Global POV: At the Intersection of Technology and Culture

Gagged by a lawyer

by David Holtzman

A Caymans Islands financial institution, the Julius Baer bank, has taken some Scientology-like steps to have controversial content taken down from the Net. Wikileaks.org, a whistle-blowing web site published a secret internal bank document which purportedly details how the bank helps their customers hide assets and launder cash.

The bank got Dynadot, the California-based hosting company for Wikileaks, to not only take down the site, but also to "lock" the domain name, keeping Wikileaks from moving the site elsewhere. They then got a Northern California judge to sign off on the agreement between the bank and the hosting company. All of this was done ex parte, without giving Wikileaks a chance to respond. Their site is still down.

I have always been worried about this kind of thing, specifically the usage of domain names as a club to batter small and relatively powerless organizations into submission. Shame on Dynadot (is that a real name?). The ICANN-accredited domain name registrar rolled over far too easily.

I understand why someone who didn't like something that someone said on a website would want it taken down. But shoving a lawyer down someone's throat is an elitist way to gag someone. When the Internet was decentralized, this kind of stunt would have been almost impossible. I blame ICANN for not stomping the registrar.

Posted on February 19, 2008

Fragging a satellite

by David Holtzman

The United States Navy is going to attempt to shoot down a falling spy satellite. The government announced several weeks ago that a recently launched NRO (National Reconnaissance Office) satellite had failed and communication had been cut off before it could be told to dump its half-ton load of hydrazine fuel. Even though the NSC originally pooh-poohed any danger caused by the falling bird, President Bush announced yesterday that an Aegis Cruiser will launch a non-explosive anti-ballistic missile to try and disintegrate the space craft.

The Internet is buzzing with conspiratorial rumors on the US action. The actual danger from the falling parts seem negligible as 90% of the ground trace is over open water. Many people believe that the US is secretly testing an ABM system or even worse a seaborne satellite-killer. The satellite is apparently an Imaging Radar craft. Aviation Week says that it is no bigger than 15' x 8', much of which is probably a fragile, easily burned-up fold-out radar dish. Of course, there could be another payload on the satellite that would cause an international incident if discovered.

Based on my admittedly 20 year-old experience, I suspect that they just don't want the little pieces to fall over Russia or China, just in case a studyable chunk survives. Plus, the military likes to test stuff and this is a golden opportunity to attempt to shoot a falling object from a Cruiser. (anti-meteors?) Either way, I hope they make the video public; it should be quite a fireworks show.

Posted on February 15, 2008

cryptofascists

by David Holtzman

A federal judge in Vermont has ruled against the government in a child porn case that hinges on forcing a defendant to divulge his PGP password phrase. While one ruling does not make a precedent, this case will be referenced in the future, I suspect.

What's at stake here is bigger than it may appear. The future of digital identity, content and privacy may very well hinge on the outcome of this controversy. Since government cannot effectively shield our personal information or protect our intellectual property, we must protect ourselves, ourselves, whether we are individuals or corporations. To do this, we need encryption. Crypto tools are only as useful as our ability to keep others out. IMHO, the 5th Amendment gives us the right to protect ourselves from self-incrimination and in the digital world--that means crypto.

Posted on December 17, 2007

I'm turned in by Japanese--oh

by David Holtzman

Starting today, Japan will be photographing and fingerprinting all foreigners that enter the country. Their ostensible reason is that they are afraid of terrorism and want to compare the photographs and fingerprints to international databases.

Unfortunately they refuse to specify how long they will keep the information, meaning they will store it indefinitely.

It's going to be very difficult for anyone in the world to have privacy if countries keep doing these kind of things. If every country does this, than any well-traveled individual has too many copies of their fingerprints floating around.

Why is this a problem? Because fingerprints are often used for identification in biometric systems. Easy access to someone's fingerprints is a great way to steal someone's identity. If Japan only checked the prints and erased them after the visitor left the country, it would be less of an issue.

Of course it's hypocritical for an American to complain about this seeing as how all non-Canadian and Mexican visitors have been experiencing the same treatment for the last few years.

This is why the US needs to be careful with which way it decides to go on controversial security/privacy issues. Even if the measure seems to be reasonable from an US safety perspective, it invites other countries to do the same thing to Americans traveling abroad.

And the same argument applies to torture.

Posted on November 19, 2007

Spearphishing in the treacherous waters of the Internet

by David Holtzman

A Mr. Drew Biondi had an unfortunate problem recently with his Yahoo email account. Someone broke into his account and generated a mass email to all 600 of his contacts in his account. The Email was a variation of the infamous "NIgerian" spam scam where some quasi-officious Nigerian (usually a government minister) hits people up for money, sometimes as a prelude to collecting a large fortune. The latter is a variant of the 150 year old "Spanish Prisoner" scam.

Spearphishing is a personalized variant of phishing, in which an email appears to come from someone known to the recipient.

I expect to see the next big wave of phishing based on this technique. Enough personal information on all of us has been accumulated by now and correlated to email address to generate this kind of wave of personal attacks. I suspect that many people are going to be taken in when companies like Plaxo and Myspace get hacked or turn rogue and social networking info is all turned against us.

Posted on November 11, 2007

The temperature of Hong Kong

by David Holtzman

I'm traveling this week in Hong Kong and I as I was walking through the airport, a guard asked me to take off my hat. I asked why and she said that it was because they had automatic temperature scanners. They were remotely scanning for fevers for SARs.

I"m not sure how I feel about this. Technology is wonderful, I think. What if I had a fever, though?

Posted on October 26, 2007

Right hotel, wrong network

by David Holtzman

Staying at a hotel in Vancouver this week, I had an unusual and disquieting experience. I took out my laptop and looked for Wi-Fi networks and found a ton; several of which could have been from the hotel. I called the desk and confirmed which one was correct. Surprisingly enough, when I picked it and launched a new browser, I got two of them. One was 5 bucks more expensive and they were different 3rd party companies. One had a bill-to-room option and one just wanted a credit card. Curious now, I took some time and talked to hotel staff until I found one who knew what a computer was.

The story was that a fly-by-night company had set up a system in an office across the street from the hotel and was using the hotel's ssid to harvest credit cards. The hotel didn't know how to stop it, so they tolerated it.

Okay, stupid on the hotel's part, but this does bring up a bigger issue about identity. There's no real way of validating ssids or any of the other hundreds of text string-based identity schemes in use across the Internet.

We need a globally interoperable Identity scheme (perhaps OpenID) and somehow need to strike the balance of certain authentication vs. potential government abuse. I'm interested in suggestions.

Posted on October 22, 2007

A bad day in Black Rock

by David Holtzman

Congress has just approved a new Intelligence bill authorizing full immunity for the phone companies for spying on Americans.

Posted on October 18, 2007

Toy-Air

by David Holtzman

The TSA has decided to pay extra security to remote control toys at airports. This came about partially because there has been a growing wealth of anecdotal evidence implicating remote controls in car bombs and other nefarious terrorist plots.

TSA has decided not to ban these toys and their remotes, but will be paying extra attention to them. This will bring about what I am going to coin a term for: DASSLE: Delay & Hassle. And who wants that? They claim that they will be ignoring TV remote controls and garage door openers, but really, how can they differentiate between them?

I can't blame TSA for this. It's a reasonable precaution, but there are many reasonable precautions. There are too many normal household things that can be used for terrorist acts by well, terrorists.

The ultimate solution is to force us all to strip and change into coveralls, locking our goods and clothes into bomb-proof storage containers that fly in the hold. Unpleasant and we'll all look like we're in Conair, but that may ultimately prove to be what it takes to make us truly safe (other than from lost bags, delayed flights, no food and appallingly rude customer service).

Posted on October 02, 2007

Clowning around in airports

by David Holtzman

TSA's Bibliophiles

Wired reports that airport screeners want to know what you're reading. Privacy advocates obtained database records showing that the U.S. government routinely records the race of people pulled over for extra screening along with offhanded answers to routinely asked questions about the purpose of a trip. The Identity Project, which published a report about its investigation into the Homeland Security's data vacuum called the government's border screening program a "surveillance dragnet". The government stores passenger name records (PNR) for years and PNR's typically contain destinations, e-mail contact information, special meal requests, payment information and frequent flyer miles.The Identity Project is funded by the Electronic Frontier Foundation's John Gilmore. A Privacy Act request filed by the Project asked for data stored for five individuals. Among them Gilmore who's reading material "Drugs and Your Rights" was including in a report. It also noted that he had small flashlights with marijuana leaves on the side.

The TSA becomes more surreal and airports become more circus-like as they continue to encroach on the private lives of Americans to protect our national security. When airport guards feel that it is their job to read and report on the choice of reading material of Americans, it's time for us all to be quiet and watch their antics--send in the clowns.

Posted on September 21, 2007

Auctioning off security

by David Holtzman

A Swiss start-up company, WabiSabiLabi, is providing a high-end luxury product for today's information consumptive society--security. Their wares are software vulnerabilities. They provide an auction service connecting up those who discover these flaws (typically researchers) and those who may wish to buy them (usually the affected companies).

Sure this sounds outrageous, but it's actually quite common for researchers to sell the results of their findings to companies, helping them close their products' holes. This approach is designed to create an efficient marketplace, valuing the data close to what the market will actually bear.

The take home point here is that in the future, everything that can be learned will be for sale. Every piece of data has its price and perhaps the biggest use of the Internet over the long haul is to be the efficient market machine, valuing every point of electronic information, no matter how esoteric.

Posted on July 17, 2007

Bordering on insanity

by David Holtzman

The US has slipped its new passport rules by another six months, specifically in the case of Americans traveling across the Canadian, Mexican or Caribbean borders by land or by sea. Americans will only have to show id cards instead of passport until probably next summer. The reason for this latest slip in border crossing rules stems from the US government's inability to keep up with the backlogged applications (currently 3 million).

I understand the desire to secure the border and stop known terrorists from getting in to the US and I'm not thrilled with an open Mexican border for immigration reasons..but the US Canadian border should be as permeable as humanly possible. It is in the best interests of both countries to make it trivial to cross back and forth. There are many border cities on both sides where residents of both countries pass over throughout the day. I live in both countries and I'm bothered by the growing problems created by needless and meaningless security measures in both countries.

How come we can't have open borders with Canada (including trade) the way that the Europeans have with the EU?

Posted on June 21, 2007

The terrorism schism--whoring technology

by David Holtzman

Google Earth is the newest security scapegoat in the ongoing war against terrorism. The aborted plot to blow up JFK airport announced last week by the FBI contained the interesting informational nugget that the bad guys were using Google Earth to plan their plot. Several articles have appeared in the press since then suggesting that the Google Earth views should be banned as a security precaution.

The CNET editorial listed above rightly points out the silliness of this kind of Luddite censorship and suggest (tongue-in-cheek) that cell phones should be banned because 9/11 terrorists used them.

Technology is agnostic. No matter how much we might wish that some high-tech capability only worked for "good guys", it is a useless yearning...technology is apolitical, amoral and vaguely whorish--providing services, not just to the highest bidder, but to any sailor with the price, new in town or not.

Tech is about more than buying a phone or logging into a satellite viewing program, it is about a lifestyle. The people who best understand and subsequently exploit technology are the ones who grew up on it, viscerally understand it and crave it--Western running dog capitalists. A kid growing up in a primitive society with restrictive, even brutal customs, a lack of tolerance and respect for the majority of the human race, suppression of the rights of women and a fanatical sense of narcissistic self-righteousness can never truly compete in a war of technology with our open-minded, video game playing consumerist children.

The war of technology will always be won by the true believers-- in technology.

Posted on June 05, 2007

The invisible terrorist

by David Holtzman

I and others have been saying this for awhile--terrorists are increasingly difficult, if not impossible to profile. An article in today's Washington Post details why and gives several examples of non-stereotypical Muslim terrorists. More and more of them are Christian, blue-eyed and don't wear veils. The Post interviews sseveral European police officials who flat out say that profiling is no longer good enough to catch terrorists.

Yet, the United States is sinking big, big money into profiling systems like the old TIA and TANGRAM and numerous other data fusion/profiling systems. Why?

There is only reason -- America believes that it's right and everyone else is wrong and that this country can make workable profilng systems.

The only kind of profiling system that is likely to work consistently is not one that evaluates immutable attributes like race and religion and birth place, because these can all be worked around by recruiting outside the normal ranks. The kind that will work is the kind that looks at "psychographics", not "demographics." What they need to profile is ideology, not background. And to this, the government will need orders of magnitude more personal information than they do for traditional profiling systems. They will need to know what everyone buys, eats and where they go. The ultimate goal is to understand what we are all thinking. And I do mean everyone, because in this new world, all of us, Muslim or not, born in the Mideast or right here in the USA--all of us are suspected terrorists. Unfortunately for us it will be easier to get that kind of data on citizens than visitors.

To accomplish this goal, the United States government will need an unprecedented amount of visibility into the everyday lives, habits and opinions of every single American.

Posted on March 12, 2007

Patently wrong---hunting down critics

by David Holtzman

A new corporate trick threatens legal action for patent violations against a security researcher attempting to demonstrate how insecure RFID chips really are.

These chips are starting to pop up everywhere from toll road payment devices to building access cards and by the end of next year, in all American passports. Eventually they will replace bar codes and become the major source of inventory control for retail.

I've seen (or at least read about) several demonstrations where security researchers proved that these chips can be read at a greater distance than claimed by proponents and that they can be cloned or hacked. This becomes quite important, because once a billion of these little buggers become deployed in everything from blue jeans to I Dream of Jeannie tapes, it'll be too late to pull them back.

Wired reports that a prominent maker of RFID chips, HID Global, is taking the unusual step of issuing a cease-and-desist letter to a researcher named Chris Paget, who was preparing to demonstrate a method of cloning RFID building access cards at the Black Hat DC conference. Their grounds? They are claiming that cloning a card violates their patent.

I'd like to make the joke that this is patently absurd, but it's more serious than that. As author Jennifer Granick from Stanford rightly points out, this suggests a great way to stifle dissent against corporations---defensively patent the kinds of devices that can be used to monitor the problems with the primary technology.

Granick gives the farfetched example of tobacco companies patenting devices that measure the health effects of smoking. I think that that might be difficult because in the world of organic science and I suppose taxidermy, there's more than one way to skin a cat. But the effect on computer tech could be chilling, because there's usually only way to access digital devices because of protocol and specified interactive data exchange (handshaking).

It would be quite feasible for tech companies to use this technique to not only suppress competition, but also criticism, and that is clearly not what patents were intended to be used for.

As I've written before and probably will again, intellectual property law has gotten out of control in this country. What else can you expect when you have a large group of educated, litigious and detail-oriented fussbudgets getting to write all of the rules? IP lawyers. It's like playing chess with people who get to redefine how a knight moves throughout the game, optimizing on whatever is most convenient to them.

Congress should be protecting us from this. Why aren't they, I wonder? Don't we pay them enough?

Posted on February 28, 2007

Cracked and blue

by David Holtzman

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

The seemingly endless waiting period is over. The much-vaunted AACS scheme of copy protection used by both Blu-Ray and HD-DVDs has finally been cracked a couple of weeks ago by a hacker named arnezami; the result is the string of hexadecimal characters at the top of this post. These high density DVD formats are so new even I don't have one yet and I'm a sucker for new, untested and sometimes dangerous technologies.

There was a lesser crack a couple of months ago that broke a couple of dozen DVDs, but the importance of this one is that it has compromised the whole system because what it reveals is the master processing key for the encryption...that plus the volume ID specific to each disk breaks the AACS protection. This crack enables one to read all of the disks.

Blu-Ray has other untested, probably equally vulnerable protection schemes, of course. There are things that the industry can do to recover from this, but they're not pleasant ones. They can change the key of course, but that will make all existing players unable to play new movies (see, you knew being an early adopter was dangerous). They can, and undoubtedly will, change the scheme used to generate the volume IDs

I have often written about the dim future prospects of DRM. My belief is that the focus in the digital world should be on attribution not retribution. It's a far bigger crime to plagiarize than it is to steal. The proliferation of shared movies (and music) does not necessarily hurt the studios because the kid willing to watch a movie in a 6 inch window on his PC was not likely to watch the movie anyway.

Even the PT Barnum of his generation, Steve Jobs, is shrewdly advocating that music companies stop using DRMs for onine music sales. I expect that this will happen, maybe this year, maybe next. Movies a year or two later.

The unfortunate part of this from a consumer viewpoint is that in an attempt to make up for perceived lost revenue, the studios will almost certainly get more aggressive with compulsory advertising on DVDs, which I hate already. If a couple million people download American Pie X and are force-fed commercials, why is that so financially bad?

Here's the irony--The studios are going to start looking a lot more like broadcast television, providing low-cost entertainment and making their money off of the ads. At the same time, conventional television is morphing in many strange ways, with cable companies like HBO leading the way with business models whereby they make all of their money on the back end of DVD sales.

Posted on February 14, 2007

Vampire spam

by David Holtzman

I think that we are in the calm before the spam storm. It could get a lot worse. Here's how:

Spam is mostly annoying right now because it is the McDonalds of the Internet, clogging the arteries and stopping the good stuff from getting through. Spam is annoying although it can be a little dangerous when it carries a viral payload.

Now imagine that a spambot can harvest your contact list that many of you (not me) give freely to sites like Plaxo or Linkedin. Perhaps it also sucks down some email headers seeing who you talk to. The bot now has an idea of who emails you frequently enough to be of interest along with your inner circle of friends, acquaintances and drug dealers. Now this is a bigger leap, but if the bot can guess who you are in the real world (thanks sig files), it can correlate your online identity (email address) to your relationship web of friends and acquaintances and tie the whole mess to your real world identity. Once that happens, it's trivial to enhance the report by using Google and other pay sites and if cheap enough, add credit bureau, telephone information and DMV (motor vehicle bureau) records including pictures to the rapidly increasing dossier.

You might be thinking that this is paranoid--why would anyone spend the money to come after little old me? The answer is that it's not that much money; the beauty of automated bots is that they're free; more or less; you fire 'em and forget 'em. The computational cost is transferred to some poor yutz's PC that has been zombified by a previous viral spam. If you take over enough computers by rapid proliferation of a virus, you could build dossiers like this on pretty much everyone in the country in a couple of weeks. Of course it would take a huge pervasive security breach to infect a lot of computers at once. Vista upgrades anyone?

So what do we end up with? Absolutely personal spam. Spam sent from our friends and relatives. Maybe from our family and with subject lines and text that appear eerily personal. How do they do the last thing? Easy--you figure out the key words in a body of selected text like your scarfed up emails and pull out the significant nouns and verbs, drop them into a sentence generator and there you go.

Now how the hell do you stop that kind of spam? It's no longer zombies, now the spam is going to come back at us looking like its someone we know. It's vampire spam. And you know what? It will suck.

Posted on February 08, 2007

It's alive! Security and Turing Tests.

by David Holtzman

One of the more interesting issues that have surfacing out of the murky security waters of the Internet is the newly-found relevance of what computer scientists call the Turing Test. This thought experiment, conceived of by noted British mathematician Alan Turing, seeks to determine the moment of sentience of an artificial being. It goes like this: you're in a room communicating by teletype (put new communications technology here). You have a lively conversation with someone somewhere else, using the equipment. At the end of a set period of time you can't tell whether they're a human being or an automaton. They've passed the Turing Test.

As far as I know, nothing has yet passed this quiz. A well-known 40-year old program called Eliza and its desendants often fool people for a few seconds. The Turing test that we might run into the most frequently is the "Completely Automated Public Turing test to tell Computers and Humans Apart" or CAPTCHA. This is the word in a picture that you have to type in to get access to some sites. The belief is that software cannot spot the word in the picture (not completely true) and therefore the reader is human. In fact, spammers are beating this system through the use of cheap or free human labor, coopting others to look at the picture and type the word. I think using the human being as a visual sensor does not break the spirit of the Turing.

I think that Turing tests are going to be big business and so intrinsic to our daily online life that we will shortly become very tired of them. Ultimately they are the only protection against spam. One way to look at the spam/counter-spam wars is that spambots and their enemies are quickly evolving as AI programs. They are getting quite adept at doing their job and may some day be viewed as alive in some sense, since they seem to have the main attributes; they reproduce and they protect themselves.

I believe that the very near future will see a war of semi-intelligent probes and hacking tools, spambots and viruses aht will attempt to punch through the hard shell of our personal computers and suck out our soft data goodness within. This battle moves too fast for humans to get involved. As anyone who runs a blog knows, spam has even worked its way down to blog comments and even spurious log entries.

It's a good time to be studying artificial intelligence. Once a discredited study, I expect it to get much bigger and more interesting as a spam fighting tool.

Posted on February 05, 2007

Sony's mind trick

by David Holtzman

Sony reached an agreement with the FTC over their infamous "rootkit" incident last year. Sony had installed a intrusive (and badly written) rootkit on some of their audio CDs, in such a way that when the consumer had bought the music and played it on their PC, the rootkit was surreptitiously installed on their hard drive. Once there, it would do things like stop the music from being copied onto MP3 players, monitor how the tunes were used and occasionally phone home to Sony and tell them what else you have on your computer. (A rootkit is a program that installs itself on your computer and then twiddles the operating system to hide it's presence--sort of like Obi Wan Kenobi using the Jedi mind trick on Imperial Stormtroopers "These aren't the droids you're looking for.")

The settlement worked out to $150 per user to repair damage to their computer. I haven't seen the details yet, but I imagine that the submitting user will have to show that there was in fact, repairable damage to their machine plus proof of purchase of the CD. In other words, although there were millions of CDs sold with the damaging software installed, it's unlikely that Sony will pay off on many of them. In fact, as per usual with this kind of settlement, the biggest beneficiaries will undoubtedly be the lawyers on both sides who probably high-fived each other in the hallways, congratulating each other on collecting another round of high-priced fees.

So, and this is a serious question--why isn't what Sony did an act of terrorism? Wilful attacks on private property, spying on American citizens and potential disruption of computer networks sound like something that the Taliban might have tried.

Why aren't Sony executives being brought up on criminal charges? The recording motion picture industries have been getting away with a lot in this country in the last few decades. This is one of the most outrageous acts, but it's not an isolated incident. If Congress would get the entertainment industries tongues and wallets out of their pants, perhaps they would protect us from these predatory actions on the part of companies like Sony.

I believe that there are worse things going on out there in cyberspace created and released by the Mad Doctors of Hollywood. Viruses and spambots, zombie nets and trojan horse files floating around the Internet plaguing our personal computers may in some part, someday, be traced back to these clowns at companies like Sony.

Posted on February 01, 2007

When intelligence agencies go bad

by David Holtzman

There are several court cases pending involving the NSA's extraordinary wiretaping of Americans, but apparently the judges hearing the cases are getting fed up.

For a while now, the Bush administration has invoked extraordinary security measures to keep noncleared people away from the goodies. This includes judges, clerks and of course, opposing lawyers. Civil libertarians have long carped about this situation, complaining that it upsets the very nature of the adverserial American legal system. Some of them are getting close to issuing rulings to cut through the Gordian knot as happened during the Watergate era.

I have two worries; short and long term.

My short term worry is that if not stopped, the Bush/Cheney/Satan approach to government will have permanently upset the checks and balances of our system. It may take a long while to put it right again.

My long term worry is that when we do put it right, in true American fashion, we will overcompensate in the other direction and hamper our intelligence services to the point of futility. We need a robust intelligence function, but we also need one that is monitored--excesses in the heat of need must needs justified later to cooler third party heads.

I wonder if any of the current crop of candidates can effect this sense of balance?

Posted on January 26, 2007

Myspace, my kids, my God

by David Holtzman

Myspace is providing a way for parents to check up on what their kids are doing on the popular social networking site. The downloadable software codenamed "Zephyr" lets the adults see what name and age their child is using, while still preserving the privacy of email and profiles.

I understand why they're doing this...they're under attack by pretty much everyone. It's funny really, considering Myspace is owned by News corp, the media megalith owned by none other than Montgomery Burns Murdoch himself. The attacks couldn't happen to a nicer company.

However, blaming Myspace for problems with kids on the Internet is like blaming Hugh Hefner because kids read Playboy. How about the parents? What they need is a better way to do age verification and that's it. Let the poor guys alone, their 15 minutes of fame are ticking by and they should have a chance to make it or not on their own business sense instead of being brought down by the "whataboutthekids" legal jackals.

Posted on January 18, 2007

Loonie opportunity

by David Holtzman

Slashdot mentions a CIBC article that three US defense contracters traveling through Canada have discovered that they were carrying a bugged Canadian coin (a Loonie or one dollar piece). The coins had tiny RFID chips embedded inside them.

This is a little bizarre because RFID has limited range (2-30 feet depending on the antenna). You couldn't track someone across an airport, for instance. These coins would seem to serve one major purpose--fingering the person carrying them for a short period of time as a target. I say "short period of time" because the subject might very well spend the mony. Although as an American who travels extensively in Canada, I've found that most Americans psychologically don't think of coins when they buy things bigger than a pack of gum.

I don't know if the story's true or not, but it's certainly interesting. My suspicion is that it was done by an intelligence agency (probably Canadian) to mark a target for commercial intelligence collection. It's too complicated and sophisticated a ploy for an individual to do and too expensive for most PIs or law enforcement types to even contemplate.

It really makes you wonder about those new RFID-enabled US passports, though.

Posted on January 11, 2007

Zombies come out and play

by David Holtzman

The John Markoff of the New York Times has written an article warning of the danger of botnets or networks of slaved zombie computers. This has of course, been a problem for a long time, but it's never really a mainstream threat until it's been announced as such in the Times.

The problem comes from numerous viruses and malware that infect susceptible computer systems (read: Windows boxes) and leave a back door open for later usage. Markoff interviews a professor who claims that there are over 65 million infected computers. So you may be wondering why all the digital undead? They are roped together electronically to launch attacks against selected targets by their masters. Sometimes they're scanning for selected financial information (although I think that this threat is overplayed). More likely they're used to launch Denial of Service attacks. The concerted probing of millions of machines can knock any network off the air, commercial or government.

And that's the root of my concern. The existence of such a vast network of botnets is a national security threat of the highest order. Perhaps, even probably, some of these slaved boxes are controlled by groups that we would define as terrorists. They could use them to blackmail companies and perhaps already have, but more threateningly, could be used to shut down, say Wall Street...the Pentagon...perhaps the New York Times itself (again).

Why is our government allowing this threat to exist? A massively parallel cyber attack could easily cripple national infrastructure, possibly cost lives by jamming up the online abilities of hospitals and first responders and certainly cost billions of dollars. As we become more institutionally dependent on the Internet for our daily well-being, the potential harm resulting from its disruption escalates to an equivalent level of crisis as would be another attack on a US airplane, passenger train or cargo ship.

Posted on January 09, 2007

Meat our illegal friends

by David Holtzman

In an odd and vaguely disturbing twist on the growing national problem of Identity Theft, 1,000+ immigrations officials swarmed into packing plants owned by Swift and company and arrested a gaggle of illegal aliens. The weird twist to this story is that the charge was identity theft. It turned out that many of the illegal workers were using stolen Social Security numbers to get hired. Apparently the agents checked everyone at all of the plants, seperating the legals from the nons on the spot, effectively shutting the company down for the day, while their workers were culled and processed, although hopefully the metaphor ends there.

So my first thought when reading this story was why do I have take my shoes off at airports? If the government can't spot a huge amount of illegal aliens who have stolen identities so often that it's became an employment method for an entire industry for crissakes, then who cares what's in my shoes? Clearly it's not hard to get into the US across the borders. Clearly Social Security numbers are a horrible identification method. Clearly the Feds are clueless, even with the help of their trusty megamillion computer systems--this decade's sop to the defense contracting industry.

If we can't stop illegal aliens how can we hope to catch terrorists?

I live in Herndon, Virginia, an incorporated town near Dulles airport in the Washington, DC area. Up until a few years ago, the biggest controversies in this burb were whether to pay for a dog walking park and how to get the subway to stop out here. In the last few years it's become one of the hotspots in the illegal alien problem as the percentage of illegals in the town has risen dramatically in recent years to a double digit number. A controversy last year over a day laborer's site catapaulted the town to national prominence as the town divided into two camps fueled by outside wingnut agitators. Last spring, the mayor and town council of Herndon, reasonable people, were swept aside by rabid Know-Nothings who goose-stepped into office on the strength of a single issue--dealing with illegal immigrants living in the town.

Throughout this controversy, I bemusedly watched the furor and wondered not why or when, but how? How had 5-10,000 people crossed the Rio Grande and made their way across much of the United States and ended in the Northeast corner in Herndon, Virginia?

What does that say about our National Security?

Posted on December 13, 2006

Chertoff condemns the Web

by David Holtzman

Homeland Defense secretary Michael Chertoff lambasted the Web yesterday while giving a speech at the International Association of the Chiefs of Police.

He said that the Web could become a Terrorist training camp because the technology enables the individual to learn new skills without traveling to a camp. He also said that spies and satellites were going to be less useful in tracking these new online terrorists.

Well, duh.

Where has Chernoff been? The potential to use the web for nefarious purposes has always been there. All technology is agnostic; if it can be used for good, then it can be used for...less than good.

Certainly the government needs to develop abilities to monitor what's going on on the Net, but it won't help much. The nature of the Net unfortunately, makes it all too easy to facilitate groups of people talking and planning things in secret. That's actually one of its attractive qualities, IMHO.

Posted on October 17, 2006

No security

by David Holtzman

It's not hard to make a bomb. You can mix a couple of colorless liquids together or mold a grey pasty clay. You can hide it in a water bottle, or in a shoe or inside a teddy bear. It's not hard to make a bomb.

It's easy to kill a lot of people. You can make a good poison from castor beans or from common cleaners. You can scrape a sheep and create innocent-looking powders like anthrax. Poisons and diseases can be hiding in makeup, candy bars or as powder in an envelope. It's easy to kill a lot of people.

It's simple to make a weapon. All sorts of everyday things can be deadly if in the wrong hands and wielded maliciously. Boxcutters, pieces of broken glass, sharpenened belt buckles, knitting needles and pocket knives can all cut and unlike the song, the first cut isn't necessarily the deepest.

The news that the TSA is banning liquids and gels from airplanes is only surprising in that it has taken this long to enact. Our counterterrorism efforts have often been reactive, not anticipatory, and this prohibition on liquids is no exception to the rule.

Every normal item carried by an airline passenger could be hiding a deadly surprise. Bottles, shaving kits and shoes; chessboards, paperback books and ipods; even a ham sandwich could have a nasty surprise hidden in the Grey Poupon.

The only way to assure airline security is to ban almost all carry-on baggage, search everyone to the skin and exhaustively examine checked luggage. The best way to assure this would be to issue every passenger a disposable jumpsuit, force them to strip and shower and wear the special clothing at the gate. Even then, we'd have to be x-rayed and occasionally cavity searched (and not by dentists, either).

I'm not actually kidding about this. It would be a reasonable way to minimize risk, although of course, not foolproof.

At a minimum, I expect the liquid ban to become permanent and joined by a prohibition on electronic devices like phones, ipods and laptop computers.

There is no security in this world, but it's worth remembering that there never has been. We Westerners are now aware of this truth that people in the mideast have known for many years.

Posted on August 11, 2006

Taking a bite out of Apple

by David Holtzman

Computerworld reports from the Blackhat conference that a couple of researchers have successfully attacked a MacBook using a wi-fi hack. It's news because Apple has been smugly sniping at Microsoft Windows machines for being less than secure (true) and harder to use (truer) and no fun (truest).

This doesn't surprise me a bit. The underlying point is that No Computer System is Secure. This truism is often swept out with other dirt by the PR brooms, but is one of the underlying truths of the computer age. If there is a sufficient reason, any computer system will eventually go down to a concerted attack. In this case, the motivation was a presentation at an important peer conference. Imagine how much stronger it might have been if there had been a lot of money involved.

Part of the problem is that the lifecycle of computer systems is such that there is simply not enough time for systematic testing of every release, allowing bugs or at least opportunities to creep in.

Apple is no worse than anyone else, probably better. So far, they have been very good about patching security holes when they're pointed out. This is in sharp contrast to companies like Cisco, who sued Michael Lynn last year for demonstrating a significant flaw in Cisco routers, (Lynn was also investigated by the FBI).

Computer security is a function of time and money. The more money that's at stake, the less viable any particular security system will prove to be. The future of data security will not be fortress walls, but hidey holes. If you really want to protect important computer information, hide it.

Posted on August 03, 2006

Burgle the Boss

by David Holtzman

The FBI sensitive computer systems have been cracked. According to a Washington Post article, a contractor for BAE hacked a highly classified database in 2004. Four times. He got the passwords of 38,000 FBI employees using some shareware programs, which sound suspiciously like crack, a password-guessing program that's been used for at least 15 years.

Among the information contained in the database were details of counterespionage programs and get this--the Witness Protection Program.

What's wrong here? The FBI has undoubtedly spent hundreds of millions of dollars on their systems. Hell, I even worked on one once. Is it dumb computer programmers? Nope. Do they need more high tech systems to protect their computers? Nope. Do they need to understand Computer Security? Yep.

Stupid users are often blamed for security problems. "A junior technician made a mistake in the data center and exposed 14 million credit reports" or "one of our analysts took home a laptop with the personal information of every single American ever to serve in the military." We are then relieved to hear that the political appointee has fired the offending employee/contractor. That's a relief...for a second I thought that we had a security problem.

Fire the manager who let FBI agents use passwords that could be broken using crack, a program that every 15 year old script kiddy knows how to use. Fire the designer who made it that easy to get to multiple sensitive databases from a single system. Fire the security manager who wasn't actively looking for intruders.

The less-than-completely-computer-aware walking among us have a fatal, almost a religous belief that computers protect information like a locked safe. Because they can't imagine how to break into one, they can't conceive of anyone else doing it. Managers should know better. How do you fix computer security problems? Burn the boss.

Posted on July 06, 2006

The cowards of the civil service

by David Holtzman