Science Addiction

A dormant blog by Devanshu Mehta

Tag: Security

“Grey Hat” Guide: To Disclose or Not to Disclose

Jennifer Granick, Civil Liberties Directory at the Electronic Frontier Foundation is putting together a “Grey Hat” guide for security researchers. The problem, says Granick, is that the law has been a real obstacle to solving vulnerabilities.

The muddy nature of the laws that regulate computers and code, coupled with a series of abusive lawsuits, gives researchers real reason to worry that they might be sued if they publish their research or go straight to the affected vendor. By reporting the security flaw, the researcher reveals that she may have committed unlawful activity, which might invite a lawsuit or criminal investigation. On the other hand, withholding information means a potentially serious security flaw may go unremedied.

The guide seems to be a work-in-progress and Granick has solicited constructive feedback.

Change Watch: ACLU’s Wish List

Like I said earlier, everybody’s got a wish list for the new President. Not everyone provides a timetable the way the ACLU has.

They divide up their “Actions for Restoring America” in to things to do on the first day, the first 100 days and the first year. The first day includes things like stopping torture, closing Guantanamo, and ending extraordinary renditions. The next 99 days are more interesting from a geek policy standpoint.constvoter_button2.gif

  • Warrantless Spying: Yeah, no kidding. ACLU wants an executive order recognizing the president’s obligation to comply with FISA and prohibiting the NSA from warrantless spying. Hurray!
  • Freedom of Information Act: Under something called the “Ashcroft Doctrine”, the current administration chose not to release info for all FOIA requests if there was a “sound legal basis”. Translation: if we say so. The ACLU wants that to go away.
  • Real ID: They want Homeland Security to suspend the regulations for the Real ID Act- again, hurray if it happens.
  • Scientific Freedom: To remove political control of scientific and academic inquiry.
  • Media Consolidation: To urge the FCC to address the growing problem of media consolidation. I’m not sure what the FCC can do (other than reverse its rule loosening cross-media ownership), but it’s a noble goal.
  • Network Neutrality: To mold the FCC to enforce these principles. This was part of Obama’s technology policy paper, but it remains to be seen how much he involves government in enforcing it.
  • Online Censorship of Soldiers: “Those who would fight and die to defend our freedoms abroad should not be denied those same rights themselves.” Well said.
  • Fleeting Expletives: At times over the past 5 years it has seemed that the only purpose of the FCC has been to make sure that anyone who says a naughty word on television gets fined in to oblivion.
  • World Intellectual Property Organization: The negotiations that the US has had with WIPO have been restrictive of free speech and fair use of data. Must change.

All valid points. What remains to be seen is how much of a priority these concerns remain in such harsh economic times. In some cases, making the right kind of appointments to FCC and other positions should take care of concerns.

Until inauguration day on the 20th of January, I will be covering some of the aspects of the transition to the Obama administration that affect technology and open government in a series called Change Watch.

EFF Challenges Constitutionality of Telecom Immunity in Federal Court

nsa_logo

No Such Agency...

EFF, fighting the good fight-

The Electronic Frontier Foundation (EFF) Thursday challenged the constitutionality of a law aimed at granting retroactive immunity to telecommunications companies that participated in the president’s illegal domestic wiretapping program.

In a brief filed in the U.S. District Court in San Francisco, EFF argues that the flawed FISA Amendments Act (FAA) violates the federal government’s separation of powers as established in the Constitution and robs innocent telecom customers of their rights without due process of law. Signed into law earlier this year, the FAA allows for the dismissal of the lawsuits over the telecoms’ participation in the warrantless surveillance program if the government secretly certifies to the court that either the surveillance did not occur, was legal, or was authorized by the president. Attorney General Michael Mukasey filed that classified certification with the court last month.

The constitutional challenge is set to be heard on December 2. EFF has more information on the NSA spying issue.

Faulty Avionics Caused Qantas Jet Dive- not Wireless Mouse!

Turns out it wasn’t a random passenger clicking in morse code that caused the Qantas jet to dive [via BBC]:

The ATSB said its inquiries had found a fault in a computer unit that detects the angle at which the plane is flying.

Somehow I’d suspected it wouldn’t be consumer electronics. Of course, the fact that they even considered it means that something is wrong.

More on Wireless Devicess on Airplanes

Yesterdays story about Australian officials blaming a wireless mouse and other consumer electronics for severe problems in their avionics left me very confused. Either they were looking for an easy scapegoat or there is something seriously wrong with airline security.

In 2004, the FCC was considering lifting the ban on wireless devices in airplanes. However, in March of 2007 the FCC terminated that effort. This was their statement:

Federal Communications Commission (FCC) rules prohibit the use of cellular phones using the 800 MHz frequency and other wireless devices on airborne aircraft. This ban was put in place because of potential interference to wireless networks on the ground. [...]

The FCC determined that the technical information provided by interested parties in response to the proposal was insufficient to determine whether in-flight use of wireless devices on aircraft could cause harmful interference to wireless networks on the ground. Therefore, it decided at this time to make no changes in the rules prohibiting in-flight use of such devices.

The question is- in an environment where 4 ounces of liquid are deemed unsafe for travel, you would think the heavy-handed TSA would have banned cell phones and wireless mice a long time ago.

I’m not suggesting that they do that- in fact, I want someone to call Qantas and the Australian Transport Safety Board’s bluff. Or prove them right and take the entire airline industry down- because which suit wants to travel without their cell phone, laptop or PDA?

(Also: Scienceline investigates why you have to turn off your iPod at take off and landing.)

With Us or Against Us

You’re either with us or against us [via Schneier]:

The Maryland State Police classified 53 nonviolent activists as terrorists and entered their names and personal information into state and federal databases that track terrorism suspects, the state police chief acknowledged yesterday. [...]

Both Hutchins and Sheridan said the activists’ names were entered into the state police database as terrorists partly because the software offered limited options for classifying entries.

Bruce Schneier, who is generally the most sound source on these matters, says that “the database needs more nuance”. I say, the database doesn’t need to classify nonviolent activists at all! Included in these lists were people who belonged to groups opposing the Iraq war and groups opposing the death penalty. Reminds me of a question they have on the USCIS form you fill out to apply for naturalization [pdf] here in the United States:

Have you ever been a member of or associated with any organization, association, fund, foundation, party, club, society or similar group in the United States or in any other place?

Errr.. hasn’t everyone?

Track Your Stolen Laptop for Free

Researchers at the University of Washington and University of California, San Diego have released a free and open source software called Adeona. It tracks your stolen or lost laptop without relying on proprietary or centralized software or databases. And unlike commercial services, it preserves the privacy of the user- it uses cryptography mechanisms so that only the user has access to the laptop location information.

Adeona is designed to use the Open Source OpenDHT distributed storage service to store location updates sent by a small software client installed on an owner’s laptop. The client continually monitors the current location of the laptop, gathering information (such as IP addresses and local network topology) that can be used to identify its current location. The client then uses strong cryptographic mechanisms to not only encrypt the location data, but also ensure that the ciphertexts stored within OpenDHT are anonymous and unlinkable. At the same time, it is easy for an owner to retrieve location information.

It is licensed under GPLv2, and is available for Linux, Mac OS X and Windows. Like Lojack for cars, simply the prevalence of such software can serve as a deterrent for casual theft. A determined thief can replace the operating system before using (or selling) it, but a lot of consumer electronics theft is casual and opportunistic.

Coming Soon: Terrorist Armed with a Wireless Mouse

There is something wrong with this report, though I’m not sure what it is:

Passenger laptop computers are now being investigated as a possible cause of the Qantas mid-air emergency off Western Australia on Tuesday.

The Airbus A330-300, with 303 passengers and a crew of 10, experienced what the airline described as a “sudden change in altitude” north of its destination on Tuesday.

The mid-air incident resulted in injuries to 74 people, with 51 of them treated by three hospitals in Perth for fractures, lacerations and suspected spinal injuries when the flight bound from Singapore to Perth had a dramatic drop in altitude that hurled passengers around the cabin.

In July, a passenger clicking on a wireless mouse mid-flight was blamed for causing a Qantas jet to be thrown off course, according to the Australian Transport Safety Bureau’s monthly report.

Can modern airplane electronics be so dramatically affected by wireless mice and laptops? If so, the airline industry is doomed- forget about taking off your shoes and all your 3oz liquid bottles in little ziploc baggies. The real threat is in every business traveler’s carry-on luggage.

Of course, there is something wrong here. I am not quite sure what- but either the Australian Transportation Safety Bureau is looking for an easy scapegoat or there is a gaping security hole in our airlines that should be bigger news. I’m guessing it’s the former.

There is some interesting discussion in this slashdot thread, including the following from “pla”:

This has nothing to do with “I want to use my laptop/DS/phone, so make me happy as the paying customer”, and everything to do with “if an unauthorized wireless mouse can bring down a plane, we need the entire fleet of such badly defective planes grounded and fixed yesterday“.

Seriously. Any system that can’t deal with weak RF interference needs to hit the scrapheap. In any other industry, we’d see the customers suing – Imagine if Ford said using a bluetooth headset in their vehicles violates your warranty… They’d go bankrupt overnight. Only the fact that the aviation industry has slowly boiled the frog, making us expect horrible customer service at unpredictable (but high) prices, allows any of the BS we’ve put up with for the past 20 years (and the shout-and-taze squads aside, the airlines had problems long before 9/11).

Well said.

UPDATE: A little more info from the FCC. Still doesn’t resolve anything.

UPDATE #2: Turns out it was faulty avionics, not passenger laptops, that caused the dive. No kidding.

Airport Security Checkpoint: For Kids!

Is your child growing up with false hope? Never fear, Playmobil has just the toy for you:

From the Manufacturer: The traveler hands her spare change and watch to the security guard and proceeds through the metal detector. With no time to spare, she picks up her luggage and hurries to board her flight!

Presenting, the Playmobil Security Check Point- so your child can fantasize about a police-state before living in one. If your lucky, maybe she can run it! Of course, the best part are the reviews:

I was a little disappointed when I first bought this item, because the functionality is limited. My 5 year old son pointed out that the passenger’s shoes cannot be removed. Then, we placed a deadly fingernail file underneath the passenger’s scarf, and neither the detector doorway nor the security wand picked it up. My son said “that’s the worst security ever!”. But it turned out to be okay, because when the passenger got on the Playmobil B757 and tried to hijack it, she was mobbed by a couple of other heroic passengers, who only sustained minor injuries in the scuffle, which were treated at the Playmobil Hospital.

The best thing about this product is that it teaches kids about the realities of living in a high-surveillence society. My son said he wants the Playmobil Neighborhood Surveillence System set for Christmas. I’ve heard that the CC TV cameras on that thing are pretty worthless in terms of quality and motion detection, so I think I’ll get him the Playmobil Abu-Gharib Interogation Set instead (it comes with a cute little memo from George Bush).

Of course, remind your kid to leave the set at home the next time you travel. Never know what will happen if the authorities find a detailed model of their awesome security system in your luggage.

(via Schneier and Threat Level)

First: An Ode to the TSA

I created this video on a whim. I call it: “First, They Came for the Box Cutters”

Follow

Get every new post delivered to your Inbox.