Long Bits of Stuck in McCarran International Airport

Kudos to McCarran International Airport (Las Vegas) for having free wifi. And congrats to my fellow Defcon attendees for stealing the cookie that authenticates me to this blog off that wireless net.

  • Tech Policy points to Bill West at Counterterror blog, in “Liberty & Security vs. Terror – an American Perspective.” It’s worth reading in full.

    I wonder how the devil is feeling nowadays, since his lair has frozen over. The likes of me, a 29-year law enforcement veteran who spent half his career working organized crime and national security cases, has found common ground with the ACLU. I’m talking about the random police searches of bags conducted in the New York subway system recently implemented as a result of the twin terrorist attacks against the London transit system in July.

    …mass intrusion, for security, into our individual liberties by government, even if it’s slow and subtle, that should concern all of us. We do live in the 21st century, and the founders of our country never envisioned the possibility of mass destruction, but this is still America and we live under that remarkable document known as the Constitution.

    (The Counterterrorism group blog is fascinating to me. Much of what they write is great, and some, like “Michael Cutler: Don’t privatize federal aviation screeners,” just misses the boat. My question is not how dedicated the screeners are; it’s how effective they are. And evidence is, Federal screeners are no better than private screeners.)

  • Eric Rescorla asks the question, “Who should pay for your identity theft protection?” Eric’s answer is much longer and more eloquent than mine, which is that ID theft protection is like a mobster coming in and saying “Fine credit rating you’ve got here. It would be a real shame if anything were to happen to it.”
  • Speaking of protection rackets and the downside of credit agencies, Alex Tabarrok reports in “Heard on the Train” that Colombian kidnappers pull your credit file to calculate optimum ransom.

    Experian would be proud: Think of all the fingers that won’t be cut off to demonstrate the seriousness of the kidnappers.

  • If you’re in Portland, OR on Tuesday, Meet the Flockers at Doug Fir Lounge. I met one of the Flock guys this weekend, and while he wasn’t saying precisely what they’re doing, the orientational frame he drew appealed to me. I’m not going to say anything else here until they say it’s ok.

Why Not Accept Random Searches?

In comments, Izar asks why we feel that having policemen check up on us is an affront to our liberty. He also asks that we call him a “serf of the totalitarian state machine,” so I shall.

I suppose I might feel differently if, regularly, people around me were being murdered by terrorists. But the happy truth is that both attempted and successful terrorism are incredibly rare events in the United States. I am far more likely to be killed by an idiot yacking on his cell phone while changing lanes than I am to be killed by a bomb. Given the ease of access to guns, explosives and the like, this is probably due to effective action by police and intelligence agencies. I do wonder where the court cases are. Further, the effectiveness of random, limited bag searches is highly questionable.

My concerns center around the cost of surveillance. I mean more than the fiscal costs–also spiritual and societal.

The fiscal cost of checking bags everywhere is huge. In Israel, it makes sense because of the imminent threat, and also because if you don’t check bags, people will feel insecure (scared) and shop elsewhere. So if we’re not voting substantially more money to the police, I’d prefer to see them enforcing traffic laws over checking bags. Also, the rarity of bombings in the US will drive the checkers to look for other things (drugs, evolution textbooks, pictures of Mohammed Atta being carried by a professor doing research into terrorism.) They’ll find things to find to make themselves feel useful.

This isn’t intended as a slam against those doing the job. Dedicated people hate feeling useless, and so they’ll look for things, other than bombs, to find, so that at the end of the year, they will not have found nothing. As I understand things, had you searched every single bag of every rider of every metro system in the United States last year, you would have found exactly no bombs. It’s very hard to do a job like that.

The spiritual and societal costs come when people are being watched constantly. Rather than doing things that people expect will make them happy, people will filter and color their decisions based on what a cop might think. To resist social pressure in making decisions is very difficult. To resist that pressure when it is literally embodied in an armed officer of the state is even harder. When those officers are trained to exploit the natural obedience to authority that Milgram demonstrated, it is even harder.

And so, the intrusive presence of the police creates an aggressive pressure to conform. To not do certain things. What things? I don’t know. I suspect that Steve Mann is having lots of problems today. Enough to discourage anyone else from exploring that space. But what I do know is that all ideas are born new. They are experimented with, and explored. A prime value of liberty is that free societies invent and create more new things faster than centrally planned or controlled societies. That’s been a strength. And no, police checking bags will not, by itself, change that. But liberty is easy to erode, and hard to rebuild.

So can I say what the cost of searching a bag will be? Yes. It will be some clever inventor who can’t bring his invention to a critical meeting because he’s stopped and searched by the police. We’ll never know what that invention is, because bad luck has prevented us from seeing it. Maybe it’s a new bomb detector. A way to clean up pollution. A cure for cancer. The pages of the great American novel scattered accidentally to the winds.

All to prevent the zero metro bombings that occurred last year in the United States. Of course, no one had ever crashed an airplane into a building before, either. But the actions that we take must be commensurate with the risks, effective, and cost-effective.

PS to Izar: is a Totalitarian State Machine like a finite state machine, only without any decision points?

Job Openings

My friend and colleague Scott Blake is looking for smart people:

I have openings for 5 information security
analysts. Level of seniority is negotiable, but I prefer senior-level
folks. I’m looking for the following specialties: security awareness
training/communications, secure application development, risk assessment,
network architecture, and security policy development.

I also have an opening for a process facilitator/administrator type
(Security Project Administrator is the title). This is a nearly-entry
level position for someone technically savvy, but not necessarily a
security specialist. Should be ambitious.

If interested, go to www.libertymutual.com and click on Careers. Through there you can
find the jobs. Search for security in Portsmouth, NH (all positions are
here, though it may be possible to negotiate office space in Boston,
Indianapolis, Kansas City, Wausau, and a few others). Liberty is a rock
solid company that’s great to work for. Relo assistance available for most
positions. If now isn’t a good time for you, check back after the first of
the new year. I expect to be opening another 6+ positions then.

A lot of my thinking about security and its relation to the business has been shaped in conversations with Scott over the years, and I expect that the folks who get these jobs will find them a good career move.

Are Police the Best Response?

A few weeks ago, it came out that the MTA wasn’t spending their security budget:

In December 2002, the Metropolitan Transportation Authority announced it had completed a lengthy assessment of potential threats to the city’s transportation infrastructure, from subway lines to major bridges. The authority, which had begun the study in the weeks after the Sept. 11 attacks, said it was committing nearly $600 million to improve the security of the sprawling transportation network.

But to date, two and a half years after that announcement and nearly four years after Sept. 11, only a small fraction – about $30 million as of March – has been spent, and nearly all of that on consultants and additional study.

Slate has some commentary as well, in “Planning Gridlock.”

My take is that the number one way they should be spending the money is real training for the real first responders: the people of New York. Teach them how to spot a bomber. Teach them what to do. Teach them first aid and CPR. Because the people of New York will always be the first ones present at a terrorist attack in New York, and their response will make a difference.

Canadian Telco Telus Blocks access to Union Website, How to Access

Michael Geist has the scoop at “Telus Blocks Subscriber Access to Union Website.” Short version: Telus and their union are fighting. Telus has chosen to prevent their customers from reaching “Voices for Change,” the union website.

I urge Telus customers to call customer support and ask what’s up. Repeatedly. Voices for Change also suggests that “TELUS customers can pass this proxy URL to TWU members they know who uses TELUS as their ISP: http://vfc.proxy.pfak.org/.” I’ll also suggest that TOR would be a fine way to bypass Telus censorship until you can get a decent ISP.

Risks of Data Collection and Use

David Cowan tells a sad story about his experience with unauthorized data collection and use in “Freshman Week.” Speaking of unauthorized data collection and use, Jonathan Krim reports that “License-Screening Measure Could Benefit Data Brokers:”

Jason King, spokesman for the American Association of Motor Vehicle Administrators, said commercial data brokers are notorious for refusing to correct their databases if they contain erroneous information.

“We worry that it’s garbage in, garbage out,” King said. By contrast, he said, states verify Social Security numbers directly with the Social Security Administration and are developing a system to authenticate birth certificates.

Even folks at AAMVA, who have never met a privacy invasion they didn’t like, don’t like this one. (Oh, and Choicepoint says they didn’t lobby for it. So who did?)

The bill would be a form of corporate welfare, where the data broker selected would be able to use the data, collected under threat of criminal penalties, to “correct” and “update” their other data. This is the same thing that the national change of address forms do; give your new address to every marketer in the country, under color of “updating” their records.

Why should we give these unregulated, irresponsible companies like Lexis-Nexis this bit of help?

(Thanks to Alice of Presto Vivace for the pointer, and the corporate welfare angle.)

If You Have Nothing to Hide…

In “Behind-the-Scenes Battle on Tracking Data Mining,” the New York Times reports that the Department of Justice really does care about privacy, and really doesn’t want those nosy Congressional committees poking about how the government operates. So, why should they care? Are they hiding something?

Of course, this being a New York Times article, there’s a small error or two…:

The government’s use of vast public and private databases to mine for leads has produced several damaging episodes for the Bush administration, most notably in connection with the Total Information Awareness system developed by the Pentagon for tracking terror suspects and the Capps program of the Department of Homeland Security for screening airline passengers. Both programs were ultimately scrapped after public outcries over possible threats to privacy and civil liberties, and some Republicans and Democrats in Congress say they want to keep closer tabs on such computer operations to guard against abuse. (Emphasis added.)

As another paper reported yesterday, “Flight Database Found to Violate Privacy Law.” No, wait. That wasn’t another paper at all. That was the New York Times, reporting on a program that’s been scrapped! Or perhaps it wasn’t so scrapped. I guess renaming it from “CAPPS” to “CAPPS II” to “Secure Flight” to “Free Wheelchairs for paraplegic children” actually worked!

Hat tip D “Something to hide” M for the pointer.

What Do You Have to Do To Get Fired Here?

Ryan Singel has the scoop. The GAO report to Congress is also covered in the New York Times, “Flight Database Found to Violate Privacy Law:”

“Careless missteps such as this jeopardize the public trust and D.H.S.’ ability to deploy a much-needed, new system,” Senator Susan Collins, Republican of Maine, wrote on Friday to Secretary Michael Chertoff of the Department of Homeland Security.

Three times is not ‘careless missteps,’ Senator. It’s TSA learning that they can get away with it. They’re the result of small violations going unpunished. So my question is not really “What do you have to do to get fired here,” but “How many laws do you need to break to get fired here?”

Consent, Submit, Forest, Trees

Kip Esquire has a good post, “On ‘Consenting’ versus ‘Submitting’ to a Search.” The upshot is:

If you happen to be stopped for a search such as this, you should not say “Yes I consent” or “Sure, go ahead.” Rather try saying something like “I consent to nothing, but if you are requiring me to submit to a search, then I will comply.” That may sound a little too “Borg drone,” but it should preserve your Fourth Amendment rights.

I got this wrong in a comment, and I want to discuss that a little.

I don’t believe that our Constitutional rights were intended to, or ought to, turn on a turn of phrase, or slip of tongue. They ought to be more robust than that. This brings to mind a good post at Prawfsblog, where Hillel Levin discusses missing the forest for the trees, “Missing the Quarter-Pounder for the French Fry,” which ends:

If this analysis sounds familiar to you, it is probably because I have applied the same reasoning in the past. Sometimes we lawyers are so locked into doctrinal minutia and the role of the court that we lose sight of the quarter-pounder for the french fry.

I think that Thomas’ comment in Kelo sums it up best: “Something has gone seriously awry with this court’s interpretation of the

Iowa State, 2037 SSNs and 2,379 CC, “Hacker”

The Iowa State University is sending out a warning to alumni Wednesday after a hacker had access to the alumnae association Web site.

A computer at Iowa State University’s Alumni Association was hacked into, allowing outside access to thousands of Social Security numbers and pages of credit card information.

By tapping into the computer, the hacker had access to 2,031 student and volunteer Social Security numbers and 2,379 credit card numbers.

Those who did not receive an e-mail from the association should be OK, NewsChannel 8 reported.

From The Iowa Channel, “Hacker Gets Access To ISU Alumni Information.”

New York to Randomly Beat People In Hopes of Beating Terrorists

Police will begin randomly beating people entering city subways, officials announced Thursday after a new series of bomb attacks in London.

“We just live in a world where, sadly, these kinds of security measures are necessary,” Mayor Michael Bloomberg said. “Are they intrusive? Yes, a little bit. But we are trying to find that right balance.”

More seriously, they’re “only” abandoning the idea that the police can’t search you without a reason, and “only” as you enter the subway. (Try getting around New York without using the subway.) See “Police to Check Bags on NYC Subways,” or “Backpacks that Go Bloom(berg).” Apparently, you’ll be “free” to leave the subway and enter at another station, which means that you’ll either be followed, or the measure is not only unconstitutional, it’s entirely worthless as a security measure.

The right balance involves celebrating our values and our commitment to liberty. It may involve training people in New York how to distinguish between a suicide bomber and a ‘character.’ But it sure doesn’t involve random searches.

My readers have provided great commentary about profiling and security in the comments on “Homegrown Bombers, ID Cards, Intelligence Activity, and Profiling,” and “‘Israeli Style Profiling’.”