St. Cajetan’s Revenge

For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well.

The major reason for my thinking is that I never heard any of the venomous railing against water extending to any other drinks that come in bottles. To my mind, it seemed that a Coke, hey, that’s okay, but if you start with one and take out the sugar, the caffeine, the artificial flavors, and CO2 you end up with water. Coke okay, water evil.

Me, sometimes all I want is a cool drink of water. More often, I want something a little more. I’m very fond of those fizzy waters with a bit of essential oils in them, as well as iced tea. But I don’t want the sugar. I want an artificial sweetener even less, and often when faced with decisions, water is what’s available. When I’m traveling nearly anywhere, I think I’d rather have it in a bottle, thanks.

The prejudice against water comes from thinking that it’s just water. Rarely is there such a thing as just water. The only just water there is is distilled (or in a pinch deionized) water, and that is itself special because it is unusual for something to be just water.

And now, I can’t help but think, “Uh huh” as I read, “Millions in U.S. Drink Dirty Water, Records Show.”

The summary is that more than 20% of US water treatment systems have violated key provisions of the Safe Drinking Water Act over the last five years. The violations include sewage bacteria, known poisons and carcinogens, parasites, and so on. Mid-level EPA investigators say that the government has been interested in other things and just not enforcing things, and they don’t think change will happen.

Security isn’t just going after terrorists, it’s basic things. Like water.

We Take Your Privacy Seriously

So after BNY Mellon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to log in.

Boy, am I glad to know they take my privacy seriously, because otherwise, their failure to fill out fields in their certificate might really worry me.

I mean, I’m not annoyed that BNY Mellon treated my information negligently. Oh, no. I expect that. I am a little annoyed that having done so, they offered me a year of “monitoring” rather than prevention. I’m annoyed that it’s a year, when there’s no evidence that risk of harm falls after a year. And I’m annoyed that the company offering monitoring doesn’t bother to get the little things right.

[Update: This may be a broader issue of all non-EV certs being treated like this. I admit, I rarely check because I rarely care. But when I do care, I reasonably expect it to be done right.]

Top Security Stories of the Year?

Next week, I’ll be joining a podcast to discuss “top security stories of the year.”

I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?

Monkeys krak-oo krak-oo

According to “Campbell’s Monkeys Use Affixation to Alter Call Meaning:”

We found that male alarm calls are composed of an acoustically variable stem, which can be followed by an acoustically invariable suffix. Using long-term observations and predator simulation experiments, we show that suffixation in this species functions to broaden the calls’ meaning by transforming a highly specific eagle alarm to a general arboreal disturbance call or by transforming a highly specific leopard alarm call to a general alert call. We concluded that, when referring to specific external events, non-human primates can generate meaningful acoustic variation during call production that is functionally equivalent to suffixation in human language.

Sorta via Wired, who, not being monkeys, did not use the invariable suffix “here’s a link.”

Photo: Macaque monkey and kitten by Kaz Campbell.

TSA Security Operating Procedures

Via Gary Leff, we learn that “The TSA Puts Their Sensitive Security Screening Procedures Online For All To See (oops).”

It’s another “we blacked out the doc without blacking out the data” story. The doc is 93 pages, and I don’t have time to more than skim it right now. I think that the redactions are generally reasonable, covering things like the gauge of wire which needs to be detectable for an X-ray machine to be considered operational. That’s not something we need to know about to debate the right of free travel. We can assume that there’s some level that the machines are set to, and that’s ok. There are a few redactions where I disagree, like ones about who’s exempted from special security treatment. In a democratic society, we should be able to ask “should members of Congress be subject to the same treatment as the rest of us?”

Generally, what’s in the document is not likely to surprise anyone who flies often and pays attention. What’s most interesting to me are actually some of the non-redacted bits:

A. TSA does not prohibit the public, passengers, or press from photographing, videotaping, or filming screening locations unless the activity interferes with a TSO’s ability to perform his or her duties or prevents the orderly flow of individuals through the screening location. Requests by commercial entities to photograph an airport screening location must be forwarded to TSA’s Office of Strategic Communications and Public Affairs. Photographing EDS (Explosive Detection Systems) or ETD (Explosive Trace Detection) monitor screens or emitted images is not permitted.
B. TSA must not confiscate or destroy the photographic equipment or film of any person photographing the screening location.

That’s very interesting, and not in accordance with signs I’ve seen.

The screening process of an individual begins when he or she walks through a WTMD (or an ETP if it is placed ahead of the WTMD at ETP-equipped checkpoints), or a TSO grants an individual’s request for specialized screening. Once screening has begun, an individual may not withdraw from the screening process. […]
B. If an individual refuses to complete screening after screening has begun, the TSO must notify the STSO. The STSO must advise the individual that the screening process must be completed. The STSO must then offer the individual a final opportunity to complete the screening process. If the individual continues to refuse screening, the STSO must:
1) Notify an LEO and request that the LEO assist in completing screening of the individual
2) Ensure that screening of the individual’s accessible property is completed
3) Inform TSA management if the LEO permits the individual to return to the public area without completing screening
C. If the individual, who has refused to complete screening, returns to the public area prior to clearance or the arrival of an LEO:
1) Screening personnel must attempt to keep the individual under constant observation until an LEO arrives.
2) Screening personnel must not physically detain or hinder the movement of the individual.

This is also a very interesting section. The individual “may not withdraw” but TSA may not detain or hinder someone who tries to leave. I believe that there have been questions raised about this, and now that this is public, I expect more.

Finally, I found 3.9.2.B, “TIP User ID requirements,” interesting:

The user ID number must contain at least four alphanumeric characters, usually comprised of the last four digits of the employee’s Social Security number, and it must be no greater than the number of characters permitted by the x-ray manufacturer. Each user must choose a unique password containing at least four, but no greater than six, alphanumeric characters.

At first, I boggled at this. A 6 character password? Really? Then, as I thought about it, I realized that this isn’t that unreasonable. The machines are in physically secured areas. The data on them isn’t that valuable. It’s probably reasonable.

As an aside, are there fewer than 10,000 TIP operators? If not, there are certainly collisions in the user ID space. Otherwise, it’s a birthday problem.
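To put numbers on both asides (the 4–6 character password space and the birthday problem in a four-digit user ID space), here is an added worked example; it is not from the TSA document and assumes IDs are the last four SSN digits drawn roughly uniformly from 10,000 values.

```python
"""Birthday-problem and password-space arithmetic for the TIP requirements.

Added example, not from the TSA document. Assumptions: user IDs are the
last four SSN digits (10,000 possible values), assigned roughly uniformly.
"""

ID_SPACE = 10_000  # four decimal digits, as assumed above


def collision_probability(n_users, space=ID_SPACE):
    """Exact probability that at least two of n_users share an ID.

    Uses the product form 1 - prod_{k=0}^{n-1} (space - k) / space.
    """
    if n_users > space:
        return 1.0  # pigeonhole: more users than IDs guarantees a collision
    p_unique = 1.0
    for k in range(n_users):
        p_unique *= (space - k) / space
    return 1.0 - p_unique


def expected_collisions(n_users, space=ID_SPACE):
    """Expected number of colliding pairs among n_users: C(n, 2) / space."""
    return n_users * (n_users - 1) / 2 / space


def users_for_probability(target, space=ID_SPACE):
    """Smallest number of users at which a collision is at least `target` likely."""
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n


def password_space(min_len, max_len, alphabet_size=36):
    """Count of distinct passwords of min_len..max_len characters.

    36 = case-insensitive letters plus digits; pass 62 for case-sensitive.
    """
    return sum(alphabet_size ** length for length in range(min_len, max_len + 1))


if __name__ == "__main__":
    print("users for a 50% ID collision chance:", users_for_probability(0.5))
    print("expected colliding pairs with 200 users:", expected_collisions(200))
    print("4-6 char alphanumeric passwords:", password_space(4, 6))
```

With 10,000 IDs the even-odds point arrives at a bit over a hundred operators, long before the space is exhausted, which is the point of the birthday remark.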

[Update: Jon Stewart has assembled some of the news reports, and Ed Hasbrouck covers the FOIA and legal aspects.]

A sociologist reads a Twitter feed

So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house.
The email explains that the display was taken down after two days in large part because so many people were stopping to help, in some cases at risk to themselves.
After pausing a moment to reflect on the evil genius behind this idea, I immediately wondered how the willingness of passers-by to assist might vary according to the amount of traffic on the road passing the house. The notion, exemplified in the infamous Kitty Genovese murder, is that the willingness of people to “get involved” decreases as the (individually-perceived) number of possible interveners increases. If a passer-by knew the route was well-travelled, she would (so one theoretical formulation goes) be less likely to stop, whereas on an infrequently-used byway, she would be more likely to assist. (I later realized that the “cul-de-sac” scenario is more complex, in that drivers/walkers on such a road are much more likely to (think they) know the victim AND to think that their action or inaction will become known by others).
After having these thoughts, I was left chuckling at myself. Would most sane people have analyzed a prank in these terms? Maybe it was because I was reading Luce and Raiffa before breakfast…

Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online.

That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they are prohibited, not bad in themselves. It’s important if we want to export freedom of speech and freedom from self-incrimination, to push for an international norm of limiting the powers of governments, not of people. Of course, since the main way that the international reach of governments is limited is through treaties negotiated by, umm, governments, I don’t expect a lot of that soon.

Not to mention the creation of fake Facebook accounts by Iranian intelligence.

But most interesting is this:

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran’s airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.


One 28-year-old physician who lives in Dubai said that in July he was asked to log on to his Facebook account by a security guard upon arrival in Tehran’s airport. At first, he says, he lied and said he didn’t have one. So the guard took him to a small room with a laptop and did a Google search for his name. His Facebook account turned up, he says, and his passport was confiscated.

The Market for Fake Police Badges


But in New York, a city that has become almost synonymous with high security, where office employees wear picture IDs and surveillance cameras are on the rise, some officers don’t wear their badges on patrol.

Instead, they wear fakes.

Called “dupes,” these phony badges are often just a trifle smaller than real ones but otherwise completely authentic. Officers use them because losing a real badge can mean paperwork and a heavy penalty, as much as 10 days’ pay.

A few police veterans said they believed that many officers bought their second badges at a jewelry shop in Chinatown, near Police Headquarters. They did not want to name the store, however.

“Everybody knows where to go,” Mr. Anemone said.

Words fail me, but not Ray Rivera of the New York Times, who wrote “The Officer Is Real; The Badge May Be an Impostor.”

But taking the cake is the photo, “Police Badge,” by Kimmy’s Kakes.

Eight Million? Eight Million?!?!

Chris Soghoian, who we’ve mentioned here extensively in the past, has posted some new research around just how much electronic surveillance is really going on here in the US.

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

And that’s just Sprint. (Who btw also keeps logs of all IP access for 24 months, including in many cases full URLs.)
You really need to read the full article because he has so much data. As usual, Chris sums things up nicely:

As the information presented in this article has demonstrated, the publicly available law enforcement surveillance statistics are, at best misleading, and at worst, deceptive. It is simply impossible to have a reasonable debate amongst academics, public policy makers, and members of the public interest community when the very scale of these surveillance programs is secret.


As for the millions of government requests for geo-location data, it is simply disgraceful that these are not currently being reported…but they should be.

Per Chris’s request the full data dump has been mirrored here as well.