Schneier on Airport Security Profiling

It’s been a long time since I cited security expert Bruce Schneier, who brings rational thought and common sense to discussions dominated by fear and gut reactions. The Trouble With Airport Profiling asks “Why do otherwise rational people think it’s a good idea to profile people at airports?” Responding to a proposal that TSA address its airport security efforts to “Muslims, or anyone who looks like he or she could conceivably be Muslim” Schneier argues that such profiling would put air travelers at greater risk:

  • It is not accurate.

Post 9/11, we’ve had 2 Muslim terrorists on U.S. airplanes: the shoe bomber and the underwear bomber. If you assume 0.8% (that’s one estimate of the percentage of Muslim Americans) of the 630 million annual airplane fliers are Muslim and triple it to account for others who look Semitic, then the chances any profiled flier will be a Muslim terrorist is 1 in 80 million. Add the 19 9/11 terrorists — arguably a singular event — that number drops to 1 in 8 million. Either way, because the number of actual terrorists is so low, almost everyone selected by the profile will be innocent.

  • It is under-inclusive.

[T]o assume that only Arab-appearing people are terrorists is dangerously naive. Muslims are black, white, Asian, and everything else — most Muslims are not Arab. Recent terrorists have been European, Asian, African, Hispanic, and Middle Eastern; male and female; young and old.

  • It is too easy to avoid.

A wolf in sheep’s clothing is just a story, but humans are smart and adaptable enough to put the concept into practice.

  • It carries significant social and political costs.

iPhone Tracking

Pursuing iPhone Thief, Officer Knew Right Buttons to Push is a cute little tale of a thief’s comeuppance and a perfect microcosm of the tradeoffs between security and privacy. The article relates how a New York City cop used the Find My iPhone app to locate and recover a stolen iPhone (and arrest the thief) in less than 30 minutes. The app is free to download and install and simple to use: enter the Apple ID and Apple Store password of the target phone in the app’s search screen, select Go, and the phone’s location pops up on Google Maps. You can track the phone as its location changes, lock it, and play a submarine-sonar beeping sound or send and display a message on it. All that’s required is that the target phone be signed into and have Track My Phone enabled on Apple’s iCloud.

And that’s where one trades privacy for security. Once activated, anyone who knows the owner’s Apple ID and password can track the phone’s location. My wife left the house early this morning to play tennis. After reading the article I checked her location; indeed she was at the tennis facility. (Current iPhone technology does not allow me to verify that she was indeed “playing tennis” there.)

Comforting, or creepy?

Stuxnet

“How digital detectives deciphered Stuxnet, the most menacing malware in history,” Ars Technica’s lengthy article on the Stuxnet virus created to damage centrifuges used in Iran’s nuclear weapons program, reads like a beach page-turner. The story is too complicated to delve into here, so read it if you have any interest in Stuxnet, the “world’s first real cyberweapon,” or in the face of 21st-century cyber warfare. Imagine the havoc if a similar weapon attacked the U.S. banking system. Fascinating and chilling.

Stuxnet

I’m months behind the curve on the story of the Stuxnet virus that destroyed Iran’s nuclear-fuel processing capability, but this 13-minute PBS video provides an excellent summary of Stuxnet’s fascinating and disturbing combination of espionage, cyber-warfare, international politics, sci-fi, and network security. (Thanks to YS, who tries to keep my brain from turning to mush over the summer.)

Schneier on Security in 2020

Security in 2020 is a fascinating, provocative post from security expert Bruce Schneier’s latest newsletter. He briefly looks at the current focus of IT security, capturing each concept in what he acknowledges are invented “ugly” words: deperimeterization, the “dissolution of the strict boundaries between the internal and external network”; consumerization, in which “consumers get the cool new gadgets first, and demand to do their work on them”; and decentralization, i.e. cloud computing. Then he projects developing trends: deconcentration, in which the “general-purpose computer is dying and being replaced by special-purpose devices”; decustomerization, in which “we get more of our IT functionality without any business relationship”; and depersonization, “computing that removes the user, either partially or entirely.” Get past the IT-professional jargon. Each term nails a distinct trend.

Discussing the delivery of IT services without fee-based relationships, he says

We’re not Google’s customers; we’re Google’s product that they sell to their customers. It’s a three-way relationship: us, the IT service provider, and the advertiser or data buyer. And as these noncustomer IT relationships proliferate, we’ll see more IT companies treating us as products. If I buy a Dell computer, then I’m obviously a Dell customer; but if I get a Dell computer for free in exchange for access to my life, it’s much less obvious whom I’m entering a business relationship with. Facebook’s continual ratcheting down of user privacy in order to satisfy its actual customers — the advertisers — and enhance its revenue is just a hint of what’s to come.

With respect to “computing that removes the user” (things talking to things), he says

The “Internet of things” won’t need you to communicate. The smart appliances in your smart home will talk directly to the power company. Your smart car will talk to road sensors and, eventually, other cars . . . The ramifications of this are hard to imagine . . . But certainly smart objects will be talking about you, and you probably won’t have much control over what they’re saying.

Schneier’s summation:

One old trend: deperimeterization. Two current trends: consumerization and decentralization. Three future trends: deconcentration, decustomerization, and depersonization. That’s IT in 2020 — it’s not under your control, it’s doing things without your knowledge and consent, and it’s not necessarily acting in your best interests.

Worth reading for anyone interested in how technology shapes our lives.  Especially Internet law students.

“The Ethics of WikiLeaks”

The above-titled Institute for Global Ethics piece explores right-versus-right elements of the WikiLeaks story:

This latest play has caused pundits to scramble toward one pole or the other. Some see WikiLeaks as a radiant shaft of light, cutting through official obfuscation and sharing vital information every citizen deserves to know. Others see it as a treasonous breach of confidentiality, seizing up the well-oiled protocols of international negotiation and endangering the lives of military, diplomatic, and intelligence operatives around the world. Blinded by such polarizations, few see the story for what it is: a right-versus-right dilemma raising profound questions about the role of information in a democracy.

It concludes with a perspective I’ve not seen elsewhere:

In the end, then, WikiLeaks is about how we define war. A citizenry in a state of war makes short shrift of those who disclose such secrets. A citizenry in a state of peace tolerates and even encourages them. How we view WikiLeaks depends on which state we think we’re in.

WikiLeaks II

The best source I’ve found of potential criminal charges in connection with WikiLeaks’ release of diplomatic correspondence is from the Congressional Research Service.  Dated December 6, written by Legislative Attorney Jennifer K. Elsea, and 21 pages long, Criminal Prohibitions on the Publication of Classified Defense Information describes the leaked documents, communications between WikiLeaks and the U.S. Government, the criminal statutes protecting classified information, and other relevant legal issues.  It includes this summary:

This report identifies some criminal statutes that may apply, but notes that these have been used almost exclusively to prosecute individuals with access to classified information (and a corresponding obligation to protect it) who make it available to foreign agents, or to foreign agents who obtain classified information unlawfully while present in the United States. Leaks of classified information to the press have only rarely been punished as crimes, and we are aware of no case in which a publisher of information obtained through unauthorized disclosure by a government employee has been prosecuted for publishing it. There may be First Amendment implications that would make such a prosecution difficult, not to mention political ramifications based on concerns about government censorship. To the extent that the investigation implicates any foreign nationals whose conduct occurred entirely overseas, any resulting prosecution may carry foreign policy implications related to the exercise of extraterritorial jurisdiction and whether suspected persons may be extradited to the United States under applicable treaty provisions.

WikiLeaks

Tomorrow’s Internet law class, our last this semester, will focus on WikiLeaks. (Good luck loading wikileaks.org. The first topic may be “if a website’s URL does not resolve to the site’s home page, does the site exist?” Another of the top four Google responses to a search for wikileaks.org failed to load: http://cablegate.wikileaks.org/. The two sites that loaded, with links to the leaked U.S. diplomatic correspondence, are http://213.251.145.96/ and http://213.251.145.96/cablegate.html.) This week it is hard not to find news stories, blog posts, rants, and raves about WikiLeaks’ dissemination of the diplomatic cables. In no particular order, with no endorsement of their respective stances, and with no representation that these are the best sources of information, here is some of what I’ve read:

I’ll post more links when I access my laptop at school.

WikiLeaks is a mother lode of discussion topics:  freedom of speech, freedom of the press, national security, criminal law, extradition, ethics, Internet culture, network architecture, network security, file-sharing technology, citizen journalism, hacking, the 24-hour news cycle . . . and more, no doubt.

Hypocrisy, for example. WikiLeaks’ founder Julian Assange’s stated goal for WikiLeaks is to puncture organizations that maintain their authority by conspiring to hide information about their activities. In other words, secrecy–whether practiced by the United States government or sorority Alpha Sigma Tau–is inherently bad, therefore revealing secrets is inherently good.  Zunguzungo.com’s* lengthy, reverential exegesis of Assange’s writings favorably characterizes his definition of a conspiracy as “simply any network of associates who act in concert by hiding their concerted association from outsiders, an authority that proceeds by preventing its activities from being visible enough to provoke counter-reaction.”  Let’s see–network of associates . . . act in concert . . . hide concerted association . . . prevent visibility to outsiders . . . not accountable to anyone . . . doesn’t that perfectly describe WikiLeaks and its supporters?

Unless the topic is, say, engineering or math, I distrust binary thinking.  Reducing complex problems to black-and-white alternatives requires no thought, no analysis, no understanding of human nature, no judgment, no room for growth, no self-doubt, no capacity to listen, no compassion, no heart, no soul, none of what is special about humanity.   Assange’s blind faith in transparency makes him just another True Believer whose ego requires imposing his beliefs on the world.

*Which the website defines, apparently, as “harmonization [variant: harm minimization]”**

**To which I reply, wtf?

Viral Extortion

As described here, Kenzero is a diabolical Trojan virus that blackmails Internet porn users with their browsing histories. According to the linked article from The Telegraph, it enters a computer when a user downloads sexually “explicit Hentai anime” (Googling the term was as far as I wanted to go). It then activates,

popping up an installation screen that prompts the computer user to type in personal information. The virus then takes screengrabs of a user’s browsing history, and publishes a list of all the sites they have visited online. A dialog box or email is then sent to the user, demanding a credit card payment of around £10 to remove the list from the internet.

The article does not say whether those responsible for the virus actually remove the incriminating browsing history. Two morals: keep your antivirus software up to date, and if downloaded porn asks you for your name, just say no.

No Safety in Numbers

Apropos of nothing other than my curiosity, here are tag clouds of the most popular usernames and passwords from Dragon Research Group, “a not-for-profit, non-revenue generating entity, comprised of a geographically dispersed set of trusted volunteers who are passionate about making the Internet more secure.” If your username is user and your password is password then the good news is, you are not alone!
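A tag cloud of this sort is just a frequency count over attempted logins. The following Python, added here as an illustration and not code from this blog or from Dragon Research Group, tallies usernames, passwords and username/password pairs from a handful of constructed honeypot-style log lines (the line format, addresses and counts are made up for the example), reports the top entries, and checks whether a candidate credential appears in any of those top lists.

```python
"""Build "most popular username / password" tables from login-failure
records and check a candidate credential against them.

Added example, not code from the blog or from Dragon Research Group.
The log format below is constructed for this illustration; real honeypot
feeds differ in layout but carry the same three fields used here.
"""
from collections import Counter
import re

# Constructed sample records: timestamp, source address, and the
# username/password pair that was tried.  All values are made up.
SAMPLE_LOG = """\
2010-12-01T03:14:07Z 198.51.100.23 login attempt [root/123456] failed
2010-12-01T03:14:09Z 198.51.100.23 login attempt [root/password] failed
2010-12-01T03:14:11Z 198.51.100.23 login attempt [admin/admin] failed
2010-12-01T03:15:02Z 203.0.113.7 login attempt [user/password] failed
2010-12-01T03:15:04Z 203.0.113.7 login attempt [root/root] failed
2010-12-01T03:15:06Z 203.0.113.7 login attempt [test/test] failed
2010-12-01T03:16:40Z 192.0.2.88 login attempt [root/123456] failed
2010-12-01T03:16:42Z 192.0.2.88 login attempt [user/user] failed
2010-12-01T03:16:44Z 192.0.2.88 login attempt [oracle/oracle] failed
2010-12-01T03:16:46Z 192.0.2.88 login attempt [root/toor] failed
2010-12-01T03:17:00Z 198.51.100.23 login attempt [user/password] failed
2010-12-01T03:17:02Z 198.51.100.23 login attempt [admin/password] failed
"""

# One record per line; usernames cannot contain "/" or "]" in this format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] failed$"
)


def parse_attempts(text):
    """Yield (source, username, password) for each well-formed line.
    Malformed lines are skipped so one bad record cannot stop the tally."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("user"), m.group("pw")


def tally(text):
    """Return Counters of usernames, passwords and (user, pw) pairs."""
    users, pws, pairs = Counter(), Counter(), Counter()
    for _src, user, pw in parse_attempts(text):
        users[user] += 1
        pws[pw] += 1
        pairs[(user, pw)] += 1
    return users, pws, pairs


def top_n(counter, n=5):
    """Most common entries as (value, count); ties are broken
    alphabetically so the ordering is deterministic."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def credential_exposure(user, pw, text, n=5):
    """List which top-N tables a candidate credential appears in:
    'pair' (the exact combination is being tried), 'username', 'password'.
    An empty list means neither half is among the most-attempted values."""
    users, pws, pairs = tally(text)
    hits = []
    if (user, pw) in dict(top_n(pairs, n)):
        hits.append("pair")
    if user in dict(top_n(users, n)):
        hits.append("username")
    if pw in dict(top_n(pws, n)):
        hits.append("password")
    return hits


if __name__ == "__main__":
    users, pws, pairs = tally(SAMPLE_LOG)
    for label, counter in (("usernames", users), ("passwords", pws), ("pairs", pairs)):
        print(f"top {label}:")
        for value, count in top_n(counter):
            print(f"  {count:3d}  {value}")
    for cand in (("user", "password"), ("root", "toor"), ("alice", "correct horse")):
        print(cand, "->", credential_exposure(*cand, SAMPLE_LOG) or "not in top lists")
```

Run stand-alone it prints the three top-five tables and the exposure of a few candidate credentials. The same check, fed a real authentication-failure stream instead of the constructed sample, tells you whether a credential pair you are about to accept is one that attackers are already guessing, which is the practical lesson behind the tag clouds.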