I’ve realized recently that I have no real idea of what’s happening in Iraq. On the one hand, we have bubbly optimists like Chrenkoff. On the other, people like Wall St Journal reporter Farnaz Fassihi, whose email is getting wide circulation.

The Iraqi bloggers I read (generally) sound more optimistic than despairing, which is good. It’s clear to me that the US needs to stay the course, as bad as that may well become, because pulling out would be an unmitigated disaster. Al Qaeda got a huge boost from the (US backed) Islamist victory over the Soviet Union in Afghanistan. Withdrawing from Iraq would give them another huge boost, even if they’ve lost in Afghanistan to the US.

(From Editor and Publisher on Fassihi, via BoingBoing.)

[Update: several people have asked, how can you believe that “it’s anything but *cked up over there?” My answer is reading the Iraqi blogs, it just doesn’t seem that what they’re witnessing is either the doom and gloom of the left wing press, or the sunshine of the right-wing press. It’s really hard for me to judge what’s really going on at any sort of macro level.]

Nevada Gaming Commission vs. Diebold

It’s always good to see our best resources being applied to the most important things in society, like voting. The “independent” validation, paid for by the software creators, is closed to the public. But when the Nevada Gaming Commission gets into the act, it seems they know a scam when they see one. (Disclaimer: I voted in that Defcon study, but have no evidence my vote was counted.)

For more information, see the Black Box Voting book page, Avi Rubin’s site, or Rebecca Mercuri’s site. Dr. Mercuri was the first one I know of to start beating this drum, and we owe her a vote of thanks.

[Update: The story isn’t actually new. I’d heard Nevada was requiring audit trails, but hadn’t heard it was the NGC that was responsible until Randal Schwartz pointed it out to me. (I’d link to the message, but it hasn’t been through moderation yet.)]

Travel, Speaking Plans in October

I’m speaking at the Atlanta Chapter of the High Tech Crime Investigative association, October 11th, on a “Privacy Industry View of Reducing Cybercrime.” This is an extended version of Zero-Knowledge’s talk we gave to law enforcement.

I’m speaking at the Inaugural Security Leadership conference, in Arlington, Texas on the 19th, on “Beyond Penetrate, Patch and Pray,” which is a new talk that I haven’t put online yet.

I’ll be attending (but not speaking at) Phreaknic in Nashville, on the 22nd and 23rd.

“A Roadmap for Forgers”

Ed Felten has a great post over at Freedom To Tinker about Rather-Gate:

In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked — the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, and kerning will prove instructive to would-be amateur forgers, who will know not to repeat the mistakes of the CBS memos’ forger. Who knows, some amateur forgers may even figure out that if you want a document to look like it came from a 1970s Selectric typewriter, you should type it on a 1970s Selectric typewriter. The discussion, in other words, provides a kind of roadmap for would-be forgers.

On top of educating forgers, the debate, at least for those who followed it, has provided an education in document authentication. So not only are the forgers smarter, but so is the general public. That’s a very good thing.

Many security problems are built into products because the designers don’t know about a problem, or become convinced that no one else will discover it. A better educated public helps to address both these issues: Designers are more likely to know about problems, and once they know them, management is less likely to dismiss them as improbable or obscure.

Cultural Imperialism At Its Best

Abdul Hadi al-Khawaja is being detained for 45 days over charges of inciting hatred against the [Bahrain] regime. His Bahrain Centre for Human Rights (BCHR) ignored warnings it had contravened association laws, a government statement said. The centre had protested at the arrest, saying Mr Khawaja was just “practising his basic rights, namely free speech”.

There are times I love cultural imperialism, and this is one of them. The idea that some rights are inalienable has spread around the world, and made the world a better place.

(Via BBC)

“Tomorrow is Zero Hour”

More than 120,000 hours of potentially valuable terrorism-related recordings have not yet been translated by linguists at the Federal Bureau of Investigation, and computer problems may have led the bureau to systematically erase some Qaeda recordings, according to a declassified summary of a Justice Department investigation that was released on Monday.

The problems, unsurprisingly, are managerial:

The F.B.I. “has not prioritized its workload nationwide to ensure a zero backlog in the F.B.I.’s highest priority cases – counterterrorism cases and, in particular, Al Qaeda cases,” the report found.

The 9/11 Commission report found flaws with the “lead office” system that the FBI has, where the office where a case originates gets all the credit. I wonder if that plays in here?

Audio recordings that relate to Qaeda investigations are supposed to be reviewed within 12 hours of interception under F.B.I. policy. But the report found that deadline was missed in 36 percent of nearly 900 cases that the inspector general reviewed. In 50 Qaeda cases, it took at least a month for the F.B.I. to translate material.

Heads ought to be rolling at this point.

Quotes are from a New York Times story, see also what the BBC had to say. The title, incidentally, is from a September 10th intercept.

Overall, it doesn’t make much difference that the Army kicked out nine linguists for being gay. That’s less than 1% of the workforce at the FBI. But it does indicate that our national priorities remain somewhat skewed.

Maybe if we stopped insisting that security and liberty are always opposed, and started talking about how liberty and security can complement each other, we’d be doing better?

The Two 9/11 Commission Reports

I’ve just finished the 9/11 commission’s report. (Or use the Pdfhack version, a fine example of what can be done in the absence of copyrights.)

One of the things that stands out for me is the stark contrast between the history and the recommendations. The history is excellent. The recommendations, less so. My largest critique is that after the largest attack on American soil since the civil war, they fail to think big. They spend time drawing lines on org. charts.

Regular readers will note that I spend a lot of time looking at airline security. The recommendations there (around page 383) are clearly weak. More ID cards will not change things. We need to consider broader changes.

For example, they could have considered the drug war. The easiest way to smuggle weapons of mass destruction into the US would be to pack them in cocaine. Perhaps changes there are in order?

I’m not the first to notice this. Elizabeth Drew wrote a long article for the New York Review of Books, and the Center For Strategic and International Studies has an analysis (PDF) worth reading. An English professor at DeAnza college also caught my eye.

“You will eventually be caught”

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual Property Section (CCIPS) are available to US Attorneys across the country. The Secret Service operates 15 Electronic Crimes Task Forces. There are 5 Regional Computer Forensic Laboratories operating now with 8 planned to open in the coming years. The Internet Fraud Complaint Center (IFCC) is taking reports from victims of cyber crime and the National White Collar Crime Center supports law enforcement efforts. All of this adds up to a lot of federal, state, and local police working to bust bad guys.

(From Richard Bejtlich’s TaoSecurity.)

This feels wrong to me. Investigating computer crimes is still a very labor-intensive process.

(I’m experimenting to see how MarsEdit handles extended entries.)

Firefox Software Install UI

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file!

Firefox 1.0PR now includes code to deal with this. Here’s how it works.

Justin Mason has a good bit on how Firefox reduces the chances that spyware will end up in your system. This is a nice start. I don’t know that it will work long term. When SSL came out, there were all sorts of sites with directions for working around the security and interoperability. Things like “Your browser will issue a warning. To use this site, click ‘please screw me.’” Spyware sites will start to issue the same sort of message around installing new software to see their dancing bunnies.

Browsers have become big complex technologies. That’s not a slam at the browser folks–users want them to do more and more. As the browser replaces one set of buggy device drivers with another, it may need to start offering an internal security model that controls what APIs different plug-ins can use, etc. It may need to start controlling what modules can access what data, much like an operating system.

Airport Screening Still Fails Tests

Do current security plans depend on no guns getting onto the planes? I hope not.

Covert government tests last November showed that screeners were still missing some knives, guns and explosives carried through airport checkpoints, and the reasons involve equipment, training, procedures and management, according to a report by the inspector general of the Homeland Security Department.

From The New York Times. Use BugMeNot if you need a login.

In other “guns on planes” news, John Miller, the head of the LAPD’s counter-terror unit was detained Thursday after forgetting about a gun in his bag.

It’s interesting that Miller got where he is via a PR and reporting background. The obvious charge is security as theater. However, reporters often end up knowing a huge amount about their subjects, and so I don’t want to throw that charge without more research than I can do before dinner.

Verisign’s Kid Credentials

So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which Verisign has been trying, and failing, to flog to consumers for years. (It may be this.)

What’s unclear is the privacy implications. If this is a X.509 cert on a USB token, then what this means is that children will not have privacy in these “kid only” spaces. They’ll be subject to monitoring under their real name. This damages one of the best features of the internet, which is the ability of kids to go online and explore different identities fearlessly. Read their chatroom rules of use: Cyberdating is dangerous!

At least they’re up front in their terms of service: You are being watched. Your name will follow you. Yeah, I wanna go play there.

What’s In A Name?

“BRANSON, Mo. – A Branson man has put a face to the anonymous references people often make to “they” by changing his name to just that: “They.”

Not only is he making a statement about his name, but he’s messing with the entire English language,” friend Craig Erickson said.

How can you argue with messing with the entire English language?

(From AP via Languagehat.)