

Tuesday, July 21, 2009

Just because you're paranoid, it doesn't mean they aren't out to get you

Last summer I got a new passport in preparation for my trip to Jamaica. Embedded in that new passport was an RFID chip containing an unspecified amount of data about me and my passport. I'm not a total paranoid freak, but I'd read a bit about RFID and how easy it is for unauthorized people to read the chips' contents. So I'd purchased a passport jacket containing a mesh that prevents just such a thing from happening. A few folks I know had looked at me with that "you're a little off, aren't you?" look when I explained the heavy-duty envelope for my passport. Well, now the US State Department is recommending that folks purchase such a jacket, since a recent report has pointed out how easily the chips can be read. Don't worry though. According to the State Department, "hackers won't find any practical use for data skimmed from RFID chips", but who am I to trust them now? Of course, you could always disable the chip, but that wouldn't exactly be legal.


Friday, June 12, 2009

The DMCA is endangering American security

The Digital Millennium Copyright Act affects more than copyright issues. According to Angel Gunn:

The cybersecurity review says we need to improve academic and industry collaboration on cybersecurity and other technology issues. It also states we should "expand university curricula; and set the conditions to create a competent workforce for the digital age."

What the cybersecurity review should have said is, "We are raising a nation of timid technophobes who mistake using MyTwitFace for being a geek. Meanwhile, we have comprehensively, at every educational level, stripped away useful teaching tools and criminalized modes of research and inquiry in the name of copyright and liability laws, and sooner rather than later we are going to reap the whirlwind."

Or, putting it simply: We made ourselves stupid and now we must pay.

Read the full article on betanews.


Sunday, June 07, 2009

More from the White House on Cybersecurity


Monday, June 01, 2009

President Obama on Cybersecurity

Bonus: Bruce Schneier’s comments on the speech.


Friday, August 15, 2008

Configuring a public laptop: the result

A recent comment on my post about how to configure some public laptops reminded me that I'd not blogged the results.

First, in response to Scuba Steve who said "Giving public users administrator access is just stupid," I'll respond by saying that there needs to be a balance between security and usability. I've been in plenty of labs and on plenty of public computers where they're so locked down that I can't do the simplest of actions on that computer. When you sacrifice usability for security, you end up losing in the end.

Granted, on its face, giving the public admin rights does seem risky. However, especially in Vista, when you don't have admin rights there is a whole list of things that can seriously degrade your patron's experience. Remember, this isn't an office situation here; these are public-access computers. I think Steve would respond that this fact actually increases the risk more than in an office environment, and I might tend to agree, but it also changes the nature of the user. In an office, users are expected to do a certain list of things and therefore IT can anticipate how the computer will be used. Give access to the public and who knows what they'll want to do.

Lastly, these computers are mostly going to small rural libraries who have minimal to no technical expertise on staff. Therefore, what security is installed needs to be manageable by non-IT professionals.

So, I'll stress again, there needs to be a balance. Here's the balance I believe I've found:

There are two accounts, one for staff which is password protected, and one for the public which is not. (Don't librarians just love handing out passwords to people?) Both accounts have full rights to the computer as far as Windows is concerned. I've also installed Steady State with the following two restrictions:

  1. The public account is "locked". This means that no matter what the user does to the computer, upon logout (or reboot) the changes are immediately removed.
  2. Access to Steady State has been blocked for the public account. This addresses Steve's question "What would stop them from uninstalling/deleting SteadyState, Deep Freeze or any other restoring software you install?" In other words, in order to change or uninstall Steady State you must be logged in as the administrator.

As a result, staff can log in as staff and make any needed changes, install/remove software or run updates to the system as a whole without needing to touch Steady State at all. To make a permanent change specific to the public profile (i.e. add or remove desktop icons) they'll just need to log in as staff, unlock the public account, log in as the public, make the changes, then log back in as staff and relock the public account. (That may sound complex but it doesn't involve multiple reboots like Deep Freeze or Centurion Guard do.)

In the end I believe that I've found the balance that fits our needs. I've been running this setup in our lab for the past month and will be doing so for the next month before I actually set up the laptops in question. So far, this setup is working as needed.

Let me stress again: this solution fits our needs. Blanket statements such as it's "stupid" to do something in every situation just show that your thinking is locked, and unfortunately that rules out the flexibility required to solve certain problems.


Tuesday, July 15, 2008

Configuring a public laptop: Which direction should I take?

Here in Nebraska we're going to be giving grants to libraries who don't already offer public access WiFi: a Linksys WiFi router and a choice between a Dell laptop and a Samsung Q1. The question I have deals with how I should set up the laptops/Q1s. Before I describe the options keep the following in mind: a) They both run Vista. b) The fact that one's a UMPC and one's a traditional laptop is irrelevant. (At least I think the hardware is irrelevant. If you think it isn't, please explain.) c) The computers will be made available for public use. So, which would you choose?

Option #1
Set up a staff account with admin privileges and a public account as a standard user. This way the staff can run updates and change settings and the public can't alter anything.

Option #2
Have just one user account but install Windows Steady State so that no matter what the public does, a reboot solves everything. To make changes permanent the staff would just need to turn off Steady State first.

I have my opinions but I'm trying to see if I've missed anything. What do you think?


Monday, June 23, 2008

What It's Like To Fly With No ID Under The TSA's New Regulations

The Consumerist has the story of a man who's flown without ID under the new TSA rules. Here's the scary part:

So you know how the new TSA regulations went into effect yesterday, where you can only fly without ID if you "cooperate" with the TSA? Well, it turns out you also have to take a test about your personal life. They call up a service to administer it, and the last question they asked was which political party am I registered under (I correctly answered "democrat" and they still let me on board).

Read the full story on The Consumerist.


Thursday, June 12, 2008

The War on Photography

Bruce Schneier, security guru, weighs in on the large number of photography-related "security" stories of late.

Given that real terrorists, and even wannabe terrorists, don't seem to photograph anything, why is it such pervasive conventional wisdom that terrorists photograph their targets? Why are our fears so great that we have no choice but to be suspicious of any photographer? Because it's a movie-plot threat.

Read the full article at Schneier on Security.


Thursday, May 15, 2008

Our Transportation Facilities Are Being Watched

Yet another "photographers are considered terrorists by default" story. This time from the blog of the Spokane County Transportation Department.

I was out taking pictures this morning of sites of transportation projects to be completed over the next twenty years. One of those projects is to move the weigh station near Stateline further east along I-90. I stopped at the pretty much deserted weigh station and took a couple pictures, then drove off. About 10 minutes later I received a call on my cell phone from Washington State Patrol asking why I had been taking pictures of the weigh station!

The blogger's final comment is the most interesting:

I guess it makes me feel a little better to know that someone is watching the people who are watching our infrastructure. On the other hand, it kind of scares me that they could track me down that fast.

Read the whole story on the SRTC Transportation Blog.


Wednesday, May 14, 2008

More BS involving photography in public places

Wow, three stories in one day. The first from a professional photographer taking photos of the Port of Los Angeles. Seems the FBI paid him a visit.

So I inform them that I was under the impression that everything I was doing was legal. Security guards can't chase you off of public streets, and that I'm free to shoot whatever I want in public view. I inform them that my rationalization was that anything you can see from a public street isn't private (if they're trying to protect some secret, they shouldn't put it there), and if I really wanted to canvas the place, Google Maps' satellite view is a much better place to start. They confirm that yes, what I was doing was completely legal, but they're just doing their jobs, that it doesn't make sense, and that the "heightened security alert"... "will change soon". They informed me that most of their job lately has been following up with photographers who take photos in the port complex. They also informed me that they try their best to inform private security guards how to deal with confrontations with photographers, and that most of the guards have a bit of a skewed view on what's legal (oh my god this is true), and they're trying to correct that. They have had to correct guards who have insisted that photos be erased, or worse, have confiscated equipment in the name of homeland security. This doesn't help anybody, and makes their jobs harder.

Read the full story on the iStockPhoto forums.

Next, from someone taking photos of the Red Line, amazingly enough also in Los Angeles.

Well last week here in Los Angeles, I was waiting to board the redline (subway) and snapped a picture with my cell phone camera. Not the best picture in the world, but I was just putzing around, waiting for the train, holding a quizno's to-go bag. Almost immediately, a vest wearing man with METRO emblazoned on his back who had been mopping the area nearby rushed up to me and the exchange went something like this:
Him: Hey! It's against the 9-11 Law to take pictures down here man!
Me: You mean the Patriot Act?
Him: No pictures.
Me: Could you explain? What law do you mean?
Him: You are lawyer?
Me: No.
Him: No pictures. You could be a terrorist. Very strict!
Me: How about I take a picture of you?
Him: F**k you...(I couldn't believe it either)

Read the full story on Keith's MySpace blog.


Almost Arrested for Taking Photos at Union Station

Don't try to take hi-res photos at Union Station, even if you do work for NPR.

Then the security guard returned. She informed us that we would have to cease taking pictures immediately and leave. I asked what the problem was, and she said that this is a private space, and we didn't have permission from management to take pictures. I told her that we were testing equipment for potential use by NPR, showed them our press passes, and noted there were plenty of other people walking around with cameras. She seemed sympathetic to our position, but said she was relaying orders she'd received from someone higher up. I asked if we could speak with them, then twittered it:

Just got told by security to leave. Asked to speak with a supervisor to explain why we can't take pictures at union station.

Then it gets more bizarre.

Throughout the conversation, which I should point out was conducted in a cordial, but firm tone, we received mixed messages from the security guards. One told us the problem was that we were using a tripod, while another insisted it was because we had "that thing" on top of our tripod. They then changed the story again, and said that journalists couldn't take pictures without permission from management, and that Union Station is a private space run by a private company, not a public space. They never gave us an answer as to why we were first allowed to take photos in the first location, but could not do the same here.

Read the full story on Andy Carvin's Waste of Bandwidth.


Tuesday, May 13, 2008

Millimeter Wave

Here's the next stage in airport security:

Millimeter Wave images

According to the TSA:

I venture to say, Mikhail Baryshnikov may have exposed more in his ballet costume than this robotic image portrays. Why did we decide to put them up now? Because you've asked for it...Hopefully the editors of Reader's Digest will consider these for their next cover.

Read more at the Evolution of Security blog.


Tuesday, February 19, 2008

Security: Unclear on the Concept

I recently accepted SallieMae's constant suggestions that I should switch to receiving all of their communications via e-mail instead of paper mail. (I was holding out for a small decrease in my outstanding debt, since I'd be saving them a lot in postage over the next 15 years, but we never did see eye to eye on that one.) Anyway, today I received my first "official" e-communication from them. It was a simple e-mail telling me that my account had been updated and my new bill was available for viewing on their Web site. So far, so good.

Attached was a 48k PDF file. Using Outlook 2007 I clicked on the attachment to preview it. This failed for an unspecified reason. So, I double-clicked the attached file to open it in Adobe Reader. At this point I was prompted for a password. I drew a blank. But then something made me try my Social Security Number as the password and voilà, the document opened. It was the exact same text that was in the body of the e-mail message, but this one was on SallieMae letterhead.

WTF? Either send me something that deserves to be behind a password or don't. Don't send me text "protected" by a password that's also being sent in the clear in a standard unsecured e-mail message.

SallieMae, just what point are you trying to make here?


Monday, September 10, 2007

The unintended consequences of large-scale storage

Jeff Atwood over at Coding Horror has posted about something called Rainbow Tables. Now, I don't want to turn this blog into a discussion of encryption so let me boil it down for you.

Windows passwords are stored in an encrypted format known as "hashes". When you enter your password, Windows encrypts it for you and compares it to the stored hashed version. If it matches, you're let in. If it doesn't, you're not. There's no way to decrypt the hashed version of your password in any reasonable amount of time, if at all, and it is therefore considered a secure method of storage.

The problem now is that you can get a database of pre-hashed content. Known as rainbow tables, these are basically a table with just two columns: in the first, a word (or other combination of letters), and in the second, the matching hash. Now, if you have a hash, you can look it up in the table and see what the original password is. In other words, it's not decrypting the hash; it's hashing all possible passwords in advance.

This is such a simple hack. So, why is it coming to light now? Well, the problem is large-scale portable storage. In the past, tables such as these were considered too big to bring to the computer you're trying to hack. But these days, a 1GB flash drive would allow you to carry a rainbow table that covered all conceivable passwords between one and 14 characters in length, containing just English letters. Here's Jeff's chart showing example storage requirements:

Rainbow Table storage requirements

If you're not worried about a Rainbow Table measuring 64GB, I've got a 500GB portable USB hard drive I'd like to show you.

Here's the bottom line, in Jeff's example, the password "Fgpyyih804423" (one that's probably a hell of a lot stronger than any password you use) was broken in just 160 seconds using a rainbow table.
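To make the two-column table described above concrete, here is an added example (my own illustration, not code from Jeff's post or from any rainbow-table tool). It uses SHA-256 as a stand-in for the Windows password hash and a constructed five-word list, builds the hash-to-word table in advance, and shows that a stolen unsalted hash is answered by a single dictionary lookup. It then shows the standard mitigation the post does not get to: a random per-account salt stored next to the hash, which makes every precomputed table useless because the same password no longer hashes to the same value. A real rainbow table compresses this two-column table into chains with reduction functions, which is what gets it onto a 64GB drive; the lookup idea is the same.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample wordlist: the "first column" of the table.
WORDLIST = ["password", "letmein", "Summer08", "library1", "Fgpyyih804423"]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hex SHA-256 of salt || password. SHA-256 stands in here for the
    Windows hash the post talks about; the table/lookup logic is identical."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> word for every candidate. This is the two-column
    table the post describes, built once and carried around on disk."""
    return {hash_password(w): w for w in words}


def lookup(table: Dict[str, str], stolen_hash: str) -> Optional[str]:
    """Recovering a password is now a dictionary lookup, not a computation."""
    return table.get(stolen_hash)


def store_salted(password: str) -> Tuple[str, str]:
    """Defender side: pick a random 16-byte salt per account and store it
    beside the hash. The salt is not secret; it only has to be unique."""
    salt = os.urandom(16)
    return salt.hex(), hash_password(password, salt)


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Recompute with the stored salt; constant-time compare to avoid
    leaking how many leading hex digits matched."""
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hash)


def demo(password: str = "Fgpyyih804423") -> Tuple[Optional[str], Optional[str], bool]:
    """Returns (unsalted lookup result, salted lookup result, salted verify ok)."""
    table = build_lookup_table(WORDLIST)

    # Unsalted: the precomputed table answers immediately.
    found_unsalted = lookup(table, hash_password(password))

    # Salted: the same table knows nothing about salt||password, so no hit,
    # yet the legitimate login still verifies with the stored salt.
    salt_hex, salted_hash = store_salted(password)
    found_salted = lookup(table, salted_hash)
    login_ok = verify_salted(password, salt_hex, salted_hash)
    return found_unsalted, found_salted, login_ok


if __name__ == "__main__":
    unsalted, salted, ok = demo()
    print("unsalted hash recovered as:", unsalted)      # 'Fgpyyih804423'
    print("salted hash recovered as:  ", salted)        # None
    print("salted login still verifies:", ok)           # True
```

The salt does nothing to slow down a guess at one account; it only destroys the "hash once, look up everywhere" economics the post describes, because an attacker would need a separate 64GB table for every salt value. Slow hashes (bcrypt, scrypt, PBKDF2) are the complementary fix for the per-account brute force that remains.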
