
kottke.org posts about security

Is your smartphone betraying you?

posted by Jason Kottke   Jul 21, 2016

Introspection Engine

Edward Snowden and Bunnie Huang are working on a system to help smartphone users determine whether their phones can be tracked. Their aim is to protect journalists from being detected while they’re in the field.

National Security Agency whistleblower Edward Snowden has been working with prominent hardware hacker Andrew “Bunnie” Huang to solve this problem. The pair are developing a way for potentially imperiled smartphone users to monitor whether their devices are making any potentially compromising radio transmissions. They argue that a smartphone’s user interface can’t be relied upon to tell you the truth about the state of its radios. Their initial prototyping work uses an iPhone 6.

“We have to ensure that journalists can investigate and find the truth, even in areas where governments prefer they don’t,” Snowden told me in a video interview. “It’s basically to make the phone work for you, how you want it, when you want it, but only when.”

They are calling the device an introspection engine:1

Snowden and Huang are calling this device an “introspection engine” because it will inspect the inner-workings of the phone. The device will be contained inside a battery case, looking similar to a smartphone with an extra bulky battery, except with its own screen to update the user on the status of the radios. Plans are for the device to also be able to sound an audible alarm and possibly to also come equipped with a “kill switch” that can shut off power to the phone if any radio signals are detected. “The core principle is simple,” they wrote in the blog post. “If the reporter expects radios to be off, alert the user when they are turned on.”

Huang also announced today that he’s suing the US government over Section 1201 of the Digital Millennium Copyright Act:

Section 1201 means that you can be sued or prosecuted for accessing, speaking about, and tinkering with digital media and technologies that you have paid for. This violates our First Amendment rights, and I am asking the court to order the federal government to stop enforcing Section 1201.

  1. Good name, although I believe they missed a good opportunity to call it the Snow Bunnie. Perhaps that was the code name?


Some prime numbers are illegal in the United States

posted by Jason Kottke   May 06, 2016

The possession of certain prime numbers is illegal in the US. For instance, one of these primes can be used to break a DVD’s copyright encryption.

Terrorism, surveillance, civil liberties… pick two?

posted by Jason Kottke   Apr 14, 2016

Kurzgesagt examines what’s happened to our privacy, civil liberties, and security because of the threat of terrorism.

Edward Snowden’s Fermi Paradox solution

posted by Jason Kottke   Sep 21, 2015

Edward Snowden has come up with a solution to the Fermi Paradox that I hadn’t heard of before. Maybe we haven’t discovered intelligent life elsewhere in the Universe, says Snowden, because their communications encryption is indistinguishable from cosmic background radiation.

“If you look at encrypted communication, if they are properly encrypted, there is no real way to tell that they are encrypted,” Snowden said. “You can’t distinguish a properly encrypted communication from random behaviour.”

Therefore, Snowden continued, as human and alien societies get more sophisticated and move from “open communications” to encrypted communication, the signals being broadcast will quickly stop looking like recognisable signals.

“So if you have an an alien civilization trying to listen for other civilizations,” he said, “or our civilization trying to listen for aliens, there’s only one small period in the development of their society when all their communication will be sent via the most primitive and most unprotected means.”

After that, Snowden said, alien messages would be so encrypted that it would render them unrecognisable, “indistinguishable to us from cosmic microwave background radiation”. In that case, humanity would not even realise it had received such communications.

Snowden shared his hypothesis with Neil deGrasse Tyson on Tyson’s podcast, StarTalk.
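The claim at the heart of the argument, that a properly encrypted stream looks like noise, can be checked with the two tests an analyst would actually reach for first: byte entropy and compressibility. The Python below is an added illustration, not part of the post or the podcast. Its cipher is a toy SHA-256 counter-mode keystream chosen only so the example runs on the standard library (it stands in for a real cipher’s output and is not something to deploy), and the sample message, key and nonce are constructed.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution; 8.0 is the ceiling."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Compressed size over raw size: structured data shrinks, random data does not."""
    return len(zlib.compress(data, 9)) / len(data)


def toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for this demonstration only: keystream blocks are
    SHA-256(key || nonce || counter), XORed into the data. Encryption and
    decryption are the same operation. Use a vetted AEAD in real systems."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def randomness_report(data: bytes) -> dict:
    """The two cheap statistics an observer can compute on an unknown blob."""
    return {"entropy_bits_per_byte": shannon_bits_per_byte(data),
            "compression_ratio": compression_ratio(data)}


# Constructed sample inputs: an English message repeated to a few kilobytes,
# and a fixed key/nonce so the run is reproducible. A real key comes from a CSPRNG.
PLAINTEXT = (b"We have to ensure that journalists can investigate and find the truth, "
             b"even in areas where governments prefer they don't. ") * 40
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
NONCE = b"\x00" * 8
CIPHERTEXT = toy_keystream_xor(KEY, NONCE, PLAINTEXT)


def demo() -> dict:
    """Plaintext should score low on entropy and compress well; ciphertext
    should sit near 8 bits/byte and refuse to compress."""
    return {"plaintext": randomness_report(PLAINTEXT),
            "ciphertext": randomness_report(CIPHERTEXT)}


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:10s} entropy={r['entropy_bits_per_byte']:.2f} bits/byte "
              f"compression={r['compression_ratio']:.2f}")
```

Passing both tests is necessary for a cipher’s output but not sufficient, and in practice an eavesdropper rarely needs them: what gives encrypted traffic away is the envelope around the payload, such as framing, message lengths, timing and handshakes, which the Fermi argument leaves out.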

The secret life of passwords

posted by Jason Kottke   Nov 20, 2014

Ian Urbina writes about what passwords mean to people beyond gaining access to emails or bank balances.

I began asking my friends and family to tell me their passwords. I had come to believe that these tiny personalized codes get a bum rap. Yes, I understand why passwords are universally despised: the strains they put on our memory, the endless demand to update them, their sheer number. I hate them, too. But there is more to passwords than their annoyance. In our authorship of them, in the fact that we construct them so that we (and only we) will remember them, they take on secret lives. Many of our passwords are suffused with pathos, mischief, sometimes even poetry. Often they have rich back stories. A motivational mantra, a swipe at the boss, a hidden shrine to a lost love, an inside joke with ourselves, a defining emotional scar - these keepsake passwords, as I came to call them, are like tchotchkes of our inner lives. They derive from anything: Scripture, horoscopes, nicknames, lyrics, book passages. Like a tattoo on a private part of the body, they tend to be intimate, compact and expressive.

See also Better living through motivational passwords and The world’s worst password requirements list.

Better living through motivational passwords

posted by Jason Kottke   Jul 02, 2014

When faced with a mandatory monthly password change, Mauricio Estrella decided to use it as an opportunity to improve his life.

My password became the indicator. My password reminded me that I shouldn’t let myself be victim of my recent break up, and that I’m strong enough to do something about it.

My password became: “Forgive@h3r”

I had to type this statement several times a day. Each time my computer would lock. Each time my screensaver with her photo would appear. Each time I would come back from eating lunch alone.

In my mind, I went with the mantra that I didn’t type a password. In my mind, I wrote “Forgive her” everyday, for one month.

I think this strategy might even work with the world’s worst password requirements.

My voice is my passport. Verify me.

posted by Jason Kottke   Sep 13, 2013

Soon, new iPhone owners will be able to use a fingerprint to access a phone or buy something on iTunes. Apple’s introduction of this fingerprint technology adds a nice layer of security and a bit of convenience for those whose fingers are too tired to type in a four-digit password. But soon, we will be interacting with a lot more devices that have no screens, and biometrics will be the logical way to secure our data. Companies have already developed ways to identify you, from your fingerprints to your heartbeat. And while these methods certainly seem more effective than simple (and often easy-to-hack) passwords, it’s a little worrisome that we’ll essentially be sharing even more personal data, right down to our person. In order to give us the promise of more security, companies will want to know even more about us. It feels like we’ve passed a point of no return. So much about us is stored in the cloud (our finances, our communication, our social lives) that we can’t turn back. The only way to protect what you’ve shared so far is to share some more. Protect your data with a password. Protect the password with some secret, personal questions. Protect all of that with your fingerprint or your heartbeat. Before long, you’ll have to give a DNA swab to access a collection of photos you took yourself. It’s a trend worth watching. The last decade was about sharing. The next decade will be about protecting.

The NSA is decrypting all the things

posted by Jason Kottke   Sep 06, 2013

Edward Snowden’s leak of NSA documents keeps paying dividends. The latest report (in the Guardian, the NY Times, and Pro Publica) alleges that the NSA has cracked or circumvented many of the internet security protocols designed to keep communications private from third parties. From the Pro Publica piece:

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Cryptographer Matthew Green speculates on exactly how the NSA might have achieved these results and what the implications are.

Probably the biggest concern in all this is the evidence of collaboration between the NSA and unspecified ‘telecom providers’. We already know that the major US (and international) telecom carriers routinely assist the NSA in collecting data from fiber-optic cables. But all this data is no good if it’s encrypted.

While software compromises and weak standards can help the NSA deal with some of this, by far the easiest way to access encrypted data is to simply ask for — or steal — the keys. This goes for something as simple as cellular encryption (protected by a single key database at each carrier) all the way to SSL/TLS which is (most commonly) protected with a few relatively short RSA keys.

If you’re concerned about the privacy of your communications, security expert Bruce Schneier has some suggestions for keeping secure.

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear.

You commit three felonies a day

posted by Jason Kottke   Jun 10, 2013

In a book called Three Felonies A Day, Boston civil rights lawyer Harvey Silverglate says that everyone in the US commits felonies every day and if the government takes a dislike to you for any reason, they’ll dig in and find a felony you’re guilty of.

The average professional in this country wakes up in the morning, goes to work, comes home, eats dinner, and then goes to sleep, unaware that he or she has likely committed several federal crimes that day. Why? The answer lies in the very nature of modern federal criminal laws, which have exploded in number but also become impossibly broad and vague. In Three Felonies a Day, Harvey A. Silverglate reveals how federal criminal laws have become dangerously disconnected from the English common law tradition and how prosecutors can pin arguable federal crimes on any one of us, for even the most seemingly innocuous behavior. The volume of federal crimes in recent decades has increased well beyond the statute books and into the morass of the Code of Federal Regulations, handing federal prosecutors an additional trove of vague and exceedingly complex and technical prohibitions to stick on their hapless targets. The dangers spelled out in Three Felonies a Day do not apply solely to “white collar criminals,” state and local politicians, and professionals. No social class or profession is safe from this troubling form of social control by the executive branch, and nothing less than the integrity of our constitutional democracy hangs in the balance.

In response to a question about what happens to big company CEOs who refuse to go along with government surveillance requests, John Gilmore offers a case study in what Silverglate is talking about.

We know what happened in the case of QWest before 9/11. They contacted the CEO/Chairman asking to wiretap all the customers. After he consulted with Legal, he refused. As a result, NSA canceled a bunch of unrelated billion dollar contracts that QWest was the top bidder for. And then the DoJ targeted him and prosecuted him and put him in prison for insider trading — on the theory that he knew of anticipated income from secret programs that QWest was planning for the government, while the public didn’t because it was classified and he couldn’t legally tell them, and then he bought or sold QWest stock knowing those things.

This CEO’s name is Joseph P. Nacchio and TODAY he’s still serving a trumped-up 6-year federal prison sentence for quietly refusing an NSA demand to massively wiretap his customers.

You combine this with the uber-surveillance allegedly being undertaken by the NSA and other governmental agencies and you’ve got a system for more or less automatically accusing any US citizen of a felony. Free society, LOL ROFLcopter.

Update: For the past two years, the Wall Street Journal has been “examining the vastly expanding federal criminal law book and its consequences”. (thx, jesse)

National Insecurity Agency

posted by Jason Kottke   Jun 10, 2013

By now, you’ve likely heard of Edward Snowden, the former NSA contractor who leaked secret documents to the press regarding that agency’s electronic surveillance activities. From Glenn Greenwald’s excellent coverage for The Guardian, here are a few of the most interesting passages from interviews with Snowden.

From the moment he decided to disclose numerous top-secret documents to the public, he was determined not to opt for the protection of anonymity. “I have no intention of hiding who I am because I know I have done nothing wrong,” he said.

Despite these fears, he remained hopeful his outing will not divert attention from the substance of his disclosures. “I really want the focus to be on these documents and the debate which I hope this will trigger among citizens around the globe about what kind of world we want to live in.” He added: “My sole motive is to inform the public as to that which is done in their name and that which is done against them.”

He has had “a very comfortable life” that included a salary of roughly $200,000, a girlfriend with whom he shared a home in Hawaii, a stable career, and a family he loves. “I’m willing to sacrifice all of that because I can’t in good conscience allow the US government to destroy privacy, internet freedom and basic liberties for people around the world with this massive surveillance machine they’re secretly building.”

“All my options are bad,” he said. The US could begin extradition proceedings against him, a potentially problematic, lengthy and unpredictable course for Washington. Or the Chinese government might whisk him away for questioning, viewing him as a useful source of information. Or he might end up being grabbed and bundled into a plane bound for US territory.

“Yes, I could be rendered by the CIA. I could have people come after me. Or any of the third-party partners. They work closely with a number of other nations. Or they could pay off the Triads. Any of their agents or assets,” he said.

“We have got a CIA station just up the road — the consulate here in Hong Kong — and I am sure they are going to be busy for the next week. And that is a concern I will live with for the rest of my life, however long that happens to be.”

He left the CIA in 2009 in order to take his first job working for a private contractor that assigned him to a functioning NSA facility, stationed on a military base in Japan. It was then, he said, that he “watched as Obama advanced the very policies that I thought would be reined in”, and as a result, “I got hardened.”

The primary lesson from this experience was that “you can’t wait around for someone else to act. I had been looking for leaders, but I realised that leadership is about being the first to act.”

“I carefully evaluated every single document I disclosed to ensure that each was legitimately in the public interest,” he said. “There are all sorts of documents that would have made a big impact that I didn’t turn over, because harming people isn’t my goal. Transparency is.”

And from a second piece with a straight-up interview:

Q: Why did you decide to become a whistleblower?

A: “The NSA has built an infrastructure that allows it to intercept almost everything. With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife’s phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards.

“I don’t want to live in a society that does these sort of things … I do not want to live in a world where everything I do and say is recorded. That is not something I am willing to support or live under.”

Q: What do the leaked documents reveal?

A: “That the NSA routinely lies in response to congressional inquiries about the scope of surveillance in America. I believe that when [senator Ron] Wyden and [senator Mark] Udall asked about the scale of this, they [the NSA] said it did not have the tools to provide an answer. We do have the tools and I have maps showing where people have been scrutinised most. We collect more digital communications from America than we do from the Russians.”

Q: What is your reaction to Obama denouncing the leaks on Friday while welcoming a debate on the balance between security and openness?

A: “My immediate reaction was he was having difficulty in defending it himself. He was trying to defend the unjustifiable and he knew it.”

Q: Washington-based foreign affairs analyst Steve Clemons said he overheard at the capital’s Dulles airport four men discussing an intelligence conference they had just attended. Speaking about the leaks, one of them said, according to Clemons, that both the reporter and leaker should be “disappeared”. How do you feel about that?

A: “Someone responding to the story said ‘real spies do not speak like that’. Well, I am a spy and that is how they talk. Whenever we had a debate in the office on how to handle crimes, they do not defend due process - they defend decisive action. They say it is better to kick someone out of a plane than let these people have a day in court. It is an authoritarian mindset in general.”

Both of these pieces are very much worth reading in entirety. Also worth a read is Timothy Lee’s piece for The Washington Post, Has the US become the type of nation from which you have to seek asylum?

Four decades ago, Daniel Ellsberg surrendered to federal authorities to face charges of violating the Espionage Act. During his trial, he was allowed to go free on bail, giving him a chance to explain his actions to the media. His case was eventually thrown out after it was revealed that the government had wiretapped him illegally.

Bradley Manning, a soldier who released classified documents to WikiLeaks in 2010, has had a very different experience. Manning was held for three years without trial, including 11 months when he was held in de facto solitary confinement. During some of this period, he was forced to sleep naked at night, allegedly as a way to prevent him from committing suicide. The United Nations’ special rapporteur on torture has condemned this as “cruel, inhuman and degrading treatment in violation of Article 16 of the convention against torture.”

Weaponized smartphones and the Internet of Things

posted by Jason Kottke   Dec 28, 2012

We’ve spent the past two dozen years putting computers in everything from our bodies to our cars. Now those devices increasingly have wireless connections to the outside world. Throw in a little lax security and the whole world becomes hackable.

Hospital equipment like external defibrillators and fetal monitors can at least be picked up, taken apart, or carted away. Implanted devices — equipment surgically implanted into the body — are vastly more difficult to remove but not all that much harder to attack.

You don’t even have to know anything about medical devices’ software to attack them remotely, Fu says. You simply have to call them repeatedly, waking them up so many times that they exhaust their batteries, a medical version of the online “denial of service” attack, in which botnets overwhelm Web sites with millions of phony messages. On a more complex level, pacemaker-subverter Barnaby Jack has been developing Electric Feel, software that scans for medical devices in crowds, compromising all within range. Although Jack emphasizes that Electric Feel “was created for research purposes, in the wrong hands it could have deadly consequences.” (A General Accounting Office report noted in August that Uncle Sam had never systematically analyzed medical devices for their hackability, and recommended that the F.D.A. take action.)

Your passwords can no longer protect you

posted by Jason Kottke   Nov 16, 2012

“You have a secret that can ruin your life.” That’s according to Mat Honan, and he should know. Several months ago he saw much of his online life hacked and deleted in an instant. In this Wired cover story (that includes some valuable tips for protecting yourself online), Honan breaks the news that “no matter how complex, no matter how unique, your passwords can no longer protect you.”

These birds teach their baby chicks a secret family password

posted by Jason Kottke   Nov 15, 2012

Fairy wrens have a cuckoo problem. Specifically, cuckoos lay their eggs in the nest of the fairy wrens and, if undetected, they would end up raising the baby cuckoos to the potential detriment of their own children. But what the fairy wren mother does is after laying her eggs, she sings a unique song to the eggs until they hatch. Having learned the song while in-egg, the hatched baby wrens sing back part of the song to get fed.

She kept 15 nests under constant audio surveillance, and discovered that fairy-wrens call to their unhatched chicks, using a two-second trill with 19 separate elements to it. They call once every four minutes while sitting on their eggs, starting on the 9th day of incubation and carrying on for a week until the eggs hatch.

When Colombelli-Negrel recorded the chicks after they hatched, she heard that their begging call included a single unique note lifted from mum’s incubation call. This note varies a lot between different fairy-wren broods. It’s their version of a surname, a signature of identity that unites a family. The females even teach these calls to their partners, by using them in their own begging calls when the males return to the nest with food.

These signature calls aren’t innate. The chicks’ calls more precisely matched those of their mother if she sang more frequently while she was incubating. And when Colombelli-Negrel swapped some eggs between different clutches, she found that the chicks made signature calls that matched those of their foster parents rather than those of their biological ones. It’s something they learn while still in their eggs.

(via bruce schneier)

The worst passwords of 2012

posted by Jason Kottke   Oct 26, 2012

I cannot believe these are some of the passwords people actually use:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1

I feel more secure than ever with my “password2” password.

The world’s worst password requirements list

posted by Jason Kottke   Jun 04, 2012

I tweeted about this but wanted to document it here for posterity. The Attorney General of Texas Child Support website has the worst set of password requirements I’ve ever seen.

Password Req

Exactly eight characters? No consecutive repeating characters? This is the internet equivalent of everyone throwing their supposedly dangerous 3+ oz. liquid containers into one giant barrel where hundreds of people are queuing up for “security”. Makes you wonder how non-user-friendly the state’s actual child support process is.

Update: Here’s another bad password policy, courtesy of TechRepublic:

Password Req 01

Can’t contain two separated numbers? I don’t even. If you’ve run across other examples like these, tweet at me.

Update: Troy Hunt has a list of bad password practices…for example, here’s ING’s 4-digit PIN login:

Password Req 02

Four digits, numbers only…FOR A BANK! He also has a screenshot of American Express’ case insensitive password rule.

Update: Jonathan Cogley signed up to access the web site of a “major credit card company” (AmEx?) and ran into the case insensitivity as well.

Update: BTW, there are many resources out there about choosing good passwords, but I found this one particularly helpful.

Update: This one from the US Citizenship and Immigration Services site is very similar to the Texas one.

Password Req 03

Is there a consultant somewhere telling state and federal governments how not to do passwords? (via @kelseyfrost)

Update: I’ve gotten several notes about ING…their PINs are 6+ digits but still only numbers, which seems trivial to hack, even with their ever-shifting numeric keypad (readily OCR-able) and image verification (isn’t foolproof).

Update: Suncorp Bank requires that passwords be 6-8 characters and can’t contain consecutive numbers or special characters.

Password Req 04

Chase requires a password for your password so you can log in while you log in. Or something.

But the best one so far might be for Sabre Red, a booking system used by travel agents.

Password Req 05

7-8 characters in length, no special characters, no more than two repeating characters, and you cannot use the letters Z or Q (presumably a holdover from the days when phone keypads didn’t have Qs or Zs). Wow. (via @SteveD503, @albedoa & @TheLoneCuber)

Update: Here’s another one, from some unspecified site:

Password Req

(via @toepoke_co_uk)
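The rules collected above all do the same thing: they tell an attacker which guesses not to bother with, and they cap how large the space of allowed passwords can ever be. The Python below is an added example, not code from the post or from any of the sites named, that counts the keyspace each rule set permits and turns it into bits and an exhaustive-search time. The counting handles “no consecutive repeating characters” and Sabre Red’s “no more than two repeating characters” exactly (read here as a cap on runs of identical adjacent characters). Alphabet sizes, the Sabre interpretation and the guess rate are assumptions and are labelled as such in the code.

```python
import math
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Policy:
    """A composition rule set reduced to the parameters that decide keyspace.
    max_run caps identical adjacent characters: 1 = 'no consecutive repeating
    characters', 2 = 'no more than two repeating characters' (assumed reading
    of the Sabre Red rule), >= max_len = no such rule."""
    name: str
    alphabet_size: int
    min_len: int
    max_len: int
    max_run: int


def count_fixed_length(alphabet_size: int, length: int, max_run: int) -> int:
    """Count strings of exactly `length` symbols with no run of identical
    adjacent symbols longer than `max_run`. Dynamic programme over the length
    of the run that ends the string."""
    if length == 0:
        return 1
    if max_run < 1 or alphabet_size < 1:
        return 0
    runs = [0] * max_run            # runs[j]: strings whose final run has length j+1
    runs[0] = alphabet_size
    for _ in range(length - 1):
        total = sum(runs)
        new_runs = [0] * max_run
        new_runs[0] = total * (alphabet_size - 1)   # change symbol: run restarts at 1
        for j in range(max_run - 1):
            new_runs[j + 1] = runs[j]               # repeat symbol: run grows by 1
        runs = new_runs
    return sum(runs)


def keyspace(policy: Policy) -> int:
    return sum(count_fixed_length(policy.alphabet_size, n, policy.max_run)
               for n in range(policy.min_len, policy.max_len + 1))


def keyspace_bits(policy: Policy) -> float:
    return math.log2(keyspace(policy))


def exhaustive_search_seconds(policy: Policy, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole allowed space at a given guess rate."""
    return keyspace(policy) / guesses_per_second


def satisfies_run_rule(password: str, policy: Policy) -> bool:
    """The check a site enforcing one of these rules runs: length window plus
    the longest run of identical adjacent characters."""
    if not policy.min_len <= len(password) <= policy.max_len:
        return False
    longest = max((len(list(g)) for _, g in groupby(password)), default=0)
    return longest <= policy.max_run


# Policies as described in the post. Alphabet sizes are assumptions where the
# post does not state them: 62 = upper + lower + digits, 36 = case-folded
# letters + digits, 58 = 62 minus Q/q/Z/z, 95 = printable ASCII.
POLICIES = [
    Policy("Texas AG: exactly 8, no consecutive repeats (62 assumed)", 62, 8, 8, 1),
    Policy("ING: 4-digit PIN", 10, 4, 4, 4),
    Policy("ING per update: 6-digit PIN", 10, 6, 6, 6),
    Policy("Sabre Red: 7-8 alnum, no Q/Z, no run of 3 (58 assumed)", 58, 7, 8, 2),
    Policy("Case-insensitive 8 alnum, as at AmEx (36 assumed)", 36, 8, 8, 8),
    Policy("Baseline: 12 printable ASCII, no composition rules", 95, 12, 12, 12),
]

ASSUMED_GUESS_RATE = 1e10   # guesses/s for an offline attack on a fast hash (assumption)


def report(policies=POLICIES, rate=ASSUMED_GUESS_RATE):
    """Return (name, bits, seconds) per policy, weakest first."""
    rows = [(p.name, keyspace_bits(p), exhaustive_search_seconds(p, rate))
            for p in policies]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for name, bits, secs in report():
        print(f"{bits:6.1f} bits  {secs:12.3g} s  {name}")
```

The numbers make the point the screenshots only hint at: a numeric PIN is gone in well under a second offline, an “exactly 8 characters” cap fixes the ceiling at under 48 bits no matter how clever the user is, and a 12-character password with no composition rules at all beats every policy on the list by more than thirty bits. The only thing the repeat and forbidden-letter rules buy is a slightly smaller space for the attacker to cover.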

Airport security: “so much inconvenience for so little benefit at such a staggering cost”

posted by Jason Kottke   Dec 22, 2011

Charles Mann visits the airport with security expert Bruce Schneier and a fake boarding pass. What he finds is a lot of security theater and not much security.

“The only useful airport security measures since 9/11,” he says, “were locking and reinforcing the cockpit doors, so terrorists can’t break in, positive baggage matching” — ensuring that people can’t put luggage on planes, and then not board them — “and teaching the passengers to fight back. The rest is security theater.”

(via df)

Liberty scattered

posted by Jason Kottke   Dec 13, 2010

Love the cover of the most recent issue of The New Republic.

Liberty scattered

Hacker double agent

posted by Jason Kottke   Nov 22, 2010

While assisting the Secret Service in bringing down a cybercrime ring called Shadowcrew, Albert Gonzalez was, unbeknownst to the agents he was working with, involved with a much larger scheme to steal credit card information on a massive scale. Despite making millions of dollars hacking into the databases of large companies, Gonzalez preferred living at home with his parents for three reasons:

1. he loved his mother’s cooking
2. he loved playing with his nephew
3. he could more easily launder money through his parents’ home-equity line of credit

When they pieced together how Gonzalez organized these heists later, federal prosecutors had to admire his ingenuity. “It’s like driving to the building next to the bank to tunnel into the bank,” Seth Kosto, an assistant U.S. attorney in New Jersey who worked on the case, told me. When I asked how Gonzalez rated among criminal hackers, he replied: “As a leader? Unparalleled. Unparalleled in his ability to coordinate contacts and continents and expertise. Unparalleled in that he didn’t just get a hack done — he got a hack done, he got the exfiltration of the data done, he got the laundering of the funds done. He was a five-tool player.”

Airport security: the Dick-Measuring Device or molestation?

posted by Jason Kottke   Oct 29, 2010

Jeffrey Goldberg on the TSA’s new security theater measures, including pat-downs that are so humiliating and uncomfortable that people won’t mind using the scanning machine that shows them naked.

I asked him if he was looking forward to conducting the full-on pat-downs. “Nobody’s going to do it,” he said, “once they find out what we’re going to do.”

In other words, people, when faced with a choice, will inevitably choose the Dick-Measuring Device over molestation? “That’s what we’re hoping for. We’re trying to get everyone into the machine.” He called over a colleague. “Tell him what you call the back-scatter,” he said. “The Dick-Measuring Device,” I said. “That’s the truth,” the other officer responded.

The pat-down at BWI was fairly vigorous, by the usual tame standards of the TSA, but it was nothing like the one I received the next day at T.F. Green in Providence. Apparently, I was the very first passenger to ask to opt-out of back-scatter imaging. Several TSA officers heard me choose the pat-down, and they reacted in a way meant to make the ordinary passenger feel very badly about his decision. One officer said to a colleague who was obviously going to be assigned to me, “Get new gloves, man, you’re going to need them where you’re going.”

The agent snapped on his blue gloves, and patiently explained exactly where he was going to touch me. I felt like a sophomore at Oberlin.

Empty the nation’s pools!

posted by Jason Kottke   Apr 06, 2009

From November 2007 but still relevant: Odds of Dying in a Terrorist Attack.

You are six times more likely to die from hot weather than from a terrorist attack

You are 87 times more likely to drown than die in a terrorist attack

You are 1048 times more likely to die from a car accident than from a terrorist attack

You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack

You are eight times more likely to be killed by a police officer than by a terrorist

I guess when you’re the President, it’s just not that impressive to say that you protected the nation’s populace from accidental suffocation in bed.

Really secure

posted by Jason Kottke   Feb 19, 2009

Along the lines of “what’s your mother’s maiden name?”, here are some even more secure user authentication questions.

What time was it when, in a drunken rage, you threw your novel into the fire?

If you could do it all over again, what would you do differently?

House keys copied from 200 feet away

posted by Jason Kottke   Nov 10, 2008

House keys left out on table + telephoto lens at a distance of 200 feet + SNEAKEY key duplication software = perfect working copies of your keys. Eep. The system also works with crappy cellphone camera photos.

Airport security theater

posted by Jason Kottke   Oct 17, 2008

I don’t know if this is sadly hilarious or hilariously sad. Jeffrey Goldberg took all sorts of crazy stuff through airport security — “al-Qaeda T-shirts, Islamic Jihad flags, Hezbollah videotapes, inflatable Yasir Arafat dolls (really), pocketknives, matches from hotels in Beirut and Peshawar, dust masks, lengths of rope, cigarette lighters, nail clippers, eight-ounce tubes of toothpaste (in my front pocket), bottles of Fiji Water (which is foreign), and, of course, box cutters” — and almost nothing was ever taken away from him or was a source of concern for airport security personnel.

We took our shoes off and placed our laptops in bins. Schneier took from his bag a 12-ounce container labeled “saline solution.”

“It’s allowed,” he said. Medical supplies, such as saline solution for contact-lens cleaning, don’t fall under the TSA’s three-ounce rule.

“What’s allowed?” I asked. “Saline solution, or bottles labeled saline solution?”

“Bottles labeled saline solution. They won’t check what’s in it, trust me.”

They did not check. As we gathered our belongings, Schneier held up the bottle and said to the nearest security officer, “This is okay, right?” “Yep,” the officer said. “Just have to put it in the tray.”

“Maybe if you lit it on fire, he’d pay attention,” I said, risking arrest for making a joke at airport security. (Later, Schneier would carry two bottles labeled saline solution-24 ounces in total-through security. An officer asked him why he needed two bottles. “Two eyes,” he said. He was allowed to keep the bottles.)

So hard to pick just one excerpt from this one…it’s full of ridiculousness. I don’t care how many blogs the TSA launches, this is a farce. (thx, anthony)

TSA Communication Plates

posted by Jason Kottke   Oct 03, 2008

Evan Roth has been putting metal plates with messages and symbols cut into them into his carry-on luggage when he goes through security at the airport.

Here’s Roth’s idea, which he calls “TSA Communication” and tells me has already made it through three trial airport runs: Take a metal plate, stencil and cut out a message — words or an image — place the plate at the bottom of your carry-on bag, and watch what happens as the TSA employee operating the airport X-ray machine notices … or doesn’t notice.

So far, he’s used plates with outlines of the American flag, a “NOTHING TO SEE HERE” message, and something he calls The Exact Opposite Of A Box Cutter, a plate with a box cutter shape cut out of it.

A mom let her 9-year-old son take

posted by Jason Kottke   Apr 15, 2008

A mom let her 9-year-old son take the NYC subway and bus home from Sunday shopping.

For weeks my boy had been begging for me to please leave him somewhere, anywhere, and let him try to figure out how to get home on his own. So on that sunny Sunday I gave him a subway map, a MetroCard, a $20 bill, and several quarters, just in case he had to make a call.

No, I did not give him a cell phone. Didn’t want to lose it. And no, I didn’t trail him, like a mommy private eye. I trusted him to figure out that he should take the Lexington Avenue subway down, and the 34th Street crosstown bus home. If he couldn’t do that, I trusted him to ask a stranger. And then I even trusted that stranger not to think, “Gee, I was about to catch my train home, but now I think I’ll abduct this adorable child instead.”

Upon telling the story to others, she encountered some resistance:

Half the people I’ve told this episode to now want to turn me in for child abuse. As if keeping kids under lock and key and helmet and cell phone and nanny and surveillance is the right way to rear kids. It’s not. It’s debilitating — for us and for them.

A chronological list of fears, from childhood

posted by Jason Kottke   Apr 07, 2008

A chronological list of fears, from childhood through parenthood. (via lone gunman)

The business of parenting

posted by Jason Kottke   Mar 31, 2008

Salon had an interview with Pamela Paul the other day, author of Parenting, Inc., a book about the business of parenting. Paul starts out by disparaging the $800 stroller phenomenon. Ollie’s stroller was somewhat expensive (not $800 but not $100 either) but it’s well built, flexible in use, nicely designed (functionally speaking), and was far and away the best one for our needs. We didn’t feel good about spending so much money, but the eventual cost-per-use will be in the range of cents, so we’re really happy with our choice so far. Some parents buy expensive strollers more as a fashion statement, so I can see where Paul is coming from on this one.

I thought the rest of the interview was quite good. We’re still new to this parenting thing, but Paul seems to be on the right track. Here’s her take on the best toys for kids:

When you think back to the ’60s and ’70s, all the right-thinking progressive parents thought toys should be natural and open-ended. Crayola and Kinder Blocks and Lego were considered raise-your-kid-smart toys. Then, all this data that came out which said that kids need to be stimulated. They need sound! They need multi-sensory experiences! Now, the more bells and whistles a toy has, the supposedly better it is.

Our parents’ generation actually had it right. The less the toy does, the better. Everyone thinks: “Toys need to be interactive.” No, toys don’t need to be interactive. Children need to interact with toys. The best toys are 90 percent kid, 10 percent toy, the kind of thing that you can use 20 different ways, not because it has 20 different buttons to press, but because the kid, when they’re 6 months old is going to chew on it, and toss it, but when they’re a year they’re going to start stacking it.

And then later:

At the most basic level reuse, recycle, repurpose. The average American child gets 70 new toys a year. That is just so far beyond what is necessary. Most child gear, toys, books are a lot cheaper, relatively speaking, than they were decades ago. In the aggregate it ends up being a lot more expensive, because we’re buying a lot more of it, but kids just don’t need that many toys. Kids lose out when things become less special.

We’ve been avoiding toys that make noise and light up. Half of his toys are garbage — old toilet paper rolls, bags that our coffee pods come in, 20oz soda bottles filled with colored water or split peas, scraps of fabric, etc. — or not even toys at all — pots and pans, measuring spoons, etc. It seems like the right approach for us; Paul’s “90 percent kid, 10 percent toy” really resonates.

Paul also talks about not overstimulating kids. When I get up in the morning or come home from the office, it’s hard not to scoop Ollie up and give him constant attention until he goes to bed or down for a nap. Instead, I’ve been trying to leave him alone to play and explore by himself. He’s getting old enough that when he wants me involved, he’ll come to me. In this way, parenting is like employee management; give people the resources they need and then let them do their jobs.

This last bit reminded me of our trip to Buy Buy Baby (subtle!!) to procure baby proofing supplies. They totally had a Wall of Death designed to entice parents to coat their entire house in cheap white plastic.

The baby-proofing industry completely preys on parents’ worst anxieties and fears. It really doesn’t take a brain surgeon to baby-proof a house, and every store has the “Wall of Death” with like 10,000 products in it that you can affix to any potentially sharp surface in your house, if you choose to go that route.

It’s difficult not to feel incredibly manipulated by the Wall of Death. You know deep down that it’s ridiculous; your parents didn’t have any of this crap and you turned out fine. But then the what-ifs start gnawing away at your still-shaky confidence as a new parent. Our encounter with the Wall paralyzed us, and with the exception of those plastic wall outlet plugs, we’ve punted on baby proofing for now. We’re letting Ollie show us where all the problem areas are before committing to any white plastic solutions.

Bruce Schneier on the Portrait of the

posted by Jason Kottke   Jun 15, 2007

Bruce Schneier on the Portrait of the Modern Terrorist as an Idiot. “Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots — and worse, allowing our essential freedoms to be lost by using them as an excuse — is wrong.”

SiteKey sucks

posted by Jason Kottke   Apr 12, 2007

I’ve used Bank of America to do my online banking in the past and their SiteKey “technology” always irritated the hell out of me because it led me to believe that Bank of America thought I was:

a) a criminal

b) an idiot

instead of:

c) a customer

The basic idea behind SiteKey is that when you log in to your account, you’re shown a photo of, say, an orange kitten before you enter your password so that you know you’re not on the site of a phisher who knows nothing about your orange kitten but wants to collect your login info. In addition, the site makes you verify your identity with a security question — like “what’s your favorite food?” — before using the site from a new IP address, which means if you’re on a cable or DSL connection, this happens every couple weeks when your current IP expires…or whenever BofA feels like they should throw up another virtual pane of bulletproof glass between you and your account information. For those who don’t fall for phishing scams — by accessing sites directly through bookmarks or by typing URLs into the location bar — SiteKey is nothing but an irritant and a deterrent and there’s no way to switch it off.

On Tuesday, Christopher Soghoian and Markus Jakobsson published a clever method by which password phishers could get around SiteKey. The method takes advantage of a simple hole in the logic concerning SiteKey…that anyone who knows your account’s login name and state of residence can see both your SiteKey image and any challenge questions, no password required. All the phisher has to do is ask for the login name and state of residence, send that info to the BofA site (via a script running on the phisher’s machine), get back a security question, display that, send the answer to the BofA site, get back the correct SiteKey image, display that, and collect the person’s password, all while presenting a nearly seamless Bank of America-like experience to the user.

Hopefully this gaping monster of a security hole will convince BofA that not only does SiteKey security not work, it’s not even security and they’ll soon be rid of it.

Update: Here’s an even easier SiteKey exploit.

I have your password. I did this with a freakin’ Bachelor of Arts degree. It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It’s a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don’t think this even qualifies as a “hack.” I think you should be concerned.

An anonymous author (they cannot legally reveal

posted by Jason Kottke   Mar 26, 2007

An anonymous author (they cannot legally reveal their identity) describes their National Security Letter gag order. Since the Patriot Act, the FBI has been sending out tens of thousands of these Letters, the recipients of which have no choice but to comply and keep absolutely quiet about it. “Living under the gag order has been stressful and surreal. Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case — including the mere fact that I received an NSL — from my colleagues, my family and my friends.”