stories filed under: "security"
TSA Agents Caught Stealing From Passengers & Helping Subordinates Steal As Well
from the feeling-safer? dept
jsl4980 alerts us to a TSA supervisor who has now admitted to regularly stealing from passengers at his security checkpoint at Newark airport. Not only that, but at least one subordinate also stole from passengers, and the supervisor knew about it -- just requiring a kickback of some of the stolen loot to keep quiet. Over the course of about a year, they stole somewhere between $10,000 and $30,000 from passengers. Feeling safer about flying yet?
And, it turns out that's not the only such situation. Another article points out that some TSA agents at nearby JFK airport were able to steal approximately $160,000, including $39,000 from a single passenger. Nice to see that these are the people supposedly "protecting" us from those who wish to do us harm...
82-Year-Old Cancer Survivor Demands Apology From Airport Security Over Screening
from the threat-assessment dept
This isn't a TSA story, since it takes place up in Canada, but it involves the Canadian equivalent, who apparently had a bit of trouble dealing with an 82-year-old woman who had a (gel-filled) prosthetic breast to replace the one she lost in a mastectomy due to breast cancer. By failing to alert them to this "gel" on her body, she was later accused of lying to officials. She was also put through one of the lovely new full body scanner machines, in which passengers are required to lift their hands above their head. The problem? This woman is no longer able to do so. Rather than understanding this, security officials told her she had to. She then tried to lift her left arm with her right arm, and again security told her she was not allowed to do that. At this point she broke down and started crying. Eventually, security did let her get on the plane, but you have to ask what exactly they accomplished here in embarrassing this woman and making her cry.
Filed Under: airport search, canada, privacy, security
Bulgarian Security/Cybercrime Researcher Missing For Months
from the uh-oh dept
This one's a bit scary. Security and cybercrime researcher Dancho Danchev, who has blogged about organized crime and online terrorist activities, has apparently been missing since September. ZDNet, where he sometimes blogged, has published a notice asking for help tracking him down, and publishing an email he sent shortly before he disappeared. That email included photos of a device he found planted in his bathroom, that he believed was from Bulgarian intelligence services. ZDNet has been trying to reach him for months -- and recently received information from a source in Bulgaria that Danchev is alive "but he's in a lot of trouble."
Filed Under: bulgaria, crime, cybersecurity, dancho danchev, security
Financial Industry Favors Security Through Obscurity; Demands Cambridge Censor Paper Detailing Weaknesses
from the that'll-work dept
The chip and PIN system that is used for financial transactions throughout large parts of Europe and Canada (still surprised that it hasn't really come to the US...) has numerous vulnerabilities that have been detailed over the years. In the past year alone, there have been a number of problems and weaknesses highlighted with the system. Apparently, the financial industry isn't happy about this, but rather than fixing the problems it's reacting in the usual way: going after the messenger. Slashdot points us to the news that the UK Cards Association -- a trade group representing banks and credit card companies -- has asked Cambridge researchers to remove a thesis which highlights some of the vulnerabilities.
You can see the demand letter embedded below, but it's fairly amusing. The letter claims that the publication (which you can read about on the author's (Omar Choudary) website, where he describes a device for intercepting, monitoring and modifying such data) "oversteps the boundaries of what constitutes responsible disclosure." In other words, they're not happy about it, so Cambridge should force the student to shut up. Of course, what's amusing is that after chiding Cambridge University for such irresponsible publishing, the Association then tries to downplay the significance of the whole thing anyway:
Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry's fraud prevention systems would be able to detect when such an attack had happened.
So why take it down?
Nevertheless, publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them and/or give organised crime access to material they might be able to develop further.
This, of course, is the very definition of an organization that thinks security through obscurity works. The thing is, if these students figured out these problems, it's pretty damn likely that organized crime already had figured out the same thing and probably have already developed the idea much further. Pretending otherwise is simply naive.
The UK Cards Association then goes on to lecture Cambridge University on its standards of what should be considered publishable, and worries about "future research." The response from Ross Anderson at Cambridge (linked above) is pretty straightforward, basically saying, yes, you absolutely should be worried about it:
The bankers also fret that "future research, which may potentially be more damaging, may also be published in this level of detail". Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that's been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!
A note to the financial industry: perhaps instead of worrying about student papers, you should worry about a system that is vulnerable to so many problems.
Filed Under: banks, cambridge, chip and pin, credit cards, obscurity, security, uk
TSA Punishes Pilot For Videotaping Security Problems At Airports
from the brushing-problems-under-the-rug dept
BackPackAdam alerts us to the news that a pilot in California is being disciplined by the TSA because he dared to film a video highlighting problems with security at San Francisco International Airport (SFO). The pilot himself was a Flight Deck Officer (FDO) and authorized to carry a gun on board of flights... but within days of him posting the videos to YouTube, he was met by four federal air marshals and two sheriff's deputies at his house, who ordered him to hand over his gun and to hand over his state-issued permit to carry a concealed weapon. He has since been informed that the TSA is reviewing his situation for possible disciplinary measures.
Filed Under: discipline, pilot, security, tsa
Companies: tsa
New Research Shows How Easy It Is To Get Weapons Or Explosives Past Backscatter X-Rays
from the feeling-safer? dept
We've heard the various stories of folks getting weapons past the TSA's new scanners -- such as Adam Savage's famous video from earlier this year, or the more recent report of a guy getting past the scanners with a 6" hunting knife. Both of those stories appeared to just be about the bag scanners missing stuff on the conveyor belt. But what about the new backscatter x-ray machines? Well, Jay points us to some new research by two UCSF professors that indicates getting dangerous weapons or explosives past the new machines isn't that hard. They look at how the machines work and the various images currently out there, as well as their understanding of x-ray technology, and point out that since the x-rays need to pass through your body, if you flattened out some plastic explosives, they probably won't be noticed, or if you just put the weapon on your side the new machines probably won't spot them:
It is very likely that a large (15–20 cm in diameter), irregularly-shaped, cm-thick pancake with beveled edges, taped to the abdomen, would be invisible to this technology, ironically, because of its large volume, since it is easily confused with normal anatomy. Thus, a third of a kilo of PETN, easily picked up in a competent pat down, would be missed by backscatter "high technology". Forty grams of PETN, a purportedly dangerous amount, would fit in a 1.25 mm-thick pancake of the dimensions simulated here and be virtually invisible. Packed in a compact mode, say, a 1 cm×4 cm×5 cm brick, it would be detected.
Feeling safer? Once again, this isn't to say that there shouldn't be a security screening process, but if we have to go through all this trouble, shouldn't we at least have a system that is at least somewhat effective?
The images are very sensitive to the presence of large pieces of high Z material, e. g., iron, but unless the spatial resolution is good, thin wires will be missed because of partial volume effects. It is also easy to see that an object such as a wire or a boxcutter blade, taped to the side of the body, or even a small gun in the same location, will be invisible. While there are technical means to mildly increase the conspicuity of a thick object in air, they are ineffective for thin objects such as blades when they are aligned close to the beam direction.
Filed Under: backscatter, security, tsa, x-rays
Companies: tsa
How The US Response Turns 'Failed' Terrorist Attacks Into Successes
from the playing-the-game-they-want dept
Terrorism is a serious issue. No one's trying to downplay the fact that some very angry individuals are trying to kill an awful lot of Americans (and others as well). However, what's amazing is how incredibly bad the US appears to be at this particular game of chess. Robert Wright recently had a bit of an eye-opening discussion of how the US appears to have played into Al Qaeda's plan at almost every turn. It's another case of the US simply not understanding how to respond to a distributed threat, rather than a centralized one. The whole business is based on getting the US to overreact and overspend and get it caught in a quagmire that causes additional problems. And, increasingly, it looks like that's exactly what's happened.
Along those lines, Bruce Schneier highlights how the US response fits right into Al Qaeda's plans, since our response is quite costly, while the attacks are really, really cheap. He points to an article in Foreign Policy that explains how the TSA's security policies are exactly what Al Qaeda wants. It's not about killing Americans or even "terrorizing" them. It's about trying to get the country spending more and more to try to stop the impossible -- leading to a bankrupting of the overall economy. Now, I will say that this goal is probably a lot more difficult to reach than Al Qaeda probably thinks, but it's no excuse for the US government following through and helping Al Qaeda.
But the really striking thing about all of this is that you realize how the US has turned each failed attack into a success for Al Qaeda. A clueless guy can't light his underwear on fire to take down an airplane? We spend billions in totally ineffective and intrusive TSA security procedures and machines that wouldn't have even caught that guy.
What we're doing is creating a circular situation where all we're doing is encouraging more ridiculous attacks by Al Qaeda. Even when they don't succeed, the fact that we're costing the country so much in silly security theater encourages Al Qaeda to do more -- and (perhaps) to get more ridiculous each time, knowing that we'll continue to overreact and spend ourselves silly to try to prevent another guy from trying to light his underwear on fire on a plane. Outspending (massively) an enemy worked when that enemy was the Soviet Union -- a centralized bureaucracy that simply couldn't keep up. But this is a very different beast, and responding using the same basic thought process isn't helping. It's making matters worse. As Wright notes in that first article: "We’re creating them faster than we’re killing them." And spending orders of magnitude to do so. Forget the fact that this isn't sustainable. It's just downright stupid from a strategic standpoint.
FBI Celebrates That It Prevented FBI's Own Bomb Plot
from the feeling-safer? dept
With all of the new security procedures we keep hearing about, it's important for the government to keep convincing us that we're under a very real immediate threat that could put us at risk at any moment. Along those lines, you may have heard over the weekend about how the FBI supposedly stopped a terrorism bomb plot in Portland, Oregon. Except it appears more and more people are scratching beneath the surface and realizing that the entire plot appears to have been cooked up by the FBI itself. Yes, it sounds like they found a dumb kid who was willing to carry out a bombing. But there doesn't appear to be any evidence that he actually had any ability to actually do so... until the FBI came along and provided him with all the details.
Of course, this is hardly new. There appears to have been a very similar story just a month ago, involving a guy in DC who wanted to bomb Metro stations, but the only actual plotting he was able to do was after federal authorities stepped in and helped him plan everything.
Even that is hardly new. I remember a fascinating episode of This American Life back from the summer of 2009 describing (in great detail) a very similar story of a supposed "arms dealer" that the Justice Department championed as a success story when it arrested and prosecuted him for selling missiles to terrorists. The only problem is that the deeper you dig, the more you realize that the whole plot was also set up by the feds. The guy had no way to get a missile. It was actually provided by the feds themselves.
As that report notes, this is how the government has acted since 9/11. It basically creates its own terrorist plots, and then searches for willing participants... and then arrests them, and hypes how it prevented a terrorist attack, even if there's absolutely no indication that anyone involved would have actually been able to carry out any sort of attack (or arms deal) without the aid of the US government.
We've talked about "security theater," but this appears to be law enforcement theater, complete with actors and props. Feel safer yet?
Just Because 'National Opt-Out Day' Didn't Do Much, Does It Mean People Don't Care About TSA Searches?
from the say-what-now? dept
Last Wednesday, there was a lot of media attention paid to this concept of "national opt-out day" concerning the TSA's new "naked scan or grope" security options. I didn't cover that story at all. Leading up to it, I don't think I even mentioned the concept of the "national opt-out day" once, because the whole idea seemed pretty silly. In retrospect, it may have been worse than silly. Since there was no corresponding gridlock at airports, it appears that the press has now decided that because "national opt-out day" was a failure, it means people don't really care about the TSA's new policies. In other words, the failure of the protest means this "story" is over, much to the relief of the TSA and the administration, who now thinks it can go on ignoring the very real concerns of passengers.
This is a problem.
It's no surprise that the media storm over the TSA procedures had an arc. It's how major media stories go. But, it's unfortunate that there was this misguided focus on getting a bunch of people to do stuff on a particular day (and a day when they are probably least interested in actually doing what's asked of them). Because of that, suddenly, to the major media, it feels like this story is "over." But to the people who are still worried about the scans or uncomfortable with being groped by the government without reasonable cause, it's unfortunate that this story will now get less attention. It's not because the issue is any less. And it's not because the TSA has responded to the concerns. It's because of this one silly, poorly thought-out "event," which became a part of the media spectacle and an easy way to end the story with a claim that the whole set of protests has been a failure.
Filed Under: journalism, opt-out day, press, privacy, security, tsa