Archive for the ‘Security’ Category
As it turns out, the scanners are actually pretty easy to fool.
On Thursday, security researchers from UC San Diego, the University of Michigan, and Johns Hopkins presented results from a months-long study that show how someone can hide weapons from the scanners through a number of simple tricks. From using Teflon tape to cover an object or just strategic placement of an object around the body, to more cunning approaches like installing malware onto the scanner’s console, a person could get away with a concealed weapon or explosive with little trouble.
Although the scanners the researchers tested – the Rapiscan Secure 1000 machines – haven’t been used in airports since 2013, they are still widely used in federal buildings like jails and courthouses. It cost taxpayers over $1 billion to have them installed in more than 160 airports.
Wired has more details on the study. One of the more striking aspects is how the researchers approached their testing, which differs from past experiments:
Unlike others who have made claims about vulnerabilities in full body scanner technology, the team of university researchers conducted their tests on an actual Rapiscan Secure 1000 system they purchased on eBay. They tried smuggling a variety of weapons through that scanner, and found—as [blogger Jonathan] Corbett did—that taping a gun to the side of a person’s body or sewing it to his pant leg hid its metal components against the scan’s black background. For that trick, only fully metal guns worked; an AR-15 was spotted due to its non-metal components, the researchers report, while a .380 ACP was nearly invisible. They also taped a folding knife to a person’s lower back with a thick layer of Teflon tape, which they say completely masked it in the scan.
John Napier Tye is speaking out to warn Americans about illegal spying. The former State Department official, who served in the Obama administration from 2011 to 2014, declared Friday that ongoing NSA surveillance abuses are taking place under the auspices of Executive Order 12333, which came into being in 1981, before the era of digital communications, but is being used to collect them promiscuously. Tye alleges that the Obama administration has been violating the Constitution with scant oversight from Congress or the judiciary.
“The order as used today threatens our democracy,” he wrote in The Washington Post. “I am coming forward because I think Americans deserve an honest answer to the simple question: What kind of data is the NSA collecting on millions, or hundreds of millions, of Americans?”
Executive Order 12333 is old news to national-security insiders and the journalists who cover them, but is largely unknown to the American public, in part because officials have a perverse institutional incentive to obscure its role. But some insiders are troubled by such affronts to representative democracy. A tiny subset screw up the courage to inform their fellow citizens.
Tye is but the latest surveillance whistleblower, though he took pains to distinguish himself from Snowden and his approach to dissent. “Before I left the State Department, I filed a complaint with the department’s inspector general, arguing that the current system of collection and storage of communications by U.S. persons under Executive Order 12333 violates the Fourth Amendment, which prohibits unreasonable searches and seizures,” Tye explained. “I have also brought my complaint to the House and Senate intelligence committees and to the inspector general of the NSA.”
Cockroaches are some of the most resilient creatures on earth. They can live for 45 minutes without air and over a month without food. Cutting their heads off won’t even kill them—at least not immediately. Their bodies can live on for several days without their heads.
Now, a team of open source developers wants to make it easier for just about any company to build the sort of resilient cloud computing systems that run online empires like Google. They call their project CockroachDB, billing it as a database with some serious staying power. That may sound like an odd name for a piece of software, but co-creator Spencer Kimball—a former Google engineer—says it’s only appropriate. “The name is representative of its two most important qualities: survivability, of course, and the ability to spread to the available hardware in an almost autonomous sense.”
Like so many other open source projects designed to drive large online operations, CockroachDB is based on ideas published in a Google research paper, in this case a detailed description of a massive system called Spanner. Spanner is a sweeping software creation that could eventually allow Google to spread data across millions of computer servers in hundreds of data centers across the world, and it took Google over five years to build. Even with Google’s research paper in hand, the CockroachDB coders still have their work cut out for them. But it’s a noble ambition.
At the Symposium on Usable Privacy and Security today, Stuart Schechter and Joseph Bonneau plan to reveal an experiment they designed to teach people to remember very strong, random passwords. With their process, which took a total of 12 minutes of users’ time on average, about nine out of 10 test subjects were able to remember a 56-bit password or passphrase–one for which a hacker would have to try quadrillions of guesses to successfully crack the secret.
“Our goal was to show that there’s a big dimension of human memory that hasn’t been explored with passwords,” says Bonneau, a fellow at Princeton’s Center For Information Technology Policy. “They may seem hard to remember up front. But if you’re given the right training and reminders, you can memorize almost anything.”
Schechter and Bonneau recruited hundreds of test subjects from Amazon’s Mechanical Turk crowdsourcing platform and paid them to take a phony series of attention tests. What they were really studying was how users logged in to those tests. Every time the login screen appeared, the user would be prompted to type in a series of words or letters shown on the screen. Over time that string of characters took increasingly long to appear, prompting the user to enter it from memory before the hint arrived. More letters and words were added to it over time: after 10 days of testing, the user was required to enter a series of 12 random letters or six random words–for example, “rlhczwpsnffp” or “hem trial one by sky group”–to start the test.
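The two secrets quoted above both carry roughly 56 bits of entropy, and the training trick is to reveal the secret in growing pieces with a growing delay. The script below is an added illustration, not code from the study or from Schechter and Bonneau: it shows why 12 uniformly random lowercase letters reach 56 bits, how large a wordlist a six-word passphrase needs to match that (a hypothetical 676-word list, chosen here because 26^2 makes the arithmetic exact), generates such secrets with the OS CSPRNG, and models a staged-reveal schedule. The chunk size, the number of logins per added chunk and the half-second delay step are assumptions of this example, not the parameters of the real experiment.

```python
import math
import secrets
import string

LETTERS = string.ascii_lowercase  # 26 symbols, about 4.70 bits each


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly at random: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which a uniform draw reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_letters(length: int) -> str:
    """Uniform random lowercase string from the CSPRNG in `secrets` (never `random`)."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))


def random_passphrase(wordlist, n_words: int) -> str:
    """Uniform random passphrase; strength depends on len(wordlist) ** n_words."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def chunk(secret: str, size: int):
    """Split a secret into fixed-size pieces so it can be revealed gradually."""
    return [secret[i:i + size] for i in range(0, len(secret), size)]


def reveal_schedule(login_index: int, total_chunks: int,
                    logins_per_chunk: int = 3, delay_step: float = 0.5):
    """Hypothetical staged-reveal schedule (an assumption of this example).

    Returns (chunks_shown, hint_delay_seconds) for the 0-based login_index:
    one more chunk is added every `logins_per_chunk` successful logins, and the
    on-screen hint is delayed a little longer each time so the user is nudged to
    type from memory before the hint appears.
    """
    chunks_shown = min(total_chunks, 1 + login_index // logins_per_chunk)
    hint_delay = delay_step * login_index
    return chunks_shown, hint_delay


def prompt_for(secret: str, login_index: int, chunk_size: int = 3):
    """What the login screen would require at this login, and how long to delay the hint."""
    pieces = chunk(secret, chunk_size)
    shown, delay = reveal_schedule(login_index, len(pieces))
    return "".join(pieces[:shown]), delay


if __name__ == "__main__":
    # Constructed wordlist stand-in: a real list would need ~676 distinct words.
    demo_words = ["hem", "trial", "one", "by", "sky", "group"]
    print(f"12 letters: {entropy_bits(26, 12):.1f} bits")
    print(f"letters needed for 56 bits: {length_for_bits(26, 56)}")
    print(f"words needed for 56 bits from a 676-word list: {length_for_bits(676, 56)}")
    print("example letter secret:", random_letters(12))
    print("example passphrase (weak: tiny demo list):", random_passphrase(demo_words, 6))
    for login in (0, 4, 11):
        print(login, prompt_for("rlhczwpsnffp", login))
```

The numbers are the point: 26 symbols give 4.70 bits per letter, so 12 letters is the first length past 56 bits, while six words only match that when each word is drawn from roughly 650 or more alternatives; the six-word demo list above is far too small and is there only to show the interface.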
James Varney of the Times-Picayune in New Orleans stayed at the Hyatt Place hotel in Riverhead, NY. He tried to look at the Drudge Report, but was blocked from doing so by his hotel’s internet connection.
In fact, he tried looking at a number of conservative websites, including Powerline and Instapundit. They too were blocked. He then tried a number of liberal websites from Talking Points Memo to DailyKos. None of them had access problems.
His hotel, Hyatt Place, uses Uniguest to connect its guests to the internet.
Digging deeper, I contacted the good people of Uniguest. A cheery online chatter at their corporate website praised my question as a very good one, asked for my e-mail so he could run it up the corporate flagpole and I await that response.
I also spent some time on the phone with Hyatt representatives. Well, most of that time was on hold, actually, but I did eventually get two bright, human voices. Both of them assured me no political line was being enforced.
Neither of them knew for sure, but they were quite certain it was all a matter of security – it was viruses and malware that prompted the warnings and kickoffs, not a point of view.
Federal officials can’t resolve 85 percent of 2.9 million “inconsistencies” on applications for ObamaCare even after nine months of trying, according to new data provided by the administration.
Most of the problems involve certifying citizenship and income, key components of the national health plan.
But some of the problems are downright nutty.
One unidentified state-run marketplace cited situations in which infants and young children were “erroneously identified as incarcerated, according to federal data,” the inspector general for the Health and Human Services Department revealed Tuesday.
Just 425,000 problematic applications have been resolved out of 2.9 million that states and the federal exchange reported, the Centers for Medicare and Medicaid Services told The Post.
Only citizens are eligible for ObamaCare, and only people at certain income levels are eligible for tax credits and subsidies.
But in 77 percent of the applications under scrutiny, federal records differed from what applicants submitted on those two key qualifications.
The CMS responded that the agency is “committed to verifying the eligibility of consumers who apply for enrollment in qualified plans.”
Snarky Lawmaker Reminds Former NSA Chief That Selling State Secrets Is Illegal
Gen. Keith Alexander, the former head of the NSA and U.S. Cyber Command, has launched the consulting firm IronNet Cybersecurity. It also may explain why a congressman has reminded the former spy that selling top secret info is a crime.
To capitalize on his recent departure from military intelligence—Alexander resigned in March following months of revelations by NSA whistleblower Edward Snowden—the general is offering his security expertise to the banking industry for the fire sale price of $600,000 per month after first asking for $1 million. There are threats everywhere, Alexander warns, and “It would be devastating if one of our major banks was hit, because they’re so interconnected.”
That may be, but Rep. Alan Grayson (D-Florida) is suspicious that Alexander has anything useful to offer at that price—unless, that is, he’s peddling national security secrets.
In letters sent Wednesday (.pdf) to the Securities Industry and Financial Markets Association, the Consumer Bankers Association, the Financial Services Roundtable and the Clearing House—all of which Alexander reportedly has approached about his services—Grayson made it clear to Alexander and those who might retain him that selling classified information is illegal.
Lois Lerner: Lerner was the Washington-based head of the IRS Exempt Organizations division until her recent resignation. Lerner and her attorney husband Michael Miles live on a $2.4 million property in Bethesda, Maryland.
Nikole Flax, former chief of staff to IRS commissioner Steven Miller: Flax was a busy bureaucrat during her tenure at the IRS, where she worked for Lerner in the exempt organizations division among other roles. Flax made 31 visits to the White House between July 12, 2010 and May 8, 2013, according to White House visitor logs.
Michelle Eldridge, IRS national media relations chief: This 23-year IRS veteran was tasked with defending the IRS when it came under scrutiny in 2012 for whistleblower reprisal from its inspector general.
The Internal Revenue Service (IRS) cancelled its longtime relationship with an email-storage contractor just weeks after ex-IRS official Lois Lerner’s computer crashed and shortly before other IRS officials’ computers allegedly crashed.
The IRS signed a contract with Sonasoft, an email-archiving company based in San Jose, California, each year from 2005 to 2010. The company, which partners with Microsoft and counts The New York Times among its clients, claims in its company slogans that it provides “Email Archiving Done Right” and “Point-Click Recovery.” Sonasoft in 2009 tweeted, “If the IRS uses Sonasoft products to backup their servers why wouldn’t you choose them to protect your servers?”
Sonasoft was providing “automatic data processing” services for the IRS throughout the January 2009 to April 2011 period in which Lerner sent her missing emails.
But Sonasoft’s six-year business relationship with the IRS came to an abrupt end at the close of fiscal year 2011, as congressional investigators began looking into the IRS conservative targeting scandal and IRS employees’ computers started crashing left and right.
IRS commissioner: You know, e-mail isn’t necessarily an “official record”; Update: IRS Manual says it is
In discussing document retention at the IRS, it is important to point out that our email system is not being used as an electronic record keeping system. Furthermore, it should be remembered that not all emails on IRS servers or backup tapes qualify as an “official record,” which is defined (in 44 U.S.C. 3301) as any documentary material made or received by an agency under federal law or in connection with the transaction of public business and appropriate for preservation. Accordingly, our agency’s email system is not designed to preserve email. Rather, email that qualifies as a “record” is printed and retained in compliance with relevant records control schedules. Individual employees are responsible for ensuring that any email in their possession that qualifies as a “record” is retained in accordance with the requirements in the Internal Revenue Manual and Document 12990 (Record Control Schedules).
That’s an odd argument to make, since federal law on record retention in other contexts explicitly requires others to retain e-mail data as a record-keeping device. Earlier, I wrote about that at The Week:
The claim that the IRS recycles its backup tapes every six months is equally ludicrous. The federal government has more strict expectations for publicly held corporations. Sarbanes-Oxley regulations passed more than a decade ago specifically require retention of email data for five years, and make the kind of destruction claimed by the IRS in this instance a crime punishable by 20 years in prison.
The IRS claim raised eyebrows at the National Archives and Records Administration, which is tasked with preserving important federal records, calling itself “concerned” that a hard drive failure would wipe out two years’ worth of what should be permanent records. The IRS’s own manual made it clear that the storage of email was important enough to have permanent backups of their data. “IRS offices will not store the official recordkeeping copy of email messages that are federal records ONLY on the electronic mail system,” and even went so far as to require hard copies “for record-keeping purposes.”
The issue isn’t that some things should be kept in hard copy; it’s that the electronic copy of all e-mail is supposed to be retained for a much longer period, as well as storing important records by hard copy. That’s certainly the expectation that the federal government has of us.
Oh. Wait. That comes under the DOJ, and the head of the Department of Justice is none other than Eric Holder. Never mind. Move along. Nothing to see here…. Disgusting.