Showing posts with label security. Show all posts

Monday, March 30, 2009

The inhuman Flash vulnerability

A reliable security exploit for Flash is big news, or at least it should be big news, because Flash is on nearly every graphical browser on nearly every operating system, and there's only one supplier. (Sure, there's Gnash, but that's not yet ready for prime-time, and may never be.) A good exploit against Flash could allow Bad People to p0wn nearly every desktop everywhere. So even though this is a year old, this is still important.

Cyberdyne Systems, er, sorry, IBM researcher Mark Dowd demonstrated an incredible vulnerability that allows a single Trojan to exploit Flash in either IE or Firefox while leaving the Flash runtime operating normally. And it can bypass Vista security. Although Dowd doesn't explicitly mention other OSes, I see no reason to believe the same technique wouldn't work on Linux as well.

Start with the vulnerability.

It’s an integer overflow, but not a simple one.
...
The net result of this silliness is that it’s hard to do what attackers normally do with a write32 vulnerability, which is to clobber a function’s address with a pointer back to their buffer, so that their shellcode is called when the clobbered function is called. So Dowd’s exploit takes things in a different direction, and manipulates the ActionScript bytecode state.
...
Clobber the right value in the length table, and you can make an unused bytecode instruction that the verifier ignores seem much longer than it is. The “extra” bytes slip past the verifier. But they don’t slip past the executive, which has no idea that the unused bytecode has trailing bytes. If those trailing bytes are themselves valid bytecode, Flash will run them. Unverified. Giving them access to the whole system stack. Game over.

Security is hard.
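The verifier/executor mismatch described in the quoted passage, reduced to a toy VM in Python. This is an added example, not code from the original post, from Dowd's paper or from Flash. The opcodes, the length-table layout, the memory image and the `verified` cross-check in `execute` are all assumptions made for the illustration.

```python
"""Toy bytecode VM, constructed for illustration (not Flash or ActionScript code).

The verifier steps through the code using a length table; the executor decodes
operands itself. If the two disagree about an instruction's length, bytes the
verifier skipped are still executed.
"""

HALT, PUSH, ADD, LOADLOCAL, UNUSED = 0x00, 0x01, 0x02, 0x03, 0xF0
NUM_LOCALS = 4

# Constructed memory image: slots 0-3 are the locals, slot 7 lies outside them.
MEMORY = [10, 20, 30, 40, 0, 0, 0, 0xC0FFEE]

# Constructed programs.
BENIGN = bytes([PUSH, 2, PUSH, 3, ADD, LOADLOCAL, 1, HALT])
SMUGGLED = bytes([PUSH, 1, UNUSED, LOADLOCAL, 7, HALT])


def fresh_length_table():
    """Correct instruction lengths, as the verifier expects to find them."""
    return {HALT: 1, PUSH: 2, ADD: 1, LOADLOCAL: 2, UNUSED: 1}


def verify(code, lengths):
    """Check every instruction the length table leads us to.

    Returns the set of offsets that were checked. Raises ValueError for an
    unknown opcode, a truncated instruction or an out-of-range local index.
    """
    checked = set()
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in lengths:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
        size = lengths[op]
        if size < 1 or pc + size > len(code):
            raise ValueError(f"bad instruction length at offset {pc}")
        if op == LOADLOCAL and code[pc + 1] >= NUM_LOCALS:
            raise ValueError(f"local index out of range at offset {pc}")
        checked.add(pc)
        pc += size  # an UNUSED opcode is simply stepped over
    return checked


def execute(code, memory, verified=None):
    """Run the code and return the final stack.

    The executor trusts the verifier and does no bounds check of its own on
    LOADLOCAL. If `verified` is given (the hardening assumed by this example),
    it refuses to dispatch at any offset the verifier did not check.
    """
    stack = []
    pc = 0
    while pc < len(code):
        if verified is not None and pc not in verified:
            raise RuntimeError(f"unverified instruction at offset {pc}")
        op = code[pc]
        if op == HALT:
            break
        if op == PUSH:
            stack.append(code[pc + 1])
            pc += 2
        elif op == ADD:
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
            pc += 1
        elif op == LOADLOCAL:
            stack.append(memory[code[pc + 1]])  # index trusted, not re-checked
            pc += 2
        elif op == UNUSED:
            pc += 1  # the executor knows nothing about "trailing bytes"
        else:
            raise RuntimeError(f"unknown opcode {op:#x} at offset {pc}")
    return stack


if __name__ == "__main__":
    try:
        verify(SMUGGLED, fresh_length_table())
    except ValueError as err:
        print("intact table, verifier rejects:", err)

    # Model the corrupted table entry: UNUSED now appears to be 3 bytes long.
    clobbered = fresh_length_table()
    clobbered[UNUSED] = 3
    offsets = verify(SMUGGLED, clobbered)
    print("clobbered table, verifier checked offsets:", sorted(offsets))
    print("executor without cross-check returns:", execute(SMUGGLED, MEMORY))
    try:
        execute(SMUGGLED, MEMORY, offsets)
    except RuntimeError as err:
        print("executor with cross-check stops:", err)
```

With the table intact the verifier rejects the out-of-range `LOADLOCAL`. With the `UNUSED` entry inflated, the verifier never sees that instruction, and only the executor's cross-check against the verified offsets stops it from running.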

Sunday, March 22, 2009

Ex-Bush official confirms innocents at Gitmo

If it wasn't obvious by now, it should be: most of the people rounded up and jailed without charge at Guantanamo Bay were guilty of nothing more than being in the wrong place at the wrong time.

Retired Army colonel and former chief of staff to the then-Secretary of State Colin Powell, Lawrence B. Wilkerson, told The Associated Press last Thursday that many of the detainees were innocent men, and that there was no meaningful attempt by US forces to distinguish actual terrorists from civilians.

Not only were they unable to separate civilians from fighters, but they had no desire to. Wilkerson revealed that he learned from military commanders that they had determined early on that the men were innocent, but decided to keep them imprisoned regardless: "It did not matter if a detainee were innocent. Indeed, because he lived in Afghanistan and was captured on or near the battle area, he must know something of importance." [Emphasis added.]

Wilkerson wrote, "U.S. leadership became aware of this lack of proper vetting very early on and, thus, of the reality that many of the detainees were innocent of any substantial wrongdoing, had little intelligence value, and should be immediately released." Former Defense Secretary Donald Rumsfeld and Vice President Dick Cheney prevented the situation from being addressed, because "to have admitted this reality would have been a black mark on their leadership."

Wilkerson also confirmed that many detainees had no connection to either the Taliban or to al-Qaida, and had been turned in for the $5,000 per head reward money.

Of the 800-odd prisoners at Guantanamo, of whom 240 remain, Wilkerson claimed that two dozen are actual terrorists. (That's a ratio of over 32 innocents per terrorist.) He also revealed that the US government couldn't try them even if they wanted to, "because we tortured them and didn't keep an evidence trail."

More here.

This is a good time to remember that while President Obama has promised to close Guantanamo Bay, he has so far refused to do the same for the even more secret Bagram Air Base in Afghanistan. Not only has Obama refused to close Bagram, or open it to oversight, or at least to trials, but there are plans to increase the number of people disappeared into the secret prison.

Tuesday, March 10, 2009

Perverse incentives

Bruce Schneier has written an article on perverse security incentives. The concept of a perverse incentive comes from economics, where it refers to an incentive that, deliberately or accidentally, rewards inefficient or bad behaviour.

Such "perversely" inefficient behaviour isn't necessarily bad. It's an economic term focusing on a single aspect of the human condition: a rather narrow view of economic efficiency. Spending money on taking Granny to the doctor instead of selling her to the glue factory would, according to some definitions, count as inefficient, and therefore love, loyalty, affection and kindness might be counted as "perverse incentives". This isn't a bad thing -- we'd all be a lot happier if we admitted that we're all pervs in one way or another, and besides it's not the job of economists to make value judgements. Their job is to tell us how efficiently we're spending, or making, money, and it's our job to make the value judgements that, all things considered, Gran's got a few more years left in the old bird, and besides one day we'll be that old too.

So remember that while perverse incentives are often harmful as well as inefficient, this isn't necessarily the case. Schneier discusses the case of a store that fired an employee for stopping a shop-lifter escaping with hundreds of dollars of stolen food. Sounds ridiculously stupid, yes? But not if you look at the big picture: a few hundred dollars' worth of food is nothing compared to the tens or hundreds of thousands of dollars the store could be liable for if the staff member tackled and injured an innocent customer, or if the thief pulled out a weapon and killed somebody. As Schneier explains (and so many of the commenters on the blog fail to grasp), "You Will Not Attack Shop-Lifters" is a security measure: it protects the store against worse consequences than a backpack full of groceries being stolen.

For the same reason, banks typically have a strict No Heroics rule. It's not worth the life of a teller to save the insurance company from suffering a slightly lower profit in one quarter. This sort of economic reasoning comes hard to most people. It comes hard to me -- even knowing all the reasons why it would be stupid to put yourself in danger for somebody else's profit, the very thought that thieves are getting something for nothing offends every fibre of my being[1]. As a species, we have a deep hatred of cheaters who break the social contract (unless it is Us breaking the contract against Them -- we're a moral species, but also a hypocritical species).



[1] As a 19 year old, when I was young and invincible, one of my fellow uni students and I almost walked into a bank robbery in progress at a bank on Melbourne University campus. We saw these two masked gunmen, and came *this close* to deciding to tackle them when they came out of the bank. Fortunately, we decided to walk around the building once first, and if the robbers were still there, then we would tackle them. They weren't.

Sunday, March 02, 2008

Secret Service versus the candidates

Why isn't the Secret Service protecting Hillary Clinton and Barack Obama?

Among other duties, the Secret Service is responsible for protecting America's presidential candidates. But something strange has happened this electoral campaign: the Secret Service has started letting people into Clinton and Obama rallies without being screened for weapons or even given a visual check.

The story first broke when the Dallas police force publicly questioned the orders they were given to stop screening, but it's since come out that, this campaign, it's been standard Secret Service policy for all of Clinton's and Obama's rallies: set up metal detectors and screen the crowd, then at some arbitrary point stop and let everyone else in.

The Secret Service has admitted that this is standard procedure, although there's been no word on whether they apply the same procedure to Republican candidates. They certainly don't apply it to public appearances by Bush and Cheney, nor did they apply it during the 2004 presidential elections.

There have already been death threats against Obama. The Secret Service initially took them so seriously that he was given Secret Service protection earlier than any other candidate in American history.

Monday, February 25, 2008

The Anonymity Experiment

Can you live in a big city without leaving traces? Who is watching you and what you do?

In 2006, David Holtzman decided to do an experiment. Holtzman, a security consultant and former intelligence analyst, was working on a book about privacy, and he wanted to see how much he could find out about himself from sources available to any tenacious stalker. [...] When he put the information together, he was able to discover so much about himself—from detailed financial information to the fact that he was circumcised—that his publisher, concerned about his privacy, didn’t let him include it all in the book.

[...] Last year, 127 million sensitive electronic and paper records (those containing Social Security numbers and the like) were hacked or lost—a nearly 650 percent increase in data breaches from the previous year. [...] Last November, the British government admitted losing computer discs containing personal data for 25 million people, which is almost half the country’s population.

[...]

It was strangely calming, standing in this dim room, watching the words and thoughts of strangers reveal themselves to me. I still had my hat on, but for once there were no surveillance cameras, so I sat down on a bench in the room and pulled out my notebook, grateful to finally be the observer rather than the observed. And then, out of the corner of my eye, I saw her: a security guard standing in the room’s darkened corner—silent, motionless, watching.

Unlike some, I'm not ready to give up on privacy in the information age. I'm with this important essay by Bruce Schneier:

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

[...]

There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

Speaking of privacy... I want this.

Major security hole in encryption products

Professor Ed Felten has published research that demonstrates conclusively that disk encryption can be defeated quite easily due to a hardware leak: even when you turn off power, modern memory chips will hold their contents for minutes without any special actions. If you cool the DRAM chips they can hold their contents for hours. This is important because it allows an attacker to retrieve the encryption key from memory and use it to decrypt the hard disk.

This news doesn't make disk encryption useless. It will still protect your data in the event of casual theft, but it does mean that if you have sensitive data, and you believe you could be targeted by people wanting that data, you can't rely on disk encryption. At this time, there is no work-around, and the operating system you use is irrelevant. I expect that the eventual fix will be a circuit to fill the DRAM chips with random data when the computer is turned off.

Friday, January 18, 2008

More nonsense about Open Source vulnerabilities

Computer World is claiming that Red Hat Linux and Firefox are "more buggy" than Microsoft Windows.

That at least is the conclusion you are supposed to draw from the article's title, the summary and the opening paragraph:

Windows not that bad after all
By Matthew Broersma, Techworld


Secunia has found that the number of security bugs in the open source Red Hat Linux operating system and Firefox browsers far outstripped comparable products from Microsoft last year.

So they say. But if you read on to midway down the second page of the article, you get a very different picture:

Red Hat [Linux] was found to have by far the most vulnerabilities, at 633, with 99 percent found in third-party components. ...

Windows had only 123 bugs reported, but 96 percent of those were found in the operating system itself.

So let's see how that works. Red Hat Linux, which ships with multiple hundreds of third party applications, almost all of which are non-critical and don't even get installed, has about six vulnerabilities in the operating system. Windows, which ships with a handful of applications, has about 118 vulnerabilities in the OS. According to Computer World, an OS with six vulnerabilities is more buggy than one with 118 vulnerabilities.

Yeah, right. Sure it is. Just how much advertising does Microsoft do with Computer World?

The article goes on:

In the browser field, Firefox led the way with 64 bugs, compared to 43 for Internet Explorer, and 14 each for Opera and Safari.

However, in an examination of zero-day flaws - reported by third parties before a patch was available - Secunia found that Firefox tended to get more patches, sooner, compared to IE.

Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.

You got that? The shortest time IE was vulnerable to known security bugs was nearly three months, compared to just over a week for Firefox.

But IE only looks as good as it does because ActiveX bugs are counted separately: IE had no fewer than 339 ActiveX bugs in 2007. If you include them in the count for IE, as you should, then you're comparing 382 for IE versus 64 for Firefox.

You almost -- almost -- have to admire the journalist's gall in trying to push a whopper of this size. Sadly, this sort of behaviour is very common: half-truths and deceptive statements in paragraph one, the actual facts buried deep in the article. That way you're not lying, because all the facts are there.

The people doing this know that there is a strong correlation between the number of readers and how close to the top of the article something appears: for each extra paragraph you bury something under, you reduce the number of readers by a surprisingly large percentage.

I've written about the tendency of the IT press and security industry to make misleading if not dishonest comparisons between Linux and Windows before.

Thursday, December 27, 2007

The war on the unexpected

Bruce Schneier has a good name for the faux-war on terror the cowardly Chicken Littles have created: the War on the Unexpected. Anything different or unexpected must be a threat:

We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.

This isn't the way counterterrorism is supposed to work, but it's happening everywhere. It's a result of our relentless campaign to convince ordinary citizens that they're the front line of terrorism defense. ...

The problem is that ordinary citizens don't know what a real terrorist threat looks like. They can't tell the difference between a bomb and a tape dispenser, electronic name badge, CD player, bat detector, or trash sculpture; or the difference between terrorist plotters and imams, musicians, or architects. All they know is that something makes them uneasy, usually based on fear, media hype, or just something being different.

The full article is well worth reading, and contains many links to actual cases of the most awe-inspiring stupid security "threats". None of the examples quoted above are made up.

In recent weeks:

  • Concert-goers to an open-air concert in Perth were told that picnic blankets and rugs were prohibited as they were a security risk. Adding a note of the surreal, the tickets warned patrons not to bring "crocodiles or spears" to the concert.

  • A blind calypso musician and his band thrown off a plane after another passenger complained they had been in high spirits earlier but were now sitting quietly.

  • An orthodox Jew on a train was arrested after passengers panicked on seeing him praying while sitting next to a man wearing a turban.

  • A Florida bomb squad called in to blow up a typewriter.

  • Police evacuate everyone within a mile radius of some fake dynamite taped to the side of a house.

    (The comments on that story are interesting: in summary, it seems that the cops simply followed the Department of Transportation's guidelines, which seem to be massively over-cautious compared to the guidelines offered by the Department of Defense and usual practice for disarming known high-explosive bombs.)

Earlier incidents in the war on the unexpected:

  • An Australian pub patron thrown out by bouncers for reading a book called The Unknown Terrorist.

  • A Canadian firetruck racing to a fire in New York was stopped at the US border for eight minutes while border officials checked the firefighters' IDs and the truck's licence plates.

  • In 2005, a man in the UK who fell into a diabetic coma on a bus was shot twice with a Taser gun by police who feared he may have been a terrorist.

Are we feeling safer yet?

Another study criticising voting machines

Over the last decade or so, the American political machine has become rotten to the core with vote fixing, secret counting, lost votes and other "irregularities". (Those with long memories of infamous political bosses like William Tweed will see this corruption as a return to normality after a half century of relative honesty and transparency.)

As Bruce Schneier reports, more and more US states are realising just how bad the electronic voting machines are. Like California before them, Ohio has just published a massive study on voting machines and found that they are insecure, untrustworthy, vulnerable to malicious software and operator fraud, and easy to undetectably hack using simple tools.

Colorado has decertified most of its electronic voting machines. California seems to be ready to do the same, and surely Ohio can't be far behind. In 2006, New Mexico changed to a paper ballot system. Unfortunately for every politician who understands about the risks, there's another who is either ignorant, in denial, or actively pushing for insecure voting systems ("all the better to make sure the right person wins, my dear").

In related news, it seems that Diebold -- not the worst of the bad bunch at all, merely the first to be caught -- is re-thinking their voting machine business.

And in other news, former staff at Sequoia Voting Systems' printing plant have gone public with claims that in 2000 they were ordered to send inferior quality punched cards to West Palm Beach (Florida), purposely misprinted, so that the cards would fail and Sequoia could push its more profitable touch-screen voting machines to the states.

Testing airport security

You're probably familiar with any number of ad hoc experiments where some journalist, law-enforcement officer or random clown successfully smuggles a gun or knife onto a plane, demonstrating the weakness of airport security.

These sorts of anecdotes make powerful memes, but what does the scientific evidence say about airport security?

According to a recent study by the Harvard School of Public Health, there's no evidence that X-raying carry-on luggage, taking off shoes and confiscating small items has prevented any hijackings or attacks.

The TSA defended the searches, claiming that they confiscated 13 million prohibited items in one year, "most" of which were cigarette lighters.

Bruce Schneier responded:

This is where the TSA has it completely backwards. The goal isn't to confiscate prohibited items. The goal is to prevent terrorism on airplanes. When the TSA confiscates millions of lighters from innocent people, that's a security failure. The TSA is reacting to non-threats. The TSA is reacting to false alarms. Now you can argue that this level of failures is necessary to make people safer, but it's certainly not evidence that people are safer.

The report in the British Medical Journal points out that widespread screening programs for threats to public health are usually only enacted if there is clear evidence that they work -- otherwise they do nothing to improve health and safety, but merely waste a lot of time and money for no gain:

With $6.5 billion spent globally on airport protection each year, the public should be encouraged to query some screening requirements – such as forcing passengers to remove their shoes, the researchers said.

"Can you hide anything in your shoes that you cannot hide in your underwear?" they asked.

Sunday, November 18, 2007

Making Communist Yugoslavia look good

It's certainly very special when the Home of the Free makes Communist Yugoslavia under a despotic totalitarian government look good, but the experience of photographers in the USA is doing that.

Avram Grumer explains:

Back in the ’80s, my parents (who are Balkan folk dance enthusiasts) visited what was then the Socialist Federal Republic of Yugoslavia, a Communist nation. While there, my father photographed a picturesque lake. He snapped off a shot or two, and was interrupted by a government official who told him that photographing that lake was forbidden, due to the presence of some militarily sensitive facility (I forget what; a power plant or something). My father put the camera away, and that was it. They didn’t confiscate the camera or the film, didn’t make him expose the roll to the light, didn’t haul my parents off for an interrogation. A print of the photo hung on my parents’ wall for years; no sort of industrial facility is visible in it. It’s just a photo of a pretty lake.

Compare that with the treatment this Japanese tourist got at the hands of Amtrak and the New Haven police:

A conductor on an Amtrak train from New York to Boston ordered the Japanese tourist to stop taking photos of the scenery "in the interests of national security", and threatened to confiscate his camera. The tourist, who spoke little English, complied with the order and put the camera away in his bag. Nevertheless, at the next stop, the train was boarded by police, who threatened to remove him with force:

The police speak through the interpreter, with the impatience of authority. [...] The officers explain, “After we remove him from the train, when we are through our investigation, we will put him on the next train.” The woman translates. The passenger replies, “I’m meeting relatives in Boston. They cannot be reached by phone. They expect me and will be worried when I do not arrive on schedule.” “Our task,” the police repeat, "is to remove you from this train. If necessary, we will do so by force. After we have finished the investigation, we’ll put you on another train.” The woman translates. The traveler gathers his belongings and departs.

To add insult to injury, it turns out that Amtrak has no such policy prohibiting photography on their trains.

The witness to these events wrote:

It doesn't take more than five minutes, in any airport in this country, before I hear the loudspeaker, "The current terror threat is elevated." We hear “terror” endlessly – traveling, at home, on television, in the news. Recent political campaigns have reminded – no, badgered – us, to be very afraid. What did Franklin Roosevelt say, that “the only thing we have to fear is fear itself.” Terror. Paranoia. We can no longer differentiate between terrors. Is this our generation’s enlightened contribution to American culture?

Watching police escort a visitor off the train, I felt anger, not comfort. This action was beyond irritating. It is intolerable, unacceptable. If it bothered me, it paled in comparison to the way it inconvenienced, and will long trouble, this visitor to our country. We disrupted his travel plans and family reunion. Even greater than the psychological damage we inflicted is the harm we’ve done to ourselves. We missed an opportunity to show kindness, to be ambassadors of goodwill. The visitor will return home. He will indeed impress many people – not with pleasant memories and pictures of a quiet morning trip along the New England coast, but with a story of being removed and detained by American police for taking pictures. Do we imagine we’ve gained anything because a single visitor returns home with stories of mistreatment?

Such blatant attempts to intimidate photographers aren't limited to tourists or Arabs. Avram Grumer links to a number of sites documenting these incidents. At one of these sites, "C.E." explains that he's been a professional photographer for thirty years, been taking photos all over the world, during martial law, before and after military coups and terrorist bombings, and even once accidentally inside a military base, and he's never been subject to as much harassment as he receives in the USA. And he is an American.

I think the best, or at least the most amusing, comment explaining why these events are becoming more common came from Chris Waller, talking about the similar situation in the UK:

Increasingly in Britain a lot of overweight young men of low intelligence who are otherwise unemployable are being stuffed into ill-fitting uniforms and given the idea that they are saving the Western world from sinking into chaos as a result of terrorism.

Follow that spam!

Mark Wade over at the CA Security Advisor Blog decided to find out what happens when you buy from a spammer.

Our journey begins outside of Washington, DC. I am sitting at my desk, going through my SPAM filtered email, when I see one that catches my eye, “Dreams can cost less repl1ca w4tches from r0lex here”. Sounds interesting I thought, and I could use a new watch. Knowing the harmful effects of opening unsolicited email, I decided to open the email in a controlled virtualized environment.

It seems that the spam most likely originated in a small church in Washington State, probably from a malware-infected computer used by Cheryl Neff, the assistant to the senior pastor. Mark followed the link in the email to a professional-looking, but temporary, website. Using a credit card opened specifically for the experiment, he then purchased a set of earrings for $77 including postage and handling.

Mark followed the money, from websites in China and Korea, through a series of shell companies starting in Las Vegas, and finally ending up in Cyprus where the money was collected. Surprisingly, the earrings may have been shipped from China, but if they were, they got lost in the mail, because the parcel never arrived.

I'm fascinated by the fact that spammers can actually find any buyers at all. Economists will often talk about trust issues. For example, banks tend -- or at least they used to, before the economic rationalists moved in -- to go for big, imposing, expensive buildings, with high ceilings and marble floors and Grecian columns as far as the eye could see. The more risky the industry, the more important to convince people that you are trustworthy by showing commitment. "You can trust us not to take your money and run, because we've invested a lot in this business and we won't be going anywhere for a long time". And yet this seems to go right out the window when it comes to on-line purchases, at least for those who buy from spammers. Most spam websites are active for only a few weeks, before they are closed down and re-open under a new name. But there seems to be a never-ending stream of buyers.

It's tempting -- oh, so very, very tempting -- to just put it down to pure, unadulterated stupidity. But that's a simplistic answer. Many buyers are hardly stupid: they have good white-collar jobs, educations, can walk and chew gum at the same time.

So what's going on? Is it that buyers are so naive that they can't recognise that they're being scammed? Is spam just the 21st century version of the old con of selling the Brooklyn Bridge to some country bumpkin, still with hayseed in his hair, visiting the big city for the first time?

I think there's more to it than that. For various reasons (advertising, welfare, the legions of pop-psychology books...), we live in a society that encourages a sense of wishful thinking, that wanting something to be real makes it real. Not that Homo sap needs much encouragement to wishful thinking and delusion. Rather than "if it seems too good to be true, it probably is", too many people act as if "if it seems too good to be true, it will be true anyway just because you deserve it".

Add to that the widespread use of credit cards, which encourages people to act as if money didn't matter even when it does, at least until all five of your cards are maxed out. Since you're not really paying for the goods, the credit card is, the risk is minimal -- or so seems to be the perception.

But one thing that doesn't make any sense to me at all is that people can take seriously any advertising written as shoddily as "repl1ca w4tches from r0lex here". This is worse than Greengrocer's Apostrophe; worse than VCR instructions translated into English from Chinese by a Korean. Not only does it look careless and incompetent, it is a deliberate attempt to bypass software that filters out spam. That screams "Deceit!". Why would anyone choose to buy from somebody who as good as says "Hey, I'm lying to you right now"?

Monday, November 12, 2007

Secrecy is like a weed

Unless you take steps to keep it under control, it spreads and takes over everything.

The Bush government has been one of the most secretive ever, for less reason than ever before. This stain has started spreading to even scientific organisations like NASA, which has refused to release the results of a survey into airline safety.

Anxious to avoid upsetting air travelers, NASA is withholding results from an unprecedented national survey of pilots that found safety problems like near collisions and runway interference occur far more frequently than the government previously recognized.

NASA gathered the information under an $8.5 million safety project, through telephone interviews with roughly 24,000 commercial and general aviation pilots over nearly four years. Since ending the interviews at the beginning of 2005 and shutting down the project completely more than one year ago, the space agency has refused to divulge the results publicly.

Just last week, NASA ordered the contractor that conducted the survey to purge all related data from its computers.

The Associated Press learned about the NASA results from one person familiar with the survey who spoke on condition of anonymity because this person was not authorized to discuss them.

A senior NASA official, associate administrator Thomas S. Luedtke, said revealing the findings could damage the public's confidence in airlines and affect airline profits [emphasis added].

Heaven forbid if the airlines' profits were hurt because people could make informed decisions. That's not the capitalist way!

Sunday, September 09, 2007

The Chaser security prank success

Have you ever wondered what sort of security AUD$250,000,000 buys? (Early reports suggested the cost of the security for APEC was $165 million; later figures suggested it actually cost $250 million. Either way, it is a lot of money.)

Apparently very little.

People are talking about The Chaser's wonderful prank where they drove a car with a fake Osama bin Laden right up to the highest security section of last week's APEC conference without being stopped. PZ Myers thought it was pure entertainment; Bruce Schneier is also a fan.

All the stupid security theatre and money wasted -- Australian taxpayers' money -- and it was only when Chas Licciardello, dressed as Osama bin Laden, stepped out of the car shouting "Where is my friend Bush? It has all been a misunderstanding!" that the security realised that something was wrong.

[Sarcasm alert] It's hard to blame the security guys. They're doing a simple job for lots of money: keep out people who don't belong. If they got fooled by The Chaser's cunning plan to put a Canadian flag on their cars, well, ask yourself: who wouldn't have been fooled? Just because "Osama bin Laden" was sitting in the back seat of a supposedly Canadian vehicle, well, that's hardly suspicious. And tell me that you too wouldn't have been fooled by this inauthentic-looking insecurity pass:

[Image: Insecurity pass]


The Australian media, especially the Herald-Sun, loves to throw around the word "hero" to describe any Australian who basically isn't a total and complete waste of space. Saved thirty-seven children from a burning building? Hero. Rescued a cat stuck in a tree? Hero. Got hit by lightning and didn't die? Hero. Fell down drunk and chipped a tooth but didn't cry? Hero. But I think they really missed an opportunity to use the term appropriately. The Chaser guys might have been doing television comedy, but they were also making vitally important social commentary. As taxpayers and members of society, we are entitled -- no, not an entitlement, we have a duty -- to ask if our money is being put to good use. Spending a quarter of a million dollars, or even half that, for security which can be breached so easily is worse than a joke. The entire country should be thanking The Chaser for revealing that the Emperor has no clothes. Not only are they risking jail, but they actually risked their lives to make a point: all it needed was one trigger-happy government sniper on the rooftop and they could have been killed.

What we've learnt is that actual terrorists could have strolled right up to the restricted zone with no difficulty at all. Anybody could have done it. While the police were busy shutting down the entire city of Sydney (at who knows what economic cost) and keeping democratic protesters at least ten kilometres away from the conference, Osama bin Laden himself could have strolled right up to George Bush and given him a wedgie.

Or detonated a bomb.

If the clowns running this nation had really cared about security, instead of just the security opera of 24/7 helicopter fly-bys, snipers on rooftops and stopping tourists from taking photos, they would have held the conference somewhere inaccessible, like Canada did in 2002 when they held the G8 Conference in Kananaskis, population 429.

[Aside: I like these people.]

There's a certain level of tension between the needs of democracy -- the right of people to protest where they will be heard by those making the decisions -- and of security. Personally I think that the needs of democracy should outweigh those of security. Presidents and prime ministers might come and go, but democracy needs to survive. Protesters should be allowed to protest right outside George Bush's bedroom window, at least from 9am to 5pm. But if you want to put security first, then don't hold your conference in Sydney. Hold it miles away from any population centre, where you have more control over who comes in. That's good security and good economics.

Instead, what we got was bad security and bad economics, but lots of security opera. Good security should be as close to invisible as you can afford -- just visible enough so you know it's there, but not so much that it disrupts normal activity. Instead Sydney was completely disrupted, money was wasted, and for no good effect.

Naturally, the con artists who have wasted our money aren't happy about being exposed. NSW police minister David Campbell threw a hissy-fit at the tricksters:

An angry David Campbell denied he was embarrassed by the comedians' ability to penetrate APEC's restricted zone - rather, he was pleased the "multi-layered" security had worked.

He said the prank was inappropriate and he "did not see the funny side at all".

The Chaser's production team had been specifically warned by police to behave responsibly during the APEC security lockdown, he said.

"[Police] said 'we understand that parody and satire are entertaining and fun, many people watch the program and enjoy it, but please understand the seriousness of this matter and please take caution as you go about making your program.'

"That seems to have been thrown out the window and that, I think, is inappropriate."

What's inappropriate is that Campbell hasn't been laughed out of town. Humourless, pretentious gits like him have no clue and should have no place in positions of power. Alas, the way of the world is that those who shouldn't have power so often do. The skills needed to become powerful so rarely include the skills needed to govern wisely.

The reality is that tricksters like The Chaser don't just make us laugh. Satire and parody are not just fun entertainments; they have a vital role in society. It has been said that medieval Fools, alone in the court, were permitted to make fun of the king and thus keep him from becoming too egotistical. (I doubt this was true in general, but it makes a nice story.) By puncturing the undeserved egos of the incompetent, tricksters help reduce the harm they can do. Far from being irresponsible, puncturing the illusion of security theatre is a fine example of civic responsibility.

Campbell had two possible responses to The Chaser's actions: he could admit to being embarrassed by the security failure and promise to do better, or he could bluster and blame the messengers. He chose to bluster and blame the messengers, and for that he should be out of government so fast it leaves his head spinning.

Unfortunately, for all of Australia's reputation as a nation of larrikins with a healthy disrespect for authority, we're becoming a nation of sheep who only do as we're told. (But that's a topic for another day.) Australians seem to have taken The Chaser team to heart, but not enough for them to demand real changes to the political system which allows the government to engage in this expensive security opera with no genuine benefit. While I would like to think that next time NSW voters go to the polls they will remember this and vote accordingly, the cynic in me expects that by this time next week it will all be forgotten.

This prank has punctured another myth. By showing just how easy it is for anyone to get through the loudest security money can buy, it puts a whole different perspective on terrorism. It doesn't take a devious master criminal to get through security. So where are all the terrorist attacks? If Chas Licciardello can get so close to the President of the USA, why hasn't a real terrorist managed it?

It isn't because the terrorists are afraid of our security, or because they're less competent than The Chaser. It's because they're few and far between. Despite the constant cries that the sky is falling, terrorists are thin on the ground. Unless you live in one of a few high-risk places, terrorism is a rare risk. The dangers of over-reaction are far greater than the danger we're trying to protect from.

The Chaser's press release can be read here; over here we have a long thread of comments where one angry right-winger (claims to be an ex-soldier; reads more like a scared little boy) gets angry at The Chaser for exposing the Emperor's New Clothes and says they should have been shot to punish them for discovering just how lousy the security really was. Oh my.

Thanks to Hasimir, who first brought The Chaser's cunning stunt to my attention (via Mrs Impala).

Wednesday, July 18, 2007

Salad dressing at the airport

This is comedy gold: guy has a bottle of salad dressing confiscated at the airport, and he calmly retrieves it from the trash and carries it onto the plane:

Now, keep in mind this was a trash barrel full of highly dangerous liquids and gels! More than three ounces of this stuff could take down an entire plane, and I was standing next to gallons of it!

Questions about the deadly liquids flooded my mind: why would these be dropped into an ordinary trash barrel, and not a special explosion-proof containment unit? Why would they combine the hazardous liquids so carelessly? Most importantly, why would they leave a barrel of liquid dynamite right next to innocent American air travelers?

Thursday, July 12, 2007

Security in the Green Zone

Professor Juan Cole reports on the terrible security situation of the American Green Zone in Baghdad:

The Green Zone was originally supposed to be the safe place in Iraq, with the area outside it (everything else) called the "Red Zone." The US Embassy in Baghdad appears to have forgotten what the phrase "Green Zone" means, since a spokesman there told the LAT, "There's fire into the Green Zone virtually every day, so I can't draw any conclusions about the security situation based on that . . ."

Let me draw the conclusion. If you've got fire into the friggin' Green Zone every day, then we can draw the conclusion that the security situation in Baghdad sucks big time. When you've got people killed and a large number of people wounded in the one place in Iraq that was supposed to have a "permissive" security environment, then security in general is the pits.

(Emphasis in original.)

Mortar fire into the Green Zone is bad enough, but even worse is the fact that the Iraqi Police Colonel Mahmoud Muhyi Hussein, director of security in the Green Zone, was kidnapped. That requires significant insider knowledge.

Sunday, April 01, 2007

Security and privacy

Security and privacy are often seen to be in opposition: we're often asked to give up some of our privacy for safety. By letting the trusted good guys watch everything we do, presumably the bad guys won't have a chance to do anything bad.

The Royal Academy of Engineering has just released a report disagreeing with that view. They claim that it is possible to design systems that increase security without eroding privacy.

For many electronic transactions, a name or identity is not needed; just assurance that we are old enough or that we have the money to pay. In short, authorisation, not identification should be all that is required. Services for travel and shopping can be designed to maintain privacy by allowing people to buy goods and use public transport anonymously.

The Register has more, and the full report is here [PDF file].

Monday, March 26, 2007

Security. Yeah right.

From time to time, I'm forced by the cruel Fates to do Internet banking with the NAB (formerly National Australia Bank). When I log in, their website pops up a window complaining that the browser I'm using (Firefox) isn't supported, and I should use one of their supported browsers, Internet Explorer, Firefox(!) or Netscape Navigator.

(Who still uses Netscape Navigator???)

Mac users will be rightfully annoyed that Safari doesn't get a look-in, and Opera users will likewise be feeling left out in the cold.

Unlike some banks which will remain nameless (you know who you are!), at least the NAB gives you the option to ignore their oh-so-helpful suggestion to use IE or the browser you're already using, and their Internet banking works quite well under Firefox on Linux.

If I tick the "Don't bother me with this again" checkbox, I get a day or three of peace until the next minor update to their website, then I start getting those spurious unsupported browser warnings again.

The NAB has recently gone on a security splurge, telling all and sundry how concerned they are with computer security. Then why are they still supporting Internet Explorer, the number one security hole on the Internet bar none? For a couple of dollars a customer, they could send everyone a CD with Firefox on it. Instead, they muck about with half-hearted security fixes like SMS alerts, which will work really well until some phisher simply does a man-in-the-middle attack. It's a band-aid, not a fix.

Here's a simplified way it might work: you start up your security hole browser and go to the NAB website. Unknown to you, Windows' DNS lookup has been compromised, so when you go to www.nab.com.au, you're actually going to a look-alike site in Bulgaria or North Korea. Everything you type into the phishers' site gets passed on to the real NAB site, except that when you transfer $50 to your Aunt Tilly's bank account for looking after your kitten for the week, the phishing site modifies the data to transfer $5000 into their account, then passes it on to the NAB. The NAB sends you an SMS code, and you dutifully enter it into the phishing site, which sends it on, all nice and clean.

Apart from a small delay, well within the expected variation of Internet speed, you won't notice a thing until you go to transfer some more money tomorrow and discover you're $5000 short.

(This man-in-the-middle attack isn't unique to Windows. It could happen with any operating system that is compromised. But Windows and IE leave so many more opportunities for compromise.)
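The relay described above works because the SMS code is not tied to the payee or the amount. The sketch below is an added example, not code from this post or from any bank; the `Bank` class, the `bound_code` helper and the account labels are hypothetical. It contrasts a bare code with one the bank derives from, and texts alongside, the transfer details it actually received.

```python
import hashlib
import hmac
import secrets

BANK_KEY = secrets.token_bytes(32)  # constructed per-run secret, held only by the bank


def bound_code(payee: str, cents: int, nonce: str) -> str:
    """6-digit code derived from the exact transfer the bank received."""
    msg = f"{nonce}|{payee}|{cents}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    def __init__(self, bind_to_transfer: bool):
        self.bind = bind_to_transfer
        self.pending = None
        self.executed = []

    def request_transfer(self, payee: str, cents: int) -> str:
        """Record a pending transfer and return the SMS text sent to the phone."""
        nonce = secrets.token_hex(8)
        if self.bind:
            code = bound_code(payee, cents, nonce)
            sms = f"Pay {cents / 100:.2f} to {payee}. Code {code}"
        else:
            code = f"{secrets.randbelow(1_000_000):06d}"
            sms = f"Your code is {code}"
        self.pending = (payee, cents, nonce, code)
        return sms

    def confirm(self, code: str) -> bool:
        if self.pending is None:
            return False
        payee, cents, nonce, expected = self.pending
        if self.bind:
            # Recompute over the transfer about to be executed, so a code
            # issued for one transfer cannot confirm a different one.
            expected = bound_code(payee, cents, nonce)
        self.pending = None  # one attempt per pending transfer
        if not hmac.compare_digest(code, expected):
            return False
        self.executed.append((payee, cents))
        return True


def customer_reads_sms(sms: str, payee: str, cents: int):
    """Return the code the customer types, or None if they refuse."""
    code = sms.rsplit(" ", 1)[-1]
    if sms.startswith("Pay "):
        # The SMS arrives out of band, so it shows what the bank really received.
        if sms != f"Pay {cents / 100:.2f} to {payee}. Code {code}":
            return None
    return code


def simulate(bind_to_transfer: bool, tampered: bool):
    """Run one transfer through an in-path relay; return what the bank executed."""
    bank = Bank(bind_to_transfer)
    intended = ("AUNT-TILLY", 5_000)  # $50.00, as in the post (constructed label)
    sent = ("OTHER-ACCOUNT", 500_000) if tampered else intended  # $5000.00
    sms = bank.request_transfer(*sent)         # relay forwards the altered request
    code = customer_reads_sms(sms, *intended)  # SMS reaches the phone directly
    if code is not None:
        bank.confirm(code)                     # relay forwards whatever was typed
    return bank.executed
```

The bound variant only helps if the customer actually reads the payee and amount in the SMS before typing the code, and if the phone is not compromised along with the browser.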

It's easy for a bank to say that it takes security seriously. But that doesn't mean it is prepared to actually take steps to make on-line banking really secure. So long as the browser and operating system are so easy to compromise, phishers will always be ahead of the game.

Thursday, February 22, 2007

Testing Star Wars

It's times like this that I actually have to force myself to look in a dictionary to reassure myself that "Conservative" isn't a synonym for "idiot".

Taylor Dinerman, writing for Pajamas Media, has an exclusive story of President Bush's alleged plans to build an orbital battle station, and the dastardly, treasonous plans of the Democrats to ... test the missile defence technology before deployment.

Shock horror gasp!!!

Democratic leaders are poised to gut America’s missile defense - at the same time North Korea and Iran are testing long-range missiles that can strike the U.S. and its allies, including Israel, Japan and Britain.

[Emphasis in original.]

Yes folks, you saw it here. The party of "fiscal restraint" (ha ha!), the Republicans, intend to spend possibly hundreds of billions of dollars deploying military technology that has never been tested, and Dinerman considers this not only a reasonable thing to do but a good thing.

Certainly testing sounds reasonable. Why not make sure the stuff works before blowing billions on it? But the testing fixation ignores that, like software, most successful weapons systems are best debugged after being deployed.

As anyone in software development will tell you, that is completely false.

Of course, some companies have made money by skimping on testing and using their customers as inadvertent guinea pigs and testers. Buggy releases of software are very common. But while the worst culprits may be guilty of inadequate, half-hearted testing, even they don't release software with no testing. "It compiles? Quick, ship it!" is just a joke; it doesn't really happen.

One can often get away with inadequate testing in software. The consequences of your word processor crashing or your Internet browser using the wrong size for text are not particularly dire. But when your untested missile defence system shoots down a passenger plane over Texas instead of a nuclear missile heading for New York, people tend to complain.

Dinerman misrepresents the historical situation, claiming that Britain's 1940s air defences had never been tested. Of course, they had never been tested in combat until the first time they saw combat, but to say they had not been tested is ludicrous. Does Dinerman really think that the British anti-aircraft guns had never been test fired to see if they would hit what they were aimed at? Dinerman is completely wrong: the British air defences had a long and rigorous testing program, not only leading up to the war but through the war. See, for instance, the book Sigh for a Merlin which describes the career of test-pilot Alex Henshaw:

Thousands of Spitfires were tested and manufactured at this site throughout the war, by the end of which 37,000 test flights had been made...

or the BBC's "People's Museum":

We all know the story of the dashing fighter pilots but we rarely hear about the test pilots. Testing a newly designed plane was a highly dangerous task and a huge responsibility, and it was thanks to these men that the Spitfire became the plane it was.

Dinerman's understanding of the purpose of testing has cause and effect completely backwards:

Yet test failures are a normal part of the development process of any weapon system. Consider the M-1 tank. Its early tests were riddled with failures, yet now it is one of the most effective tanks in the world.

Rather than the M-1 being so effective despite the test failures, it is effective because of the test failures. All the major bugs were ironed out before combat. Imagine if Dinerman got his way: the first time bugs in the M-1 were discovered would have been when they were under attack. Trust me, the last thing you want to discover in full combat is unexpected bugs.

I could spend another few thousand words going through Dinerman's article, point by point, but of more interest are the comments -- by my estimate, something like fifteen times as many words written by readers as in the article itself.

What strikes me as significant about the comments is the amount of fear and hate (not to mention a lot of wishful thinking and ignorance) they display. Just a few examples:

"IN CASE YOU DID NOT NOTICE, SEVERAL COUNTRIES ARE IN A RACE TO OBLITERATE OUR COUNTRY! THEY COULD CARE LESS IF YOU ARE A NICE PERSON. THEY WANT TO KILL ALL OF US! IF RUSSIA OR IRAN COULD THEY INVADE US IN A SECOND."
[Ed: They're in a race? Like, "First one to destroy the Damn Yankees wins a medal"?]

"If a city goes up in a nuclear cloud, I sure hope it's a 'blue' one."

"Yes, I'm Christian, and I think war is good. Watch yourselves, you better believe I'm counting the 'aye' votes in the rush to Armageddon."

"Peace is not the absence of hostility but is what is achieved through complete and absolute victory."
[Ed: The USA and the UK (or Canada if you prefer) are at peace, and have been for almost 200 years. There was no "complete and absolute victory" the last time they were at war, the War of 1812. [1]]

"The future election map resulting from their [the Democrats] folly will eventually look like this: No blue states. Six red states. Forty-four blackened and smoldering states."

My nomination for "Spoke Too Soon Award" of the year goes to Ralph Drury, for his comment written on December 1 2006:

... nobody but the good ol' US of A has the technology to have even the remotest chance of hitting any orbiting body. China today would have a difficult time even hitting Los Angeles, let alone a moving target 1,000,000's of times smaller and a lot further away.

On January 11 2007, China made a successful test of an anti-satellite missile by destroying one of their aging satellites in orbit.

Thanks to Mokka mit Schlag.




[1] (And the White House burned burned burned...)

Friday, February 16, 2007

Windows Vista, DRM and security

Some interesting (as in the Chinese curse) things happening with Windows Vista and DRM:

Bruce Schneier writes:

Windows Vista includes an array of "features" that you don't want. These features will make your computer less reliable and less secure. They'll make your computer less stable and run slower. They will cause technical support problems. They may even require you to upgrade some of your peripheral hardware and existing software. And these features won't do anything useful. In fact, they're working against you. They're digital rights management (DRM) features built into Vista at the behest of the entertainment industry.

[...]

It's all complete nonsense. Microsoft could have easily told the entertainment industry that it was not going to deliberately cripple its operating system, take it or leave it. With 95% of the operating system market, where else would Hollywood go? Sure, Big Media has been pushing DRM, but recently some -- Sony after their 2005 debacle and now EMI Group -- are having second thoughts.

It seems also that Microsoft's commitment to increased security isn't necessarily a commitment as such... after Joanna Rutkowska found a serious security hole in Vista, one senior engineer and Microsoft Technical Fellow suggested that:

...potential avenues of attack, regardless of ease or scope, are not security bugs.

Well, I suppose if you define away security bugs by fiat, Microsoft will be able to say they have got rid of all security bugs in Vista.

At this point it is worth bringing up Peter Gutmann's cost analysis of Windows Vista content protection:

Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista [...]

In order for content to be displayed to users, it has to be copied numerous times. For example if you're reading this document on the web then it's been copied from the web server's disk drive to server memory, copied to the server's network buffers, copied across the Internet, copied to your PC's network buffers, copied into main memory, copied to your browser's disk cache, copied to the browser's rendering engine, copied to the render/screen cache, and finally copied to your screen. If you've printed it out to read, several further rounds of copying have occurred. Windows Vista's content protection (and DRM in general) assume that all of this copying can occur without any copying actually occurring, since the whole intent of DRM is to prevent copying. If you're not versed in DRM doublethink this concept gets quite tricky to explain [...]

It's a fantastic document, long but not too technical.