security theater.

(part of brett's logjam.)


2 November 2006

Dear Airlines,

In case you were wondering why I cut back on my flying, you might want to think about the following.

It’s not you: it’s them.

(P.S. You might want to do something about this.)

29 September 2006

Schneier on Security: Faulty Data and the Arar Case.

6 September 2006

Via Schneier on Security, Criminal Terrorism Enforcement in the United States During the Five Years Since the 9/11/01 Attacks.

Bruce has great commentary on his post.

27 August 2006

Bruce Schneier’s essay What the Terrorists Want is really excellent.

I’d like everyone to take a deep breath and listen for a minute.

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.

And we’re doing exactly what the terrorists want.

We’re all a little jumpy after the recent arrest of 23 terror suspects in Great Britain. The men were reportedly plotting a liquid-explosive attack on airplanes, and both the press and politicians have been trumpeting the story ever since.

In truth, it’s doubtful that their plan would have succeeded; chemists have been debunking the idea since it became public. Certainly the suspects were a long way off from trying: None had bought airline tickets, and some didn’t even have passports.

Regardless of the threat, from the would-be bombers’ perspective, the explosives and planes were merely tactics. Their goal was to cause terror, and in that they’ve succeeded.

Imagine for a moment what would have happened if they had blown up 10 planes. There would be canceled flights, chaos at airports, bans on carry-on luggage, world leaders talking tough new security measures, political posturing and all sorts of false alarms as jittery people panicked. To a lesser degree, that’s basically what’s happening right now.

Ars Technica: Diebold voting machine failures strike again in Alaska.

14 August 2006

Schneier on Security: Last Week’s Terrorism Arrests.

Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won’t make us safer, either. It’s not just that there are ways around the rules, it’s that focusing on tactics is a losing proposition.

It’s easy to defend against what the terrorists planned last time, but it’s shortsighted. If we spend billions fielding liquid-analysis machines in airports and the terrorists use solid explosives, we’ve wasted our money. If they target shopping malls, we’ve wasted our money. Focusing on tactics simply forces the terrorists to make a minor modification in their plans. There are too many targets — stadiums, schools, theaters, churches, the long line of densely packed people before airport security — and too many ways to kill people.

Security measures that require us to guess correctly don’t work, because invariably we will guess wrong. It’s not security, it’s security theater: measures designed to make us feel safer but not actually safer.

31 July 2006

Via Boing Boing, Diebold Voting Machines can be beaten with a flip of a switch.

Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.

“Diebold has made the testing and certification process practically irrelevant,” according to Dechert. “If you have access to these machines and you want to rig an election, anything is possible with the Diebold TS — and it could be done without leaving a trace. All you need is a screwdriver.” This model does not produce a voter verified paper trail so there is no way to check if the voter’s choices are accurately reflected in the tabulation.

24 July 2006

Sweet. Hacked Ad Seen on MySpace Served Spyware to a Million.

An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows, according to data collected by iDefense, a Verisign company.

Michael La Pilla, an iDefense “malcode” analyst, said he first spotted the attack Sunday while browsing MySpace on a Linux-based machine. When he browsed a page headed with an ad for DeckOutYourDeck.com, his browser asked him whether he wanted to open a file called exp.wmf. Microsoft released a patch in January to fix a serious security flaw in the way Windows renders WMF (Windows Metafile) images, and online criminal groups have been using the flaw to install adware, keystroke loggers and all manner of invasive software for the past seven months.

19 February 2006

I have been wondering this for a while too: jwz asks if Filevault is worth it?

(My initial impression is no, use GPG to encrypt the important stuff, as Filevault has too many risks. But the discussion around it is moderately interesting — for those so inclined.)

28 July 2005

Cisco, ISS file suit against rogue researcher.

In what universe does suing people who point out major security holes in the backbone of the internet sound like a good idea?

Some things I just don’t understand. Sorry.

22 February 2005

What with the recent identity theft scams going about, I thought it prudent to go through my and Merrystar’s credit reports again. (Talk about an evening of fun! American Idol and Experian!)

Helpful sites:

In the meantime, I can’t wait for the Annual Credit Report legislation to get to the Northeast, even if their website uses absurd security theater. (e.g. forcing visitors to type in the link to access the site, just because a certain cough browser cough IE cough has an unfixed address spoofing bug, instead of recommending an actual fix, like using Mozilla? Pure theater. But I digress.)

Residents of the western and mid-western states can already order free reports from the Big Three credit bureaus; DC will be ready in September. Joy.

