Investigation Branch Friday said interviews with crew and analysis of the "Flight Recorder" aboard the British Airways Boeing 777 200ER that crashed Thursday at Heathrow indicate the aircraft's engines did not respond to commands from the autothrottle or the flight crew. First Officer John Coward, the flying pilot, told reporters he glided the big airliner to the grass. "Suddenly there was nothing from any of the engines, and the plane started to glide. I didn't think we'd clear the fence at first. As we landed I was bracing myself for an enormous thud. But instead of one thud, there was a series of thuds as it bounced along the grass. Eventually it shuddered to a halt. While I was trying to stop the plane, I struggled to try and keep it in a straight line."

Air Canada Flight Upset Update

Air Canada Flight Upset Update:


The wake of a 747 that crossed its path is among the possible suspects in the upset event that injured eight passengers and two crew aboard an Air Canada Airbus A319 flying at 35,000 feet Thursday January 10. A fully loaded 747 can weigh more than five times as much as an Airbus A319. The A319 rolled violently and lost altitude in the incident, but a cause has not yet been determined and some have theorized that computerized flight control systems could have been causal in the disturbance if they reverted to a particular failsafe mode. A Seattle air traffic controller saw the potential conflict in flight paths, citing that conditions were ripe for the formation of mountain waves that could make dissipation of wake less predictable, and directed one of the aircraft to change altitude, according to the Globe and Mail. The aircraft were flying south of Cranbrook, B.C., which is known for generating mountain waves capable of lifting gliders to 25,000 feet.

January 23, 2008

Yes, but did the pilots attend the meeting?

Plane crashes after flight safety meeting - CNN.com:


(CNN) -- At least seven people were killed Wednesday when a Polish military transport aircraft carrying passengers who had attended a flight-safety conference crashed in northwest Poland, military officials said.

Defense Ministry Col. Cezary Siemion confirmed seven deaths, but said that number could continue to climb.

He said there were 18 people on board -- 14 passengers and four crew members.

The Spanish-built CASA transporter crashed near the town of Miroslawiec, a few hundred kilometers northwest of Warsaw, around 7 p.m. (noon ET).

The passengers had attended the 15th annual Flight Safety Conference, held in Warsaw on Wednesday.

Officials said it was the first accident in Poland involving a CASA transporter, which is generally considered an extremely reliable aircraft.

The airplane took off from Warsaw and was scheduled to make stops in three cities before returning to its home base in Krakow. It crashed before reaching its second destination.

Military officials said a special commission has been set up to investigate the crash and rescue operations are ongoing.

Now don't we all feel just so much safer?

Man With Gun Clears Reagan National Airport Security - News Story - WRC | Washington:


WASHINGTON -- The Metropolitan Washington Airports Authority said a man was able to carry a gun undetected through a security checkpoint at Reagan National Airport.
Spokesman Rob Yingling said the man realized before boarding his flight Sunday morning that he had the gun with him and returned voluntarily to the checkpoint.
The man is identified as Gregory Hinkle, 53, of Davis, W.Va. The gun was seized, Hinkle was issued a summons and he was allowed to continue his trip. He is charged with possessing or transporting a firearm into an airline terminal, which is a misdemeanor.
The federal Transportation Security Administration said the worker who screened Hinkle has been relieved of security duties.

MPAA admits to lying about college downloading

MPAA admits to lying about college downloading:


The MPAA study that showed that students were responsible for 44 percent of film downloading? A big old lie. And now the MPAA has admitted it:

In a 2005 study it commissioned, the Motion Picture Association of America claimed that 44 percent of the industry's domestic losses came from illegal downloading of movies by college students, who often have access to high-bandwidth networks on campus.

The MPAA has used the study to pressure colleges to take tougher steps to prevent illegal file-sharing and to back legislation currently before the House of Representatives that would force them to do so.

But now the MPAA, which represents the U.S. motion picture industry, has told education groups a "human error" in that survey caused it to get the number wrong. It now blames college students for about 15 percent of revenue loss.

(via /.)

Apple cripples debugging tool to keep iTunes DRM safe

Apple cripples debugging tool to keep iTunes DRM safe:


Sun's Adam Leventhal has made a disturbing discovery about Apple's version of DTrace, a free/open debugging tool that Leventhal helps to oversee: Apple has deliberately broken DTrace to prevent it from being used to examine the inner workings of iTunes. This is presumably in place to stop people from figuring out how to break iTunes's DRM, and as Leventhal notes, it is completely contrary to the purpose and spirit of debugging tools and open source:

Wow. So Apple is explicitly preventing DTrace from examining or recording data for processes which don't permit tracing. This is antithetical to the notion of systemic tracing, antithetical to the goals of DTrace, and antithetical to the spirit of open source. I'm sure this was inserted under pressure from ISVs, but that makes the pill no easier to swallow. To say that Apple has crippled DTrace on Mac OS X would be a bit alarmist, but they've certainly undermined its efficacy and, in doing so, unintentionally damaged some of its most basic functionality. To users of Mac OS X and of DTrace: Apple has done a service by porting DTrace, but let's convince them to go one step further and port it properly.

To paraphrase Warren Buffet, DRM is the gate to hell: once you enter, you can't leave. Apple, having committed itself to preventing users from using their computers in certain ways, must now take on a further and further-reaching set of restrictions in service of that -- locking down APIs, shipping updates that downgrade the software, exposing user privacy, breaking core development tools. No end in sight -- not until Apple decides that what you do with your computer is your own business.

(via /.)

January 22, 2008

Happy ending...

Missing Cat Found in Owner's Suitcase:


PALM BEACH GARDENS, Fla. (AP) - The last time cat-owner Kelly Levy saw her tiger-striped feline was before she took her husband to the airport. The 24-year-old came back to her house late Friday to find the bottom step, where Gracie Mae would usually be waiting, empty.

Levy tore the house apart looking for the 10-month-old tabby who had been spayed just days before. She and her dad took out bathroom tiles and part of a cabinet to check a crawl space and papered the neighborhood with "lost cat" signs.

Then she got a phone call.

"Hi, you're not going to believe this, but I am calling from Fort Worth, Texas, and I accidentally picked up your husband's luggage. And when I opened the luggage, a cat jumped out," Levy recalled the caller saying.

Gracie Mae had crawled into Seth Levy's black suitcase undetected, been put through an X-ray machine, loaded onto an airplane, thrown onto a baggage claim conveyor belt and picked up by a stranger.

The tabby made the 1,300-mile trip home on an $80 plane ticket Sunday night.

Senate Resumes Debate on Wiretap Rules

Senate Resumes Debate on Wiretap Rules:


The Senate this week plans to resume debate on legislation setting rules for government surveillance of communications between people in the U.S. and targets abroad. Two competing bills and possible amendments offer different approaches to Executive Branch power, judicial supervision of intelligence agency activities, and the role of telecommunications companies in assisting warrantless surveillance after 9/11. CDT has issued an "Insider's Guide" to the debate and a chart outlining the issues at stake. [links below]

Now this could be quite interesting...

Wired News - AP News:


BRUSSELS, Belgium (AP) -- IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.
Germany's data protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.
He told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address "then it has to be regarded as personal data."
His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is - something strictly true but which does not recognize that many people regularly use the same computer terminal and IP address.
Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people.
But these exceptions have not stopped the emergence of a host of "whois" Internet sites that apply the general rule that typing in an IP address will generate a name for the person or company linked to it.
Treating IP addresses as personal information would have implications for how search engines record data.
Google led the pack by being the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years.
But a privacy advocate at the nonprofit Electronic Privacy Information Center, or EPIC, said it was "absurd" for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.
"It's one of the things that make computer people giggle," EPIC executive director Marc Rotenberg told The Associated Press. "The more the companies know about you, the more commercial value is obtained."
Google's global privacy counsel, Peter Fleischer, however, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language they use - and that was not enough to identify an individual user.
"If someone taps in 'football' you get different results in London than in New York," he said.
He said the way Google stores IP addresses meant one of them forms part of a crowd, giving valuable information on general trends without infringing on an individual's privacy.
Google says it needs to store search queries and gather information on online activity to improve its search results and to provide advertisers with correct billing information that shows that genuine users are clicking on online ads.
Internet 'click fraud' can be tracked down by showing that the same IP address is jumping repeatedly to the same ad. Advertisers pay for each time a different person views the ad, so dozens of views by the same person can rack up costs without giving the company the publicity it wanted.
Microsoft does not record the IP address that identifies an individual computer when it logs search terms. Its Internet strategy relies on users logging into the Passport network that is linked to its popular Hotmail and Messenger services.
The company's European Internet policy director, Thomas Myrup Kristensen, described the move as part of Microsoft's commitment to privacy.
"In terms of the impact on user privacy, complete and irreversible anonymity is the most important point here - more impactful than whether the data is retained for 13 versus 18 versus 24 months," he said.
But neither of the search engines received a pat on the back from Spain's data protection regulator, Artemi Rallo Lombarte, who criticized them for not trying to make their privacy policies accessible to normal people.
Their privacy policies "could very well be considered virtual or fictional ... because search engines do not sufficiently emphasize their own privacy policies on their home pages, nor are they accessible to users," he said, describing the policies as "complex and unintelligible to users."
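Rotenberg's objection above can be made concrete: clearing the last octet of an IPv4 address leaves 256 candidate addresses, and once the other fields a query log keeps are grouped with it, that candidate set shrinks further. This is an added illustration, not code from the article, Google or EPIC; that the truncation drops exactly the last octet, and the fields in the constructed log rows, are assumptions.

```python
import ipaddress
from collections import Counter


def truncate_ipv4(ip, masked_bits=8):
    """Clear the low `masked_bits` bits; 8 bits drops the last octet."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF >> masked_bits) << masked_bits
    return str(ipaddress.IPv4Address(addr & mask))


def anonymity_set_size(masked_bits=8):
    """How many addresses share one truncated value: 2**8 == 256 for an octet."""
    return 1 << masked_bits


# Constructed query-log rows, not real data. The fields kept beside the
# address are an assumption about what a search log might retain.
LOG = [
    {"ip": "198.51.100.17",  "lang": "en", "ua": "Firefox"},
    {"ip": "198.51.100.42",  "lang": "en", "ua": "Firefox"},
    {"ip": "198.51.100.91",  "lang": "de", "ua": "Safari"},
    {"ip": "198.51.100.201", "lang": "en", "ua": "Firefox"},
    {"ip": "192.0.2.9",      "lang": "en", "ua": "Firefox"},
    {"ip": "192.0.2.77",     "lang": "fr", "ua": "Firefox"},
]


def anonymized_log(rows, masked_bits=8):
    """Copy of the rows with the address truncated as the article describes."""
    return [dict(row, ip=truncate_ipv4(row["ip"], masked_bits)) for row in rows]


def k_anonymity(rows, fields):
    """Smallest group size when rows are grouped by `fields`; k == 1 means
    some row is unique on those fields and its user can be singled out."""
    groups = Counter(tuple(row[f] for f in fields) for row in rows)
    return min(groups.values())


if __name__ == "__main__":
    anon = anonymized_log(LOG)
    print("candidate addresses per truncated value:", anonymity_set_size())
    print("k on truncated address alone:", k_anonymity(anon, ("ip",)))
    print("k with language and browser:", k_anonymity(anon, ("ip", "lang", "ua")))
```

On these rows the truncated address alone still groups every row with at least one other, but adding language and browser isolates a single row, which is the point Rotenberg is making.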

January 18, 2008

Lawyer claims he owns "cyberlawyer" -- actual cyberlawyers laugh and laugh - Boing Boing

Oh man. This is utterly hilarious. I will license him my trademark of the term "Idiot Lawyer" for free :-).

Lawyer claims he owns "cyberlawyer" -- actual cyberlawyers laugh and laugh:


Rebecca sez, "One lawyer is threatening another over the use of the term "cyberlaw," which he says he's trademarked. As the post (by EFF's Corynne McSherry) says, that's like a soda company trying to trademark the word soda."


Eric Menhart may call himself a cyberlawyer, but we think he has a lot of learn about cyberlaw -- and common sense. Menhart is the author of a blog about cyberlaw issues called, logically if not innovatively, "Cyberlawg." (As he says in the top right corner, "Cyberlawg = Cyberlaw + blog.") And he is "principal attorney" in a firm called "CyberLaw P.C." OK, OK, we get it, he practices technology law. Based on this, he's applied for a trademark on the use of the term "cyberlaw" in connection with the practice of, um, cyberlaw. That's like a soda company claiming a trademark in the use of the word soda in connection with the sale of soda. Or an apple farmer claiming a trademark in the use of the term apple in connection with the sale of apples. Or ... well, you get the picture.

(Thanks, Rebecca!)

January 16, 2008

NATCA Declares "Staffing Emergency" At DFW TRACON

NATCA Declares "Staffing Emergency" At DFW TRACON:


The National Air Traffic Controllers Association (NATCA) on Wednesday declared a "staffing emergency" at the Dallas-Fort Worth Terminal Radar Approach Control (DFW TRACON) and called on the FAA to act immediately to stem the loss of veteran controllers. The facility is dealing with a 34-percent drop in the number of fully trained and certified controllers on staff in just two years, according to NATCA. "Six-day weeks and 50 hours per week is now the norm for many of these men and women," DFW TRACON NATCA Facility Representative Steve Bates said in a statement. "This is a 24/7 high stress, high pressure job where mistakes can mean lives. Running our employees into exhaustion is not the way to do it." This is the fifth facility where NATCA has declared a "staffing emergency" in recent weeks. Others were cited in Atlanta, Chicago, New York and Southern California.

Google to be Dragooned Into U.S. Wiretapping? - JSQ

Google to be Dragooned Into U.S. Wiretapping?:


I'd wondered when the feds would think of this:

"Google has records that could help in a cyber-investigation, he said," Wright adds. "Giorgio warned me, 'We have a saying in this business: Privacy and security are a zero-sum game.'"

A New Internet Wiretapping Plan? Steve Bellovin, SMBlog, 15 January 2008

Their saying is wrong, as Bellovin points out:

The risks are quite similar to those posed by CALEA: this is an intentional vulnerability which can be exploited by the wrong people. (That's what happened to the Greek cellphone network.)

But some people believe the saying anyway, and will act on it, unless they are stopped.

-jsq

NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven, Top Spy Says | Threat Level from Wired.com

When are our elected imbeciles in the Congress EVER going to stop listening to these complete fuckwits?

NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven, Top Spy Says | Threat Level from Wired.com:


The nation's top spy, Michael McConnell, thinks the threat of cyberarmageddon! is so great that the U.S. government should have unfettered and warrantless access to U.S. citizens' Google search histories, private e-mails and file transfers, in order to spot the cyberterrorists in our midst.
That's according to a sprawling 18-page story on the Director of National Intelligence by Lawrence Wright in the January 21 edition of the New Yorker. (The story is not online).
In the piece, McConnell returns, in flamboyant style, to his exaggerating ways, hyping threats and statistics to further his bureaucratic aims. For example, McConnell regurgitates the hoary myth that computer crime costs America $100 billion a year. THREAT LEVEL traced down the source of that fake-factoid in September to a former privacy officer for the state of Colorado.
Presumably using unsupported stats like that, in May 2007 McConnell convinced President Bush that a massive cyber-attack on a single U.S. bank would be worse for the economy than the deadly terrorist attacks of September 11, the article reports. In response, the NSA developed a mind-boggling, but still incomplete, plan to eavesdrop on the internet in order to protect it.
In order for cyberspace to be policed, Internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer, or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"
It says something ominous about McConnell's priorities if he believes a DDOS attack on Bank of America, or even a computer intrusion that wiped out its database (and magically purged its backup tapes), would be worse than an attack that killed 3,000 Americans.
Still, it's hardly a surprising plan -- given that McConnell was one of the main backers of the Clipper Chip, the government's failed, early 1990's proposal to put a backdoor in every encryption product.
McConnell also makes an astounding assertion that the secretive Foreign Intelligence Surveillance Court recently crippled the NSA's overseas signals intelligence collection with a string of soft-on-terror rulings. 
McConnell said that federal judges had recently decided, in a series of secret rulings, that any telephone transmission or e-mail that incidentally flowed into U.S. computer systems was potentially subject to judicial oversight. According to McConnell the capacity of the NSA to monitor foreign-based communications had consequently been reduced by seventy per cent.
In other words, McConnell claims the NSA couldn't intercept a terrorist's e-mail by tapping a fiber optic cable in Pakistan, if there was a chance the message would pass through a U.S. router or end up in a Hotmail account.

I'm no rich man, but I'll bet any reader $1,000 that, when and if those rulings are ever released, we'll see they say no such thing. Send me an e-mail to take me up this bet. U.S. government officials are welcome to participate.
The FISA law that created the Foreign Intelligence Surveillance Court only applies to intercepts that physically happen within the borders of the United States. The NSA has always been free to intercept foreign communications overseas -- the mission for which they were created and funded -- even if the call passes through a U.S. switch.
So in the case of the now debunked Iraqi kidnappers anecdote that leads off the New Yorker story, the NSA would only have needed to get a court order if its Iraqi targets initiated communications that flowed through U.S. servers or switches and the NSA decided to tap them physically at a United States internet or telecom facility, by burglarizing it, digging up its cables or getting the company to cooperate. (As for why that happens and how common it is, check my story: NSA's Lucky Break: How the U.S. Became the Switchboard to the World.)
Simply put, the FISA law is intended to prevent the NSA from operating inside the United States.
In any event, that restriction collapsed this summer with the fear-induced, strong-armed passage of the so-called Protect America Act. That law radically re-architected the nation's surveillance apparatus.
Now the NSA can turn Gmail's servers and AT&T's switches into de facto arms of the surveillance industrial complex without any court oversight.
And though the law ostensibly sunsets in February, any orders in effect at that time will have power for another 12 months. Moreover, Senate Majority Leader Harry Reid (D-Nevada) is reportedly planning to discard legislative attempts to rein in these new powers and will instead simply push to extend the current scheme another 12 months.
In short, McConnell's politically convenient exaggerations have already worked well for him in winning domestic spying powers, despite their flimsiness under any real scrutiny.
That track record bodes ill for anyone concerned about his new plans to push for sweeping and unnecessary powers to put the NSA in the wires of the internet in order to prevent computer attacks.
The Wall Street Journal's intelligence guru Siobhan Gorman's take is here. Gorman wrote a groundbreaking story on the cyberspace initiative last September while at The Baltimore Sun.
UPDATE: Ex-spook Michael Tanji guest-posting over at Danger Room writes:
It's bad enough that the Director of National Intelligence is trotting out a bogus threat so the government can snoop on all Internet traffic.  What's worse is that this kind of mass surveillance is a pretty lame way to catch the honest-to-God bad guys. 
Of more interest to observers of intelligence activities is the issue of quality vs. quantity and the slow creep towards doom that these efforts foretell. The fact that we are essentially attempting to gill-net bad guys is a fairly strong indicator that the intelligence community has yet to come up with an effective strategy against information-age threats.
[...] It's not a question of listening in to you whispering sweet nothings into the ear of your significant other, it is simply a case of – as the late Sam Kinison joked – going where the food is. That our intelligence agencies can intercept adversary communications is largely a given, they just want to do it from the convenience of the homeland, not some remote switch in the darkest hinterlands.

January 13, 2008

Your Papers Please! Might need a passport for DOMESTIC travel...

Newsmax.com - New ID Rules May Complicate Air Travel:


Millions of air travelers may find going through airport security much more complicated this spring, as the Bush administration heads toward a showdown with state governments over post-Sept. 11 rules for new driver's licenses.

By May, the dispute could leave millions of people unable to use their licenses to board planes, but privacy advocates called that a hollow threat by federal officials.

Homeland Security Secretary Michael Chertoff, who was unveiling final details of the REAL ID Act's rules on Friday, said that if states want their licenses to remain valid for air travel after May 2008, those states must seek a waiver indicating they want more time to comply with the legislation.

Chertoff said that for any state which doesn't seek such a waiver by May, residents of that state will have to use a passport or certain types of federal border-crossing cards if they want to avoid a vigorous secondary screening at airport security.

"The last thing I want to do is punish citizens of a state who would love to have a REAL ID license but can't get one," Chertoff said. "But in the end, the rule is the rule as passed by Congress."

The plan's chief critic, the American Civil Liberties Union, called Chertoff's deadline a bluff — and urged state governments to call him on it.

"Are they really prepared to shut those airports down? Which is what effectively would happen if the residents of those states are going to have to go through secondary scrutiny," said Barry Steinhardt, director of the ACLU's technology and liberty program. "This is a scare tactic."

So far, 17 states have passed legislation or resolutions objecting to the REAL ID Act's provisions, many due to concerns it will cost them too much to comply. The 17, according to the ACLU, are Arkansas, Colorado, Georgia, Hawaii, Idaho, Illinois, Maine, Missouri, Montana, Nebraska, Nevada, New Hampshire, North Dakota, Oklahoma, South Carolina, Tennessee and Washington.

Maine officials said Friday they were unsure if their own state law even allows them to ask for a waiver.

"It certainly seems to be an effort by the federal government to create compliance with REAL ID whether states have an interest in doing so or not," said Don Cookson, spokesman for the Maine secretary of state's office.

The Sept. 11 attacks were the main motivation for the changes: The hijacker-pilot who flew into the Pentagon, Hani Hanjour, had four driver's licenses and ID cards from three states.

The Homeland Security Department and other officials say the only way to ensure an ID is safe is to check it against secure government data; critics such as the ACLU say that creates a system that is more likely to be infiltrated and have its personal data pilfered.

Congress passed the REAL ID law in 2005, but the effort has been delayed by opposition from states worried about the cost and civil libertarians upset about what they believe are invasions of privacy.

Under the rules announced Friday, Americans born after Dec. 1, 1964, will have to get more secure driver's licenses in the next six years, over which time the new requirements would gradually be phased in.

A key deadline would come in 2011, when federal authorities hope all states will be in compliance, and the regulations would not take full effect for all Americans until 2017.

To make the plan more appealing to cost-conscious states, federal authorities drastically reduced the expected cost from $14.6 billion to $3.9 billion, a 73 percent decline, said Homeland Security officials familiar with the plan.

By 2014, anyone seeking to board an airplane or enter a federal building would have to present a REAL ID-compliant card, with the notable exception of those older than 50, Homeland Security officials said.

The over-50 exemption was created to give states more time to get everyone new licenses, and officials say the risk of someone in that age group being a terrorist, illegal immigrant or con artist is much less. By 2017, even those over 50 must have a REAL ID-compliant card to board a plane.

Among other details of the REAL ID plan:

_The traditional driver's license photograph would be taken at the beginning of the application instead of the end so that if someone is rejected for failure to prove identity and citizenship, the applicant's photo would be kept on file and checked if that person tried to con the system again.

_The cards will have three layers of security measures but will not contain microchips as some had expected. States will be able to choose from a menu which security measures they will put in their cards.

_After Social Security and immigration status checks become nationwide practice, officials plan to move on to more expansive security checks. State DMV offices would be required to verify birth certificates; check with other states to ensure an applicant doesn't have more than one license; and check with the State Department to verify applicants who use passports to get a driver's license.

So...how long before a law is passed?

These types of threats to national security must be stopped this instant!

'No Pants Ride' Gets Mixed Review from Metro Riders:


WASHINGTON--Metrorail riders had an eye-opening experience watching up to 200 people remove their pants Saturday afternoon before heading into railcars.

No one was arrested in the activity because participants didn't break the law as long as they kept their "undies" on.

But many Metro riders asked the big question. Why did the group drop trow on the Metro?

"No real purpose, just to get people to laugh a little bit," said Elizabeth, one of the organizers of the No Pants Event. She didn't care to share her last name in between giggles Saturday.

The group organized on the social website Facebook and met at the Dupont Circle Metro Station fully clothed.

Stunts like this have taken place on the New York City Subway before, but never on Metro.

Metro riders had various opinions about the activity Saturday.

Some said the unusually warm January temperatures that the Washington area has experienced in the past week made it a good time to do it.

"I think it's fine as long as they're not showing any flesh and they're being decent," said one rider.

However, other Metro riders described the group's action as "indecent exposure" and questioned if it were some type of rebellion.

January 12, 2008

Don't just "read back"...actually hold short when you're sposed to!

Delta, ASA Plane Nearly Collide At Atlanta Airport - News Story - WSB Atlanta:


ATLANTA -- A Delta 757 and an Atlantic Southeast regional jet came within three seconds of a disastrous runway collision Friday at Hartsfield-Jackson International Airport. Without clearance from the tower, ASA flight 876 to Greensboro, N.C. crossed runway 27-right at 10:10 a.m. just as Delta flight 261 roared down that same runway, taking off for Puerto Vallarta, Mexico.
The 757 was too far into its takeoff to shut down and came within 1,250 feet of the smaller jet, Federal Aviation Administration spokesperson Kathleen Bergen confirmed to WSB-TV Channel 2.
A representative of the National Air Traffic Controllers Association said the planes were three seconds from a collision.
Officials at both the FAA and the National Air Traffic Controllers Association said the ASA pilot failed to follow instructions from controllers.
The ASA pilot had been told to wait until the Delta flight took off before crossing the runway, according to Doug Church, Director of Communications for NATCA.
The pilot repeated the instructions back to the tower, but proceeded across the runway; directly into the path of the Delta jet, Church added.
Both flights continued on to their destinations. No passengers were injured.

January 11, 2008

Another five-year-old on the no-fly list: meet Sam Adams - Boing Boing again

Another five-year-old on the no-fly list: meet Sam Adams:


Ted Adams -- the publisher of IDW comics -- named his little son "Sam Adams," a good, solid patriotic name. It's also a name on the TSA's no-fly list, and the five-year-old has spent his young life being harassed by airport security goons who think he's a terrorist.

the article you posted on Boing Boing about the five year old on the no-fly list. My son, also five, is on that same list and it's a nightmare. Every time we fly with him, we can't use the computer terminals to check in and the attendant has to call some never named government agency to make sure he's not a terrorist. Some attendants joke it off but some are insanely serious about it. His seat always goes unassigned (even if it was assigned when the reservation is made) which always causes problems.

I've tried everything that anyone has suggested. There's a TSA form that you can fill out for this situation, which I did, but they won't tell you if they've removed your name. We got him a passport -- that didn't work. We've tried booking the tickets with his full name (including middle name), that didn't work. We tried booking the ticket under Master Samuel Adams, with still no luck.



Yeah, and if you think that's funny, imagine this kid's life when he's an adult and Every goddamned flight he takes involves an extra hour of hassle, a search, no assigned seats, being turned away, being humiliated, being harassed... There's a special circle of hell that's being prepared for the domestic fear-mongers who've helped the terrorists make Americans so very afraid.

Link

(Thanks, Ted!)




Big surprise here...NOT

In a world of "turn over the information or else" could we possibly expect that anyone would attempt to keep our personal information private?

DHS Releases Final Regulations for REAL ID Act:


Department of Homeland Security today released its final regulations to implement the REAL ID Act. As CDT expected, based on the proposed regulations published last March, the final rules direct how states will issue driver's licenses but fail to provide meaningful privacy and security requirements for personal information collected, stored and shared within the REAL ID system. CDT has consistently said that Congress must revisit this fundamentally flawed law using the legislative proposals that have been introduced in the Senate and House as a starting point.

January 10, 2008

Why it's good to leave your WiFi open - Boing Boing

Why it's good to leave your WiFi open:


Bruce Schneier has a wonderful essay up on Wired explaining why he runs an open wireless network at home -- and how that fits in with security. I've run open wireless networks since the late 1990s (in five cities in three countries) and I've never encountered the problems that everyone says are inevitable -- network contention, crap from my ISP, busts for the child-porn my neighbors are downloading from my network.


Instead, I've provided network access to innumerable people -- people like me: I can't count the number of times I've had my ass saved by an open wireless network at the right moment (e.g., in good time to help me look up directions, a phone number, or flight details). I figure the more open wireless I provide to the world, the more people I'll turn on to providing their own open wireless access, and the more open WiFi I'm likely to find.

To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous...

I remain unconvinced of this threat, though. The RIAA has conducted about 26,000 lawsuits, and there are more than 15 million music downloaders. Mark Mulligan of Jupiter Research said it best: "If you're a file sharer, you know that the likelihood of you being caught is very similar to that of being hit by an asteroid."

I'm also unmoved by those who say I'm putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much.

Link




AT&T mulls copyright censorship at the network level

From the same folks who brought us wiretaps without court orders, yet more "guilty until proven innocent" strategies. And Apple chose THEM to be their network for iPhones? *sigh*

AT&T mulls copyright censorship at the network level:


AT&T is considering adding content filters to its network. These will try to figure out if your network connection contains a copyrighted work, and censor any communications that are believed to be infringing.


This strategy will work for approximately 30 seconds -- about as long as it takes for people who like to download copyrighted works to switch to using an encrypted protocol -- and thereafter it will be primarily useful to bullies and schemers who will use it to silence critics (by claiming their works infringe and getting them censored) and prevent competition (by raising the cost of operating an ISP through the inclusion of the spyware and the hardware to run it on).

Of course, AT&T has
already shown its commitment to its customers by helping the NSA conduct wholesale warrantless wiretapping on the entire nation -- adding a censorious, expensive, and useless piece of spyware to its network operations is entirely in keeping with its behavior.

"What we are already doing to address piracy hasn't been working. There's no secret there," said James Cicconi, senior vice president, external & legal affairs for AT&T.

Mr. Cicconi said that AT&T has been talking to technology companies, and members of the MPAA and RIAA, for the last six months about implementing digital fingerprinting techniques on the network level.

"We are very interested in a technology based solution and we think a network-based solution is the optimal way to approach this," he said. "We recognize we are not there yet but there are a lot of promising technologies. But we are having an open discussion with a number of content companies, including NBC Universal, to try to explore various technologies that are out there."

Link

(Thanks, Virtual Tours and Leon!)



January 09, 2008

Backed Up Sink Cripples 747

As if we didn't have enough silly aviation news today....

Backed Up Sink Cripples 747:


It's often said that aircraft accidents are the result of a series of seemingly innocuous events strung together and the crew of a Qantas Boeing 747 might agree with that. The flight from London to Sydney was 15 minutes from touchdown for a scheduled stop at Bangkok when it lost power from all four engine-driven generators. Back-up batteries kept all those displays in front of the pilots glowing through a safe landing but the battery power likely wouldn't have lasted more than another 45 minutes and that would have knocked out the radios and all of the electronic instruments. "In this case it looks as if it has gone to the last stage of emergency power for communication and navigation," Dr. Arvind Sinha, director of aerospace at RMIT University in Melbourne told the Sydney Morning Herald. "After that it comes down to the skill and experience of the crew." He added that the loss of all four generators is "unheard of" but Murphy can and does find a way, this time through a sink with a clogged drain in the first class galley.

So when do we stand up and surrender?

This kind of total bullshit screams "ENOUGH" in a voice louder than the Boston Tea Party. What is it going to take for us to take our country back?

TSA searches, detains 5 year old because his name was on no-fly list:


A five-year-old boy was taken into custody and thoroughly searched at Sea-Tac because his name is similar to a possible terrorist alias. As the Consumerist reports, "When his mother went to pick him up and hug him and comfort him during the proceedings, she was told not to touch him because he was a national security risk. They also had to frisk her again to make sure the little Dillinger hadn't passed any dangerous weapons or materials to his mother when she hugged him."

It's a case of a mistaken identity for a 5-year-old boy from Normandy Park. He had trouble boarding a plane because someone with the same name is wanted by the federal government. Mimi Jung reports from Sea-Tac Airport.

You know, if you wanted to systematically discredit the idea of a Department of Homeland Security, if you wanted to make an utter mockery of aviation safety, you could not do a better job than this.

Link

(via Consumerist)




Net Neutrality? Not at Comcast... Finally FCC Checking Into It

Feds to probe Comcast's BitTorrent busting | The Register:


At long last, the US Federal Communications Commission (FCC) will investigate claims that Comcast has put a choke hold on P2P file-sharing traffic.
Speaking yesterday at the International Consumer Electronics Show (CES), FCC chairman Kevin Martin finally acknowledged four-month-old press reports questioning the American ISP's commitment to net neutrality.
"Sure, we're going to investigate and make sure that no consumer is going to be blocked," he told VIPs at CES.
Of course, "blocked" is a loaded word in this case.
Comcast's efforts to throttle P2P traffic were first uncovered in May, when an independent network researcher named Robb Topolski posted the results of several tests to DSLReports.com. But this news didn't reach the web at large until Topolski's tests were spied by the P2P-happy blog TorrentFreak.
In essence, Topolski had shown that Comcast was preventing P2P users from "seeding" files. When one machine attempts to trade a file with another, Topolski's tests proved, the ISP was sending a duped "reset flag" to break this peer-to-peer connection. Two months later, The Associated Press published its own tests showing this was indeed the case.
In response, Comcast insisted it was not "blocking" P2P traffic. "Comcast does not block access to any Websites or online applications, including peer-to-peer services like BitTorrent," read the company's statement.
But no one was accusing the ISP of blocking traffic. At issue was whether Comcast was throttling traffic. Later in its statement, the ISP copped to such behavior - though it used the word "managing" rather than "throttling".
"Our customers use the Internet for downloading and uploading files, watching movies and videos, streaming music, sharing digital photos, accessing numerous peer-to-peer sites and thousands of applications online," the company said. "We have a responsibility to provide all of our customers with a good Internet experience and we use the latest technologies to manage our network so that they can continue to enjoy these applications."
Is this acceptable behavior? The SaveTheInternet.com Coalition thinks not. In early November, members formally asked the FCC to give Comcast a look-see.
"In 2005, when the FCC adopted an order reclassifying wireline broadband as an information service, it sought to ensure that network providers of Internet service, like phone and cable companies, would not violate network neutrality," SaveTheInterneters said. "Consumers are entitled to access all applications, services, and content of the consumer’s choice, and entitled to competition among providers of networks, applications, services, and content."
Meanwhile, Comcast argues that this FCC policy statement gives ISPs free rein to practice "reasonable network management." "We engage in reasonable network management to provide all of our customers with a good Internet experience, and we do so consistently with FCC policy," Comcast has said. "As the FCC noted in its policy statement in 2005, all of the principles to encourage broadband deployment and preserve the nature of the Internet are 'subject to reasonable network management.' The Commission clearly recognized that network management is necessary by ISPs for the good of all customers."
With his appearance at CES, Kevin Martin has now said that the commission will investigate if Comcast's practices fall within its rules. "The question is going to arise: Are they reasonable network practices?" Martin said. But even if Comcast's practices are reasonable, he added, the ISP should lay all its cards on the table. "When they have reasonable network practices, they should disclose those and make those public."
You think the FCC should take Comcast to task? Richard Bennett - the man who wrote the first standard for Ethernet over twisted-pair wiring - thinks you're wrong. ®
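As an added illustration of how a defender might spot the injected "reset flags" Topolski's tests described (example code written for this post, not from The Register, Topolski, or Comcast): a common heuristic is that a RST forged by an in-path device arrives with an IP TTL that does not match the TTL the genuine peer has been sending. The packet records below are constructed, not captured.

```python
"""Flag TCP RST segments whose TTL does not match the sending endpoint's baseline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA", "R", "RA"
    ttl: int    # IP TTL as observed at the capture point


def direction(seg):
    """Key for one direction of a connection (sender -> receiver)."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_forged_resets(segments, ttl_slack=2):
    """Return [(index, reason)] for RST segments that look injected.

    Heuristic (assumption, not something the article states): segments from a
    real endpoint keep a stable TTL for the life of a connection, because the
    path rarely changes within seconds. A middlebox forging a RST on that
    endpoint's behalf sits a different number of hops away and usually starts
    from a different initial TTL, so its segment arrives with a TTL that does
    not match the baseline learned from the endpoint's own handshake and data.
    """
    baseline = {}  # direction -> TTL of the first non-RST segment seen
    suspects = []
    for i, seg in enumerate(segments):
        key = direction(seg)
        if "R" not in seg.flags:
            baseline.setdefault(key, seg.ttl)
            continue
        known = baseline.get(key)
        if known is None:
            # A capture that started mid-connection will also hit this case,
            # so it is reported for an analyst rather than treated as proof.
            suspects.append((i, "RST with no prior traffic from this endpoint"))
        elif abs(seg.ttl - known) > ttl_slack:
            suspects.append((i, f"RST TTL {seg.ttl} deviates from baseline {known}"))
    return suspects


# Constructed capture taken on peer A (10.0.0.5) during a BitTorrent session
# with peer B (198.51.100.7:6881). All values are made up for this example.
A = ("10.0.0.5", 51413)
B = ("198.51.100.7", 6881)
SAMPLE = [
    Segment(*A, *B, "S", 64),    # A -> B SYN; A is local, so its TTL is untouched
    Segment(*B, *A, "SA", 52),   # B -> A SYN/ACK; 12 hops from B's initial 64
    Segment(*A, *B, "A", 64),
    Segment(*A, *B, "PA", 64),   # BitTorrent protocol handshake payload
    Segment(*B, *A, "PA", 52),
    Segment(*B, *A, "R", 241),   # claims to be from B, but TTL 241: injected in-path
    Segment(*B, *A, "RA", 52),   # genuine RST/ACK from B later; TTL matches, not flagged
]

if __name__ == "__main__":
    for idx, why in find_forged_resets(SAMPLE):
        seg = SAMPLE[idx]
        print(f"segment {idx}: {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} {why}")
```

Run against a real capture, the same check is only evidence, not proof: an operator can also tune the injector's TTL, which is why the AP repeated Topolski's tests from multiple vantage points rather than relying on one trace.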

NSIMAYNOTHAVECOMPLETELYTHOUGHTTHISTHROUGH.COM - The Trademark Blog

NSIMAYNOTHAVECOMPLETELYTHOUGHTTHISTHROUGH.COM:


Folks are afraid of domain name front-running, that is to say that they fear that someone will intercept a whois look-up and register the name ahead of them. In fact, in the pre-ICANN days when the old NetSol wouldn't require payment up front, it made sense to register a name rather than look it up (and now in the era of domain name tasting the same logic applies).

So today we learn the following. If you go to (the new) NSI's whois, and type in any available string, for the following four days that string will show up as a name registered to "This name available through NSI." You (or, as far as I can tell, anyone else over the next four days) can only buy that name through NSI (at its regular retail price). During those four days, the name, say, NSIISTEALINGMYNAME.COM will look like this.

So, to the best of my understanding, if you were to search for the name WHICH-REGISTRAR-WILL-SUE-NSI-FIRST.COM now, and it was available, and you closed your browser terminating your search, for the next four days that string will show up as UNAVAILABLE in every other registrar's whois, and as available in NSI's whois, and anyone can register the name through NSI for the next four days.


NSI's spokesperson has responded as follows:

“I’d like to clarify what we are doing. In response to customer concerns about Domain Name Front Running (domains being registered by someone else just after they have conducted a domain name search), we have implemented a security measure to protect our customers. The measure will kick in when a customer searches for an available domain name at our website, but decides not to purchase the name immediately after conducting the search.

After the search ends, we will put the domain name on reserve. During this reservation period, the name is not active and we do not monetize the traffic on these domains. If a customer searches for the domain again during the next 4 days at networksolutions.com, the domain will be available to register. If the domain name is not purchased within 4 days, it will be released back to the registry and will be generally available for registration.

This protection measure provides our customers the opportunity to register domains they have previously searched without the fear that the name will be already taken through Front Running.

You are correct that we are trying to take an arrow out of the quiver of the tasters. As you know, domain tasters are the largest Front Runners. Due to no fault of registrars, Front Runners purchase search data from Internet Service Providers and/or registries and then taste those names. Some folks may not agree with our approach, but we are trying to prevent this malicious activity from impacting our customers.”

Well, I suppose that there is a certain subset of people who will search on NSI, not immediately register, and want to register over the subsequent four days. If NSI's program does in fact protect such people from front-running, then NSI is acknowledging that the connection between the whois searcher and NSI's server is not secure. It's worth exploring why.

BUT LET'S NOT FORGET THIS SCENARIO:

Your namesearcher is searching EXAMPLE1 through EXAMPLE50 for you. Your name searcher doesn't have a credit card and you're not authorized to spend the money on ten names so you can't snap up all ten. Someone hears a rumor that you're considering EXAMPLE4 as a name. They check the name and now they know that someone has searched the name on whois within the past 4 days.

So everyone is forced to be a name taster now.


Commentary: The partisan elephant unnoticed in the room - Scotus blog

Commentary: The partisan elephant unnoticed in the room:


The Supreme Court, studiously avoiding almost all mention that it was examining a thoroughly partisan political battle, spent a spirited hour on Wednesday looking for ways either to scuttle a major test case over voters’ rights or to find a way — as if the Justices were writing a law themselves — to soften the impact of a tough state requirement for a photo ID before a voter may cast a ballot at the polls.

Only two Justices — Ruth Bader Ginsburg and John Paul Stevens — even hinted at the real-world fact that the photo ID law in Indiana is at the heart of a bitter, ongoing contest reaching well beyond Indiana. It is a dispute between Republicans worried over election fraud supposedly generated by Democrats to pad their votes, and Democrats worried over voter suppression supposedly promoted by Republicans to cut down their opposition.  The abiding question at the end: can a decision be written that does not itself sound like a political, rather than a judicial, tract?  Can the Court, in short, avoid at least the appearance of another Bush v. Gore?

At issue in the consolidated cases of Crawford v. Marion County Election Board (07-21) and Indiana Democratic Party v. Rokita (07-25) is the constitutionality of a 2005 Indiana law providing that voters who show up at the polls without a photo ID will be allowed only to cast a provisional ballot, to be validated later at another place only if they can travel there and then prove identity.  It has been upheld by the Seventh Circuit Court, leading to appeals to the Supreme Court by Democrats or their state party apparatus.

It was apparent from the outset that the Court’s more conservative members were most interested in (a) finding that no one had a right to bring the constitutional challenge, at least at this stage, (b) putting off a challenge until the law has actually been enforced or at least until just before election day, or (c) salvaging as much as possible of the Indiana photo ID requirement on the theory that voter fraud is a problem that states have a legitimate right to try to solve.    There was some hand-wringing, particularly by Justice Samuel A. Alito, Jr., over  how difficult it is for a judge to “draw the line” on when a voting requirement would or would not pass a constitutional test.

And it was equally apparent that the Court’s more liberal members were most keen about (a) pushing the Court to decide the case now, (b) doing so in a way that at least narrows the impact of the Indiana law on poor or minority voters, and (c) applying some constitutional pressure on the states to regulate voter fraud — if they do so at all — with more specifically targeted statutes.

In a notable way, therefore, it appeared that — once more — Justice Anthony M. Kennedy may hold the vote that controls the outcome.  He displayed some skepticism about the challenge to Indiana’s law, somewhat impatiently suggesting at one point that the challengers would oppose any kind of voter ID requirement other than a simple signature match at the polling place. Kennedy seemed ultimately to be looking for ways to assure voters who demonstrably would be significantly burdened by the law that they could challenge it, perhaps even before election day came around.

Because the Nation’s caustic relations between the two major political parties are so clearly on display in the Indiana voter ID case, the Court was obviously at risk of being drawn into the middle of that in hearing the challenge to the state’s voter ID statute.  For the most part, the hearing Wednesday was conducted in the language of the law, not politics and certainly not partisan politics.  It was only barely noticeable, for example, when Justice Ginsburg, focusing on the plight of poor voters without photo IDs or the means to get them, said that states should make it easier for them to vote — “if they want their votes counted.” That conditional phrase was repeated several times, leaving the impression that she was not convinced that Indiana’s legislature was sincerely interested in having the poor (presumably, Democratic voters) take a genuine part in elections.

And there was only one conspicuous reference to the partisan divide in the legislature that produced the photo ID law. Very near the end of the hour, Justice Stevens asked U.S. Solicitor General Paul D. Clement whether it was relevant, in judging whether the case should go forward, that the legislature was “split along party lines” in enacting the bill. He also asked whether it was “fair to infer” that the objective was to create an “adverse impact on the Democratic Party.” Clement indicated he was not sure, saying that any such Republican ploy had “gone awry” because the Democrats did pretty well in the ensuing election.

There was no mistaking, however, that there was a definite link during the hearing between conservative judicial philosophy and skepticism about the challenge to the photo ID laws, and between liberal judicial philosophy and concern over the potential burdens on the more marginalized voters.  Whether those translate into partisan equations — or partisan voting in the end — is another matter entirely.

Justice Antonin Scalia, one of the more predictably conservative members, led the charge against the challengers, drawing in his wake Chief Justice John G. Roberts and Justices Alito and (to some extent) Justice Kennedy in questioning whether anyone had “standing” to bring this case, and in questioning — even more aggressively — whether the case should have been brought at all to the law as written rather than to its actual application in a specific election setting.  As it turns out, those are the two complaints that the Bush Administration leveled most strongly against the challenge.

Washington lawyer Paul M. Smith, representing the Democratic challengers, no doubt used more of his argument than he would have liked on the standing issue, and on defending the pre-election challenge to the statute.  He challenged the Justices to shoulder the burden of decision, saying that, in voting rights cases in particular, the courts must make the hard choices about the validity of limits on voting.  He had particular difficulty with Justice Scalia, who rejected Smith’s suggestion that voter fraud was only “possible,” insisting instead that it actually was “likely.”

Near the end of his argument, Smith was pressed by Justice David H. Souter, one of the more liberal members, to come up with some statistics on how many voters actually might be impacted by the photo ID mandate — questions that seemed designed to help bolster the notion that the law’s impact might, indeed, be substantial.  Smith ultimately said that the law might affect as many as 200,000 voters in Indiana.


A 'Reasonable' Explanation? - From Lextext.com

A 'Reasonable' Explanation?:


All the news of the day continues to be about NSI's front-running domain-tasting service. Yesterday, I said the explanation didn't hold water. A second explanation from NSI (on the GNSO's General Assembly mailing list) starts to sound more reasonable. NSI claims that gTLD registries ("or ISPs") are selling registrar lookup data to third-party domain tasters, who then taste a domain before the customer can register it. If true, that's a real concern that needs to be addressed. I'm not sure NSI has hit on the right solution because this "solution" has the potential to cause just as much consumer confusion as the practice the company is trying to prevent.

If a registry leak is causing front-running, however, it's a hole that needs to be patched, preferably by ICANN.


January 08, 2008

Treated like cattle...threatened....humiliated...and we PAY for this!

Midwest airlines to passenger who was screwed over and shouted at: we did nothing wrong and owe you nothing:


Dave Greenbaum, a loyal Midwest Airlines customer who lobbied to keep the airline running, had his seat screwed up by a check-in attendant. When he asked to be re-seated after boarding, the flight attendant got a security guy who shouted at him and threatened to kick him off the plane.

Then, when Greenbaum complained, he was given a measly $25 voucher. He tried to complain higher up, but was ignored until he sent email to the whole executive of Midwest.

And that's when they took away his voucher and told him they'd done nothing wrong.

When the flight eventually boarded and I noticed it wasn’t the exit row, I politely told a Flight Attendant that there was a misunderstanding at the ticket counter and I asked for an exit row. She took my boarding pass and said she would see what she could do. I assumed it would be if an exit row seat was available, I’d be first to get it.

Instead a very large man named Roger with a booming and aggressive voice, loudly said “I UNDERSTAND YOU HAVE A PROBLEM WITH THIS SEAT AND WANT OFF THIS FLIGHT”.

He held my boarding pass in his hand while saying this and as I reached for it, he pulled it away. I said “No problem officer” and he handed me my boarding pass. I thought I was going to be removed from the flight! The flight appeared to be held while he chatted with the flight staff. I was 100% convinced I was going to be removed from the flight because I complained about my seat. Passengers were visibly shaken, not sure why I was going to be removed from the flight and cause problems later in the travel

January 05, 2008

FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack - Wired

FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack:


Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.

The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.

The revelation is causing concern in security circles because the physical connection of the networks makes the plane's control systems vulnerable to hackers. A more secure design would physically separate the two computer networks. Boeing said it's aware of the issue and has designed a solution it will test shortly.

"This is serious," said Mark Loveless, a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies (PowerPoint). "This isn’t a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. So I hope they are really thinking about how to get this right."

Currently in the final stages of production, the 787 Dreamliner is Boeing's new mid-sized jet, which will seat between 210 and 330 passengers, depending on configuration.

Boeing says it has taken more than 800 advance orders for the new plane, which is due to enter service in November 2008. But the FAA is requiring Boeing to demonstrate that it has addressed the computer-network issue before the planes begin service.

According to the FAA document published in the Federal Register (mirrored at Cryptome.org), the vulnerability exists because the plane's computer systems connect the passenger network with the flight-safety, control and navigation network. It also connects to the airline's business and administrative-support network, which communicates maintenance issues to ground crews.

The design "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane," says the FAA document. "Because of this new passenger connectivity, the proposed data-network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."

The information is published in a "special conditions" document that the FAA produces when it encounters new aircraft designs and technologies that aren't addressed by existing regulations and standards.

An FAA spokesman said he would not be able to comment on the issue until next week.

Boeing spokeswoman Lori Gunter said the wording of the FAA document is misleading, and that the plane's networks don't completely connect.

Gunter wouldn't go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public.

"There are places where the networks are not touching, and there are places where they are," she said.

Gunter added that although data can pass between the networks, "there are protections in place" to ensure that the passenger internet service doesn't access the maintenance data or the navigation system "under any circumstance."

She said the safeguards protect the critical networks from unauthorized access, but the company still needs to conduct lab and in-flight testing to ensure that they work. This will occur in March when the first Dreamliner is ready for a test flight.

Gunter said Boeing has been working on the issue with the FAA for a number of years already and was aware that the agency was planning to publish a "special conditions" document regarding the Dreamliner.

Gunter said the FAA and Boeing have already agreed on the tests that the plane manufacturer will have to do to demonstrate that it has addressed the FAA's security concerns.

"It will all be done before the first airplane is delivered," she said.

Loveless said he's glad the FAA and Boeing are addressing the issue, but without knowing specifically what Boeing is doing, it is impossible to say whether the proposed solution will work as intended. Loveless said software firewalls offer some protection, but are not bulletproof, and he noted that the FAA has previously overlooked serious onboard-security issues.

"The fact that they are not sharing information about it is a concern," he said. "I'd be happier if a credible auditing firm took a look at it."

Special conditions are not unusual. The FAA publishes them whenever it encounters unusual issues regarding a plane's design or performance in order to communicate on record that it expects the manufacturer to address the issue. It's then up to the manufacturer to demonstrate to the FAA that it has solved the problem. Gunter said the FAA has issued eight special conditions on the Boeing 787, but that not all of them pertain to the plane's computer systems.

January 04, 2008

Get Yourself Some RIAA-Free Music - Copyfight

Get Yourself Some RIAA-Free Music:


I wish I'd seen this in time to post it for people's end-of-year buying, but here you go anyway...

RIAA Radar is a site dedicated to offering enough information to make more-informed choices about your music buying, assuming you care about the Copyright Wars.

For the past 6+ years I've refused to buy new CDs retail. I buy direct from artists, I buy used, and I buy DJ white-label disks. Anything else feels like supporting the enemy. What RIAA Radar offers is a set of technological gadgets that let you make more fine-grained distinctions than I make.

For example, you can go to an album's detail page on Amazon.com, press a button and be told that the album is "Safe" in that it's not released by a member of the RIAA. Or not safe, obviously.

There are some nice features, such as a button directly on the RIAA Radar pop-up that lets you submit a correction if you find their conclusion to be in error. They also have some close links to Amazon, which may not please some people, but there's nothing stopping you using the data to take your shopping to whatever retail venue pleases you.

As with many open-source/volunteer software efforts there are some rough edges to the technology, but in general it seems to be a pretty useful gadget to have on a Copyfighter's bookmark bar.


January 01, 2008

Buffalo Buffalo

Man, 75, Hurt While Riding Pet Buffalo:


MESA, Ariz. (AP) - Fire officials say a Cave Creek man who was trying to ride his pet buffalo was mauled by the animal after it bucked him off. The man, 75, was flown to a Scottsdale hospital after the incident at his home about 20 miles north of downtown Phoenix on Monday.

John Kraetz, a district chief for the Rural/Metro fire department, said the unidentified man suffered non-life threatening injuries.

The man owned two of the animals. Kraetz said he's never been on a similar call.

"People do have buffalo on their property, but it's pretty darn uncommon," he said.

We have everything to fear from ID cards - Telegraph

Seems we're not the only ones who are fighting this assault on privacy.

We have everything to fear from ID cards - Telegraph:


We start the year in Britain with a challenge to our essential nature, for 2008 might turn out to be the year when we decide to rip up the Magna Carta.

Among the basic civil rights in this country, there has always been, at least in theory, an inclination towards liberal democracy, which includes a tolerance of an individual's right to privacy.

We are born free and have the right to decide what freedom means, each for ourselves, and to have control over our outward existence, yet that will no longer be the case if we agree to identity cards.

Britain is already the most self-watching country in the world, with the largest network of security cameras; a new study suggests we are now every bit as poor at protecting privacy as Russia, China and America.

But surveillance cameras and lost data will prove minuscule problems next to ID cards, which will obliterate the fundamental right to walk around in society as an unknown.

Some of you may have taken that freedom so much for granted that you forget how basic and important it is, but in every country where ID cards have ever been introduced, they have changed the relation between the individual and the state in a way that has not proved beneficial to the individual. I am not just talking Nazi Germany, but everywhere.

It is also a spiritual matter: a person's identity is for him or her to decide and to control, and if someone decides to invest the details of their person in a higher authority, then it should not be the Home Office.

The compulsory ID card scheme is a sickness born of too much suspicion and too little regard for the meaning of tolerance and privacy in modern life.

Hooking individuals up to a system of instantly accessible data is an obscenity - not only a system waiting to be abused, but a system already abusing.

Though we don't pay much attention to moral philosophy in the mass media now - Bertrand Russell having long been exchanged for the Jeremy Kyle Show - it may be worth remembering that Britain has a tradition of excellence when it comes to distinguishing and upholding basic rights and laws in the face of excessive power.

The ID cards issue should be raising the most stimulating arguments about who we are and how we are - but no, it is not: we nose the grass like sheep and prepare to be herded once again.

It seems the only person speaking up with a broad sense of what this all means is Nick Clegg, the new leader of the Liberal Democrats, who has devoted much of his new year message to underlining the sheer horribleness of the scheme.

He has said he will go to jail rather than bow to this "expensive, invasive and unnecessary" affront to "our natural liberal tendencies".

I have to say I cheered when I heard this, not only because I agree, but because it is entirely salutary, in these sheepish times, to see a British politician express his personal feelings so strongly.

Many people on the other side of the argument make what might be called a category mistake when they say: "If you've nothing to hide, why object to carrying a card?"

Making it compulsory to prove oneself, in advance, not to be a threat to society is an insult to one's right not to be pre-judged or vetted.

Our system of justice is based on evidence, not on prior selection, and the onus on proving criminality is a matter for the justice system, where proof is of the essence.

Many regrettable things occur as a result of freedom - some teenage girls get pregnant, some businessmen steal