My Complaint Letter to the TSA

2010-11-23 15:45:54 by chort

Surrendering my 4th amendment rights should not be a condition of travel within the United States.

With strengthening of cockpit doors and revised flight procedures to restrict cockpit access, the likelihood of a hijacking being leveraged to use an aircraft as a weapon has been drastically reduced. Couple that with passengers' realization that compliance with terrorists is not in their best interest, the probability of any future airline attack causing more casualties than the passengers and crew on board is near nil.

This means that airplanes are not unique from sports stadiums, shopping malls, trains, buses, subways, cinemas, or scores of other kinds venues where inflicting hundreds of casualties is possible.

We cannot create a police state where every citizen must be viewed naked or sexually groped in order to venture into public places. Stop the Security Theater with airplanes and the inconvenience to millions of people who must fly for their jobs every week.

Brian Keefer

You may send your own complaint to the TSA here.

PS Of the last 3 terrorist attempts vs. aircraft going to the United States, only 67% were against passenger planes, none of them were hijackings, and none of them went through TSA security. Given those facts, do you really think drastic and invasive escalations against US citizens are necessary?

Update: Thanks to @georgevhulme for pointing out several typos. Also thanks to @mckeay for reminding me that money talks--I've stopped flying short trips (as of last year) due to TSA hassles, and have been driving instead. That takes money away from airlines, pollutes more, and (statistically speaking) causes more deaths. How is this "security" helping again?

If I Were a CSO pt1

2010-11-17 11:59:28 by chort

If I were a CSO, I'd go to firms like Securosis for analysis. Why? Because they have a no BS approach. They call out vendors for bogus claims and useless products. People who have been in the security field for a long time and have really looked critically at enterprises and vendors can spot regurgitated marketing spin a mile off. We can also tell when advice being given has no foundation in actual experience.

It seems like the vast majority of "analysis" is simply an indicator of herd mentality. I don't want to know what a bunch of people with no idea are doing; I want to know what intelligent and measurably successful people are doing. The "conventional wisdom" is often wrong. The "best practices" are rarely updated, and usually only with additions of new practices, not subtractions of outdated practices.

That sentiment is echoed by few analysts outside of Securosis, but one of them is Josh Corman from The 451 Group (which has recently hired a few common-sense folks to fill out their ranks). I'm not familiar with The 451 Group's work, but if their hiring practices are any indication (in addition to Corman, they've also picked up Wendy Nather) it's probably solid.

It's about time people started applying healthy skepticism and subject-matter expertise, rather than the modern-day version of "nobody got fired for buying IBM".

If you want to follow the Securosis guys on Twitter they are (in part): Rich Mogull, Mike Rothman, Adrian Lane, and David Mortman.

Striking a Balance on Airport Security

2010-11-16 23:44:30 by chort

There has been a lot of press and grass-roots coverage of the TSA recently, specifically revolving around the increased usage of backscatter x-ray devices and more invasive physical inspections. Various DHS and TSA officials have made statements to the effect that they're sympathetic to the complaints, but the new measures are "necessary" and they're "striking a balance" between constitutional rights and security.

When I hear someone say "strike a balance" I visualize a see-saw, or a scale of justice, where the two sides are equally weighted in order to balance them. If we were to take the comments by Janet Napolitano and John Pistole at face value, we might reasonably think they're trying to find a middle ground somewhere between completely acceptable (say, passing through a magnetometer) and totally unacceptable (like cavity searches). The problem is that there is no balance. The scale is so far tilted to the side of violating constitutional rights that even a former Director of TSA Security Operations, Mo McGowan, actually admitted these measures violate the 4th amendment.

Read the rest of this story...

The Problems in Certifying Software Safety

2010-11-03 14:38:57 by chort

I just finished reading @TanAtHNN's 1999 paper contrasting inspection of electrical devices and safes with software and information security products (thanks toJosh Corman for brining it up). The paper pointed out failings of prominent technology associations in the area of certification, and indicated encryption standards (such as FIPS) as examples of how it could be done right.

Overall I think the paper raises good questions. I think you would be hard-pressed to find people in the industry (especially security researchers) who don't think companies should be held to a higher-than-current standard for information technology. I believe the paper comes up a bit short, however in recognizing the differences between physical productions and digital products.

Read the rest of this story...