TSA’s Brand

Passing through Portland’s PDX Airport, I was struck by this ad for SeaPort Airlines:


Things are pretty bad for TSA when right after “faster travel,” a company lists “No TSA” as its second value proposition. (Bottom left corner.)

It’s actually sort of impressive how much hate and resentment the TSA has built in the few long years of its existence.

44 Years


Mary Dudziak posted the testimony of Fannie Lou Hamer before the credentials committee of the 1964 Democratic convention. It’s worth reading in full:

Mr. Chairman, and to the Credentials Committee, my name is Mrs. Fannie Lou Hamer, and I live at 626 East Lafayette Street, Ruleville, Mississippi, Sunflower County, the home of Senator James O. Eastland, and Senator Stennis.

It was the 31st of August in 1962 that eighteen of us traveled twenty-six miles to the county courthouse in Indianola to try to register to become first-class citizens.

We was met in Indianola by policemen, Highway Patrolmen, and they only allowed two of us in to take the literacy test at the time. After we had taken this test and started back to Ruleville, we was held up by the City Police and the State Highway Patrolmen and carried back to Indianola where the bus driver was charged that day with driving a bus the wrong color.

After we paid the fine among us, we continued on to Ruleville, and Reverend Jeff Sunny carried me four miles in the rural area where I had worked as a timekeeper and sharecropper for eighteen years. I was met there by my children, who told me that the plantation owner was angry because I had gone down to try to register.

After they told me, my husband came, and said the plantation owner was raising Cain because I had tried to register. Before he quit talking the plantation owner came and said, “Fannie Lou, do you know – did Pap tell you what I said?”

And I said, “Yes, sir.”

He said, “Well I mean that.” He said, “If you don’t go down and withdraw your registration, you will have to leave.” Said, “Then if you go down and withdraw,” said, “you still might have to go because we are not ready for that in Mississippi.”

And I addressed him and told him and said, “I didn’t try to register for you. I tried to register for myself.”

I had to leave that same night.

On the 10th of September 1962, sixteen bullets was fired into the home of Mr. and Mrs. Robert Tucker for me. That same night two girls were shot in Ruleville, Mississippi. Also Mr. Joe McDonald’s house was shot in.

And June the 9th, 1963, I had attended a voter registration workshop; was returning back to Mississippi. Ten of us was traveling by the Continental Trailway bus. When we got to Winona, Mississippi, which is Montgomery County, four of the people got off to use the washroom, and two of the people – to use the restaurant – two of the people wanted to use the washroom.

The four people that had gone in to use the restaurant was ordered out. During this time I was on the bus. But when I looked through the window and saw they had rushed out I got off of the bus to see what had happened. And one of the ladies said, “It was a State Highway Patrolman and a Chief of Police ordered us out.”…

I was carried to the county jail and put in the booking room. They left some of the people in the booking room and began to place us in cells. I was placed in a cell with a young woman called Miss Ivesta Simpson. After I was placed in the cell I began to hear sounds of licks and screams, I could hear the sounds of licks and horrible screams. And I could hear somebody say, “Can you say, ‘yes, sir,’ nigger? Can you say ‘yes, sir’?”

And they would say other horrible names.

She would say, “Yes, I can say ‘yes, sir.'”

“So, well, say it.”

She said, “I don’t know you well enough.”

They beat her, I don’t know how long. And after a while she began to pray, and asked God to have mercy on those people.

And it wasn’t too long before three white men came to my cell. One of these men was a State Highway Patrolman and he asked me where I was from. I told him Ruleville and he said, “We are going to check this.”

They left my cell and it wasn’t too long before they came back. He said, “You are from Ruleville all right,” and he used a curse word. And he said, “We are going to make you wish you was dead.”

I was carried out of that cell into another cell where they had two Negro prisoners. The State Highway Patrolmen ordered the first Negro to take the blackjack.

The first Negro prisoner ordered me, by orders from the State Highway Patrolman, for me to lay down on a bunk bed on my face.

I laid on my face and the first Negro began to beat. I was beat by the first Negro until he was exhausted. I was holding my hands behind me at that time on my left side, because I suffered from polio when I was six years old.

After the first Negro had beat until he was exhausted, the State Highway Patrolman ordered the second Negro to take the blackjack.

The second Negro began to beat and I began to work my feet, and the State Highway Patrolman ordered the first Negro who had beat me to sit on my feet – to keep me from working my feet. I began to scream and one white man got up and began to beat me in my head and tell me to hush.

One white man – my dress had worked up high – he walked over and pulled my dress – I pulled my dress down and he pulled my dress back up.

I was in jail when Medgar Evers was murdered.

All of this is on account of we want to register, to become first-class citizens. And if the Freedom Democratic Party is not seated now, I question America. Is this America, the land of the free and the home of the brave, where we have to sleep with our telephones off the hooks because our lives be threatened daily, because we want to live as decent human beings, in America?

Thank you.

The Hazards of Not Using RFC 1918


RFC 1918 is a best-current-practices RFC that describes network address ranges that we all agree we won’t use globally. They get used for private networks, NAT ranges and so on. There are three ranges: to to to

They are thus the Internet equivalent of the American phone system not using the exchange 555, only more useful. If you need to give an example IP address, you can use one of those without causing anyone consternation or irritation.

An example of why you want to use one of these addresses can be found (at least for the next few minutes) at Microsoft’s site for the IE 8 beta. One of the IE 8 features is the “SmartScreen Filter” which can tell you IP addresses you’re best not going to. An example is the picture accompanying my post.

If you check out that address,, at ARIN Whois, you find out that it’s owned by Microsoft themselves.

I suppose that using one of your own addresses as a hazardous address is better than using someone else’s, but immature people like Your Friendly Author will titter over it and point it out to other people as well.

There’s a reason RFC 1918 exists, and this is one of them. Oh, by the way, be sure to look at RFC 2606, which reserves the domains example.com, example.net, and example.org. It also reserves the top-level domains .test, .example, .invalid, and .localhost. Remember them.
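The practical use of both RFCs is a pre-publication check: before a screenshot, a manual or a slide goes out, every address and hostname in it should come from a reserved range or a reserved name. Below is an added example (mine, not the post’s and not anything Microsoft ships) that does that check in Python. The three RFC 1918 ranges and the RFC 2606 names are taken from the RFCs; the block goes one step beyond the post by also accepting the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which are not mentioned above but serve the same purpose for examples. The sample text, the hostnames in it and the function names are constructed for the example.

```python
import ipaddress
import re

# RFC 1918 private-use ranges (the three ranges the post refers to; values from the RFC)
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# RFC 5737 documentation ranges: not on the page, added here because a checker
# for example addresses should accept them too
RFC5737_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# RFC 2606 reserved names, as listed in the post
RFC2606_DOMAINS = {"example.com", "example.net", "example.org"}
RFC2606_TLDS = {"test", "example", "invalid", "localhost"}


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def is_safe_example_ip(addr: str) -> bool:
    """True if addr is an RFC 1918 or RFC 5737 address, i.e. safe to put in a screenshot."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS + RFC5737_NETS)


def is_rfc2606(name: str) -> bool:
    """True if name sits under an RFC 2606 reserved second-level domain or TLD."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-1] in RFC2606_TLDS:
        return True
    return ".".join(labels[-2:]) in RFC2606_DOMAINS


# Deliberately simple patterns: dotted quads, and hostnames ending in an alphabetic TLD
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def find_unsafe_examples(text: str) -> list:
    """Return ("ip" | "host", value) pairs for addresses and names that are not reserved."""
    findings = []
    for m in IPV4_RE.finditer(text):
        if not is_safe_example_ip(m.group()):
            findings.append(("ip", m.group()))
    for m in HOST_RE.finditer(text):
        if not is_rfc2606(m.group()):
            findings.append(("host", m.group()))
    return findings


# Constructed sample text standing in for a draft document or screenshot caption
SAMPLE_TEXT = """Private server at 192.168.0.10, another at 172.31.4.9 and a lab box at 172.32.0.5.
Docs point at www.example.com and the demo gateway at gw.corp-intranet.invalid;
the old screenshot still shows portal.intranet.corp."""


if __name__ == "__main__":
    for kind, value in find_unsafe_examples(SAMPLE_TEXT):
        print(f"{kind}: {value} is not a reserved example value")
```

The sample deliberately straddles the /12 boundary: 172.31.4.9 is inside RFC 1918 and 172.32.0.5 is one step outside it, which is the kind of slip that hands a real address to the world. The hostname regex is intentionally loose; for real documents you would run it over the text after stripping code blocks and URLs you control.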

Lessons for security from “Social Networks”

There are a couple of blog posts that I’ve read lately that link together for me, and I’m still working through the reasons why. I’d love your feedback or thoughts.

A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn’t like the “Social Futilities.” Tyler Cowen has a short post on “fake following.”

I think the futility of these systems involves a poor understanding of how people interact. The systems I like and use (LinkedIn, Dopplr) are very purpose specific. I really like how Dopplr doesn’t even bother with a friend concept–feel free to tell me where you’re going, I don’t have to reciprocate. It’s useful because it doesn’t try to replace a real, complex relationship (“friendship”) with a narrowly defined shadow of the world. (In this vein, Austin Hill links a great video in his Facebook in Reality post.)

In information technology, we often replace these rich, nuanced concepts with much more narrow, focused replacements which serve some business purpose. Credit granting has gone from an assessment of the person to an assessment of data about the person to an assessment of the person’s data shadow. There are some benefits to this: race is less of a factor than it was. There are also downsides, as data shadows, blurry things, get confused after fraud. (Speaking of credit scoring, BusinessWeek’s “Your lifestyle may hurt credit score” is not to be missed.)

We’ve replaced the idea of ‘identity’ with ‘account.’ (I’ll once again plug Goffman’s Presentation of Self for one understanding of how people fluidly and easily manage their personas, and why federated identity will never take off.) Cryptographers model people as Alice and Bob, universal Turing machines. But as Adi Shamir says, “If there’s one thing Alice and Bob are not, it’s universal Turing machines.” Many people have stopped Understanding Privacy and talk only about identity theft, or, if we’re lucky, about fair information practices.

So the key lesson is that the world is a complex, confusing, emergent and chaotic system. Simplifications all come at a cost. Without an understanding of those costs, we risk creating more security systems as frustrating as those “social networks.”

[Update: It turns out Bruce Schneier has a closely related essay in today’s LA Times, “The TSA’s useless photo ID rules” in which he talks about the dangers of simplifying identity into intent. Had I seen it earlier, I’d have integrated it in.]

TSA Breaks Planes (and a link to infosec)

Aero News Network has a fascinating story, “ANN Special Report: TSA Memo Suggests That Agency ‘Encourages’ Damaging Behavior.” It covers how a TSA goon climbed up a plane using equipment marked “not a handhold,” damaging it and putting the flying public at risk. It continues:

While this may be terrifying on a number of levels, the situation becomes far more questionable with the release of a recent memo from the TSA in which such damaging and destructive actions are apparently ENCOURAGED. The memo clearly states that, “Aircraft operators are required to secure each unattended aircraft to make sure that people with bad intent cannot gain access to the planes. But during the inspection, TSA’s inspector was able to pull himself inside of an unattended aircraft by using a tube that was protruding from the side of the plane. TSA encourages its inspectors to look for and exploit vulnerabilities of this type.”

There are a couple of things I want to say about this. The first is that TSA seems to be orienting their “inspectors” towards the idea that no indignity or stupidity is too large. This is a natural result of there being no accountability.

While it’s fun to rage at the TSA like this, I don’t want to be throwing stones from a glass house. In information security, we sometimes tend this way. Security risks are seen as accruing to the career of the CSO. Smart CSOs shift jobs often to avoid having the risk (I forget who pointed this out, or I’d give credit.)

Implementing controls for a set of rare, high impact risks is hard. TSA, DHS and the President ought to be telling Americans not to be scared, and to realize that these things may happen again, despite our best efforts. This was the lesson of societies including the UK, France, Germany and Japan, not to mention Israel.

Fortunately, in information security, we have lots of common risks to go after, if only we’d pay attention.

Authenticating Alan Shimel is Certifiably Hard

Alan Shimel got hacked, and he’s blogging about it, in posts like “I’m back.” It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us.

One of the themes of these posts is the difficulty of resolving the cases, especially when your password has been changed and your email accounts have been compromised. Alan’s spent a lot of time on the phone getting stuff cleaned up, and I’d like to look at that process a little.

Alan has various business relationships with organizations who know him only via email and credit cards, or perhaps with a PO. How should they handle a claim that an account has been hacked? How are they supposed to authenticate someone calling who doesn’t know the password, and wants to tie a new email account into the system? Doesn’t that sound like fraud? These organizations likely don’t know Alan’s driver’s license # or passport.

This problem isn’t hard because we lack technology, it’s hard because a networked system has emerged which makes it easy to do business all around the world with people you don’t really know. If Alan had a client cert, maybe that would have been stolen, too. If he had a smartcard, maybe that would have been attacked via a client-side trojan. He ran into these troubles, and documents them at Yahoo, in “Why Google is now my homepage instead of Yahoo:”

I have written and called to every address you can think of. They have asked for copies of my drivers license. They wanted all of my information when I first applied for an account (yes from 12 years ago). I have had to give them every email address I ever had (anytime you fill out information for a new account you should make a record of it and keep it somewhere safe. Don’t ask me where, but somewhere safe). Every mail address and zip code I have had. I sent them the answer to every secret question I can think of, but they won’t give me the question they want to answer. I sent them the hackers post bragging about getting my email account.

There may well be multiple guys named Alan Shimel out there; just seeing a faxed copy of a license isn’t very good authentication.

All we have in distant and simple relationships is persistence and that’s not that strong. We also have what Alan used, which is webs of trust. He called people who knew him and had them call people he knew:

As I have written earlier, I was lucky in that I was able to call on people to help me out. For instance my friends at FeedBurner/Google, Matt Shobe and Dick Costollo, quickly took control of my FeedBurner accounts, including the SBN feed. They were also able to get someone live at Typepad to allow me to take back the blog. This took more time than it should have though. Until the Feedburner reached out to someone, the Typepad support team just kept sending a new password to mailboxes that the attackers controlled, even though I was mailing them from my stillsecure mail box! You could not get any of these people on a phone. Very frustrating! (“Our web infrastructure needs to be at public utility levels“)

Now, persistence and webs of trust seem like bad business models. They’re not easy to manage with regards to liability and contracts, but they are a great representation of how the world really works.

Closely related: “Certifiably Silly,” and “I’m certifiably wrong.”

Diebold/Premier vote dropping

A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges.

The problem was identified after complaints from Ohio elections officials following the March primary there, but the logic error that is the root of the problem has been part of the software for 10 years, said Chris Riggall, a spokesman for Premier Election Solutions, formerly known as Diebold.

So reports the Washington Post. Wow.

When Congress acts in haste, a la the HAVA fiasco, we all repent at leisure.

Write Keyloggers Professionally!


GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger.

Here are the project requirements:

We need a keylogger that can be installed remotely.

The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B install the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A is receiving the report by email of every keystrokes that the person B is doing on his computer.

They only want to pay $250 to $750, which seems fair given that the requirements don’t include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.

Photo “Keylogger 1.0 Beta” by soulrift.

The Omnivore’s Hundred

I find it interesting that security people and foodies are strongly correlated, or at least are strongly correlated among the ones I know. Very Good Taste has a list called The Omnivore’s Hundred, a list of things worth trying, modulo this and that. You mark the things you have tried, and mark the things you would never try or try again.

I found it via Cygnoir, who also gave a pointer to an easy-to-fill-out web page that will give HTML.

My results of that page are below.


The Food tasting meme

  1. Copy this list into your blog or journal, including these instructions.
  2. Bold all the items you’ve eaten.
  3. Cross out any items that you would never consider eating (or eating again)
  4. Optional extra: Post a comment http://www.verygoodtaste.co.uk linking to your results.

To make the filling out of this form and generating the HTML for it a bit easier, [info]reddywhp has played around with some PHP. Go to http://reddywhip.org/lj/foods/ and fill it out there. After filling it out, you will be given the code to copy and paste into your blog.

Livejournal users, remember to use your LJ-Cuts!

  1. Venison
  2. Nettle tea
  3. Huevos rancheros
  4. Steak tartare
  5. Crocodile
  6. Black pudding
  7. Cheese fondue
  8. Carp
  9. Borscht
  10. Baba ghanoush
  11. Calamari
  12. Pho
  13. PB&J sandwich
  14. Aloo gobi
  15. Hot dog from a street cart
  16. Epoisses
  17. Black truffle
  18. Fruit wine made from something other than grapes
  19. Steamed pork buns
  20. Pistachio ice cream
  21. Heirloom tomatoes
  22. Fresh wild berries
  23. Foie gras
  24. Rice and beans
  25. Brawn, or head cheese
  26. Raw Scotch Bonnet pepper
  27. Dulce de leche
  28. Oysters
  29. Baklava
  30. Bagna cauda
  31. Wasabi peas
  32. Clam chowder in a sourdough bowl
  33. Salted lassi
  34. Sauerkraut
  35. Root beer float
  36. Cognac with a fat cigar
  37. Clotted cream tea
  38. Vodka jelly
  39. Gumbo
  40. Oxtail
  41. Curried goat
  42. Whole insects
  43. Phaal
  44. Goat’s milk
  45. Malt whisky from a bottle worth $120 or more
  46. Fugu
  47. Chicken tikka masala
  48. Eel
  49. Krispy Kreme original glazed doughnut
  50. Sea urchin
  51. Prickly pear
  52. Umeboshi
  53. Abalone
  54. Paneer
  55. McDonald’s Big Mac Meal
  56. Spaetzle
  57. Dirty gin martini
  58. Beer above 8% ABV
  59. Poutine
  60. Carob chips
  61. S’mores
  62. Sweetbreads
  63. Kaolin
  64. Currywurst
  65. Durian
  66. Frog’s Legs
  67. Beignets, churros, elephant ears or funnel cake
  68. Haggis
  69. Fried plantain
  70. Chitterlings or andouillette
  71. Gazpacho
  72. Caviar and blini
  73. Louche absinthe
  74. Gjetost or brunost
  75. Roadkill
  76. Baijiu
  77. Hostess Fruit Pie
  78. Snail
  79. Lapsang souchong
  80. Bellini
  81. Tom yum
  82. Eggs Benedict
  83. Pocky
  84. Tasting menu at a three-Michelin-star restaurant
  85. Kobe beef
  86. Hare
  87. Goulash
  88. Flowers
  89. Horse
  90. Criollo chocolate
  91. Spam
  92. Soft shell crab
  93. Rose harissa
  94. Catfish
  95. Mole poblano
  96. Bagel and lox
  97. Lobster Thermidor
  98. Polenta
  99. Jamaican Blue Mountain coffee
  100. Snake

Disaster Recovery Drills Aren’t Just For IT

The Economist has a short but great overview on crisis management. The article is well worth reading completely, but there is one section that bears highlighting:

Be well prepared in advance. Potential members of a crisis management “team” should rehearse how they would manage the impact of an incident. It is a bit like learning the safety instructions on a plane before take-off: you hope you will never need them, but you know it would be unwise to miss the lesson. The team should include the chief executive and a representative of the press office. Thereafter, all external enquiries relating to a crisis should be answered by the team.

It’s amazing how often this step gets left out of business continuity plans and it is probably the most important. I heartily encourage all executives to not just plan but practice practice practice. This is the sort of thing that can really bite you hard at just the wrong time.

King Log or King Brutalist


A Christian Science church near the White House filed suit against the city on Thursday, accusing it of trammeling religious freedom by declaring the church a historic landmark and refusing to allow church leaders to tear it down.

The building, a stark structure with walls that soar toward the sky, is an eyesore or a work of genius, depending on who is discussing it. The 37-year-old church was designed by Araldo A. Cossutta, who had been an architect in I. M. Pei’s firm, and declared a landmark in December.

Supporters of preserving the church, the Third Church of Christ, Scientist, say it is a sterling example of a style of architecture called brutalism, which is identified by repetitive geometric design and raw concrete. (“Church Sues over Landmark Status”)

Me, I just think there’s something between irony and schadenfreude in there not only being a “brutalist” style of architecture, but that Washington DC wants to preserve it, over the objections of those subjected to it.

(Not to mention the questionable justification for the government creating and keeping a list of historic landmarks which their owners then must maintain.)

Photo: Washington DC 3rd Church of Christ Scientist, Amy.Arch

We’re all in it together

Ryan Singel reports at 27B/6:

The TSA was keeping the names of people who lost their wallets and needed to fly — even after ascertaining their identity and determining they were not a threat and could board a plane. It stored these names in a shared threat database. Then it decided that it won’t store the names of people who it was able to identify as not a threat.

The entire article is a must read.

I’m Certifiably Wrong

So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker:

Could we take the cost issue out of this equation please … [Adam: I’m willing to set it aside, because the conversation has spiraled.]

The real questions as I see it are

1) Leaving aside the issue of cost, what are the pros and cons of introducing self-signed certificates into the current browser model of SSL?

2) If the advantages of introducing self-signed certificates into this model outweigh the disadvantages, what is the best approach (from a technical and user experience perspective) to introduce self-signed certificates into the current SSL model?

3) If there is a good technical/UX approach to introduce self-signed certificates into the current SSL model, what is the likelihood of such an approach being adopted on a universal basis (i.e., by all browser vendors), and how might this be made more likely?

I’d argue that these are the wrong questions: the real questions underlying our disagreement are probably “do certification authorities do what they’re purported to do, and (if we agree they don’t), what do we do about it?”

I think we do two things: One, we stop investing so much in them, and second, we investigate the heck out of the alternatives, including persistence and organizational CAs, including CAs run by groups like the American Bankers Association. These are both in direct contradiction of the CA business model, and so they’ve been stillborn.

I’m not going to claim that either will have better user experience than the current SSL model, and that’s a low bar.

So I’m wrong, the issue isn’t really self-signed certs, it’s the CA model.
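“Persistence,” which the Alan Shimel post above calls “not that strong” and which this post lists as an alternative to investing in CAs, is in its simplest form trust on first use: remember the credential you saw the first time and complain when it changes. The block below is an added example of that idea in Python, written for this page; it is not Adam’s code, not a browser’s implementation, and not any of the CA alternatives named above. It pins a SHA-256 fingerprint per host, reports whether a later certificate matches, and refuses to silently replace a pin. The class and function names are hypothetical, the host name is an RFC 2606 placeholder, and the certificate bytes are constructed stand-ins rather than real DER.

```python
import hashlib
import json
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes: the value that gets remembered."""
    return hashlib.sha256(cert_der).hexdigest()


class PersistenceStore:
    """Remembers the first certificate seen for each host and reports whether a
    later one matches (trust on first use). Hypothetical class name."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None   # None keeps the pins in memory only
        self.pins = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, cert_der: bytes) -> str:
        """Returns 'first-seen', 'match' or 'changed'. A changed fingerprint is never
        silently accepted; the caller decides, and must call rotate() to accept it."""
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp       # nothing to compare against on first contact
            self._save()
            return "first-seen"
        return "match" if known == fp else "changed"

    def rotate(self, host: str, cert_der: bytes) -> None:
        """Explicitly accept a new certificate for a host already on file."""
        self.pins[host] = fingerprint(cert_der)
        self._save()


# Constructed stand-ins for DER-encoded certificates; not real certificates
CERT_A = b"constructed-cert-bytes-for-bank.example-issued-2008"
CERT_B = b"constructed-cert-bytes-for-bank.example-replacement"


def demo() -> list:
    """Walks one host through first contact, a repeat visit, a changed cert and a rotation."""
    store = PersistenceStore()
    host = "bank.example"           # RFC 2606 reserved name, so a safe placeholder
    verdicts = [
        store.check(host, CERT_A),  # first-seen: nothing to compare against
        store.check(host, CERT_A),  # match
        store.check(host, CERT_B),  # changed: could be rotation or substitution
    ]
    assert store.pins[host] == fingerprint(CERT_A)  # old pin survives the "changed" verdict
    store.rotate(host, CERT_B)
    verdicts.append(store.check(host, CERT_B))      # match after explicit rotation
    return verdicts


if __name__ == "__main__":
    print(demo())   # ['first-seen', 'match', 'changed', 'match']
```

The two weak spots are visible in the verdicts: the first contact says nothing at all, and “changed” cannot distinguish a legitimate renewal from a substitution, which is exactly why the post calls persistence “not that strong” on its own and pairs it with webs of trust and organizational CAs rather than proposing it as a replacement.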

There were other points raised, by both Frank and Andy Steingruebl, about my bookmark model, which is that it breaks PayPal. There are two ways to read this model: one is “always use bookmarks,” the other is “never click on a link in email.” I intended the first; the second is unclear, given the prevalence of webmail. Perhaps we could address this by having merchants send transactions to PayPal, and then if I choose to login via a bookmark, I get a list of pending activity.

The final point that Andy raised is organizations with lots of web sites. A reasonable point, and one I’m not sure how to address. Part of how I’d address it is that most of us don’t see all of those brands. I would be happy to see some of the brand profusion go away, which of course doesn’t mean it would happen. (I consulted for a bank for several years; I can’t keep track of all the brands that they present around my retirement accounts.) If I can’t keep track of them when they’re ‘not’ security critical, I surely can’t keep track when they are, and it is unreasonable to expect me to.