“You will eventually be caught”

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual Property Section (CCIPS) are available to US Attorneys across the country. The Secret Service operates 15 Electronic Crimes Task Forces. There are 5 Regional Computer Forensic Laboratories operating now with 8 planned to open in the coming years. The Internet Fraud Complaint Center (IFCC) is taking reports from victims of cyber crime and the National White Collar Crime Center supports law enforcement efforts. All of this adds up to a lot of federal, state, and local police working to bust bad guys.

(From Richard Bejtlich’s TaoSecurity.)

This feels wrong to me. Investigating computer crimes is still a very labor-intensive process.
(I’m experimenting to see how MarsEdit handles extended entries.)


Firefox Software Install UI

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file!

Firefox 1.0PR now includes code to deal with this. Here’s how it works.

Justin Mason has a good bit on how Firefox reduces the chances that spyware will end up in your system. This is a nice start. I don’t know that it will work long term. When SSL came out, there were all sorts of sites with directions for working around the security and interoperability. Things like “Your browser will issue a warning. To use this site, click ‘please screw me.’” Spyware sites will start to issue the same sort of message around installing new software to see their dancing bunnies.

Browsers have become big complex technologies. That’s not a slam at the browser folks–users want them to do more and more. As the browser replaces one set of buggy device drivers with another, it may need to start offering an internal security model that controls what APIs different plug-ins can use, etc. It may need to start controlling what modules can access what data, much like an operating system.

Airport Screening Still Fails Tests

Do current security plans depend on no guns getting onto the planes? I hope not.

Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland Security Department.

From The New York Times. Use BugMeNot if you need a login.

In other “guns on planes” news, John Miller, the head of the LAPD’s counter-terror unit, was detained Thursday after forgetting about a gun in his bag.


It’s interesting that Miller got where he is via a PR and reporting background. The obvious charge is security as theater. However, reporters often end up knowing a huge amount about their subjects, and so I don’t want to throw that charge without more research than I can do before dinner.

Verisign’s Kid Credentials

So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which Verisign has been trying, and failing, to flog to consumers for years. (It may be this.)

What’s unclear are the privacy implications. If this is an X.509 cert on a USB token, then what this means is that children will not have privacy in these “kid only” spaces. They’ll be subject to monitoring under their real name. This damages one of the best features of the internet, which is the ability of kids to go online and explore different identities fearlessly. Read their chatroom rules of use: Cyberdating is dangerous!

At least they’re up front in their terms of service: You are being watched. Your name will follow you. Yeah, I wanna go play there.

What’s In A Name?

“BRANSON, Mo. – A Branson man has put a face to the anonymous references people often make to “they” by changing his name to just that: “They.”

“Not only is he making a statement about his name, but he’s messing with the entire English language,” friend Craig Erickson said.

How can you argue with messing with the entire English language?

(From AP via Languagehat.)

“Post-Totalitarian Stress Disorder”

This – the damage done to individual psyche – and not just to the physical infrastructure and institutions of the country, is what we have to always keep in mind when assessing the progress of reconstruction and democratisation in places like Iraq. If things aren’t moving ahead as fast as expected, if cooperation is lacking and trust hard to find, and if the population seems apathetic and disengaged, it’s just the fallen regime having its final chuckle from beyond the grave.

“Post-Totalitarian Stress Disorder” is a fascinating piece in Chrenkoff (via Iraq The Model).

Acceptable ID

Virginia Postrel writes about flying without ID:

Coming home today from New York, I was a little more prepared. I still didn’t have “government-issued i.d.,” but at least I knew I was headed for trouble. I got to JFK several hours early. The young security guard wasn’t sure what to do with me and asked a more senior guard. The elder guard sternly insisted that I must have a photo.

“This is a little weird,” I said to the young guard, as I opened my bag and pulled out one of the extra paperbacks I’d snagged from my publisher. “I wrote this book, and here’s my photo in it.” He laughed and let me through. This time, they didn’t even search my bags.

Below, I wrote about discretion for screeners. This is a great example of that discretion being used in a harmless and entertaining way. Of course, since anyone can get a book published, this can’t last.

account.management@gmail.com

So when Google Mail started up, I managed to register “account.management@gmail.com.” I didn’t have any particular plan for this, I just figured that it was entertaining, and a good, harmless prank could be made of it. (I specifically emailed a friend who works for Google security about it, and mentioned it in person next time we saw each other.) Google has just closed the account.

The termination clause of their terms of use clearly allows this: “Google may at any time and for any reason terminate the Services, terminate this Agreement, or suspend or terminate your account.”

So, I’m not really complaining. I do wish I’d gotten a good prank from it.

I do hope they don’t terminate the accounts that were associated with it, because a bunch of family members are using their accounts more in line with the way Google wants you to. But this raises a real worry. The lack of consideration for your account, along with that clause, may allow them to shut you out of your email. I’m glad I’m not seriously using the service.

There’s a great business in selling gmail appliances for corporate email, I think. Google’s reconsideration of the use of email was well overdue, and I’d like to be able to use their work without such worries.

“All Persons Held As Slaves Shall Be Forever Free”

Happy Emancipation Proclamation Day!

On Sept 22, 1862, President Lincoln issued the Emancipation Proclamation:

“…all persons held as slaves within any State or designated part of a State the people whereof shall then be in rebellion against the United States shall be then, thenceforward, and forever free;”

Now, like many government proclamations, there was more to read in the fine print. This is a good summary, but essentially, Lincoln knew that his powers as President, even during wartime, were limited, and he was only able to free slaves in the Confederate (rebellious) states.


Regardless, a great day for human freedom. Raise a glass to Abe Lincoln tonight.

Testing Airline Data for …what?

The New York Times reports that
“The Transportation Security Administration said Tuesday that it planned to require all airlines to turn over records on every passenger carried domestically in June, so the agency could test a new system to match passenger names against lists of known or suspected terrorists.”

The data will vary by airline. It will include each passenger’s name, address and telephone number and the flight number. It may also include such information as the names of traveling companions, meal preference, whether the reservation was changed at any point, the method of ticket payment and any comment by airline employees, like whether a passenger was drunk or belligerent in encounters with airline personnel.

Now, I may have missed it, but it seems that no hijackings took place in the US in June. So what does a successful test look like? What’s more, information about how belligerent a passenger is on the plane is clearly not available before they fly, unless there’s a new database of belligerent passengers that will be maintained. I saw no mention of such in the PIA or Federal Register notice.

The question is partially answered: “What we’re looking for is the people who are actually on that list,” said Lisa Dean, of TSA. Does TSA need a month of real data to see if they can match names, addresses, and phone numbers from a database?

This whole article forces me to ask, does the current system work at all? If there’s a list of people who are a threat to aviation, shouldn’t we have arrested some of them when they tried to fly?

This system isn’t ready for testing, never mind using real data.