Kip Hawley: "No, the TSA is Necessary Because This is War!"

CBS News did a story a few days ago on the Transportation Security Administration (TSA). Basically it was a tit-for-tat between Bruce Schneier, security pontificator extraordinaire, and Kip Hawley, the administrator of the TSA. Mr. Hawley maintains that the TSA provides a necessary service because we are at war, and the obvious battleground, apparently, is airplanes. Surely, we must all realize that just because the terrorists used airplanes once, they can't possibly have enough imagination to go for another target next time. Mr. Schneier, wisely, disagrees, points out all the flaws in what the TSA does, and calls the whole thing "Security Theater," a term whose origins are not entirely undisputed, but that is beside the point.

The interesting thing with this story is that neither Mr. Schneier nor Mr. Hawley was quoted as addressing what is currently the most glaring flaw in the entire air transportation security apparatus. If one of our enemies actually wanted to terrorize the populace, why take on the risk of blowing up another plane? Just for fun, head on down to your local airport this week. Walk into the terminal area and take a look at the security line. At Dulles (IAD), Los Angeles (LAX), Chicago (ORD), Denver (DEN), Atlanta (ATL), John F. Kennedy (JFK), etc., the picture is the same. There will, at any given moment, be 500 to 1,000 people in line.

It took 5 terrorists per plane (four on one plane) to blow up the planes on September 11, 2001. Together, they managed to kill 2,751 people. That's  145 victims per attacker. Take those 19 terrorists, strap them full of explosives, and position them strategically in the lines the TSA has created leading up to the security checkpoints. I guarantee you that each one of them will kill 145 people, or more. Better still, have them get in line with a bag full of explosives, then leave the bag and step out of line. They will probably have two to three minutes to make a get-away before the bag explodes before anyone even so much as looks at those bags. One might even have more if one chats up the people next to oneself in line to watch the bag while the attacker runs to the restroom. Suddenly, we have the prospect of a devastating, coordinated attack that is far more insidious, far more deadly, and far more difficult to prevent, than the attacks of September 11. This one you can't inspect away. You can't put a security checkpoint to get into the security checkpoint.

The TSA, single-handedly, created this vulnerability by making the airport security checkpoints so incredibly inefficient (and, one might add, ineffective) that the lines leading up to them back up with hundreds, or, in the case of Dulles, even thousands, of people. If the terrorists really wanted to erode confidence in our transportation infrastructure, why not make the security checkpoints the most dangerous part of it?

Mr. Hawley, in your final few weeks, how are you going to protect the public you are sworn to protect from this attack? How are you going to prioritize our safety while we are waiting in line so that your spiffily dressed officers can declare us as posing no risk to the traveling public?

One "Hacker" Attempts to Rule The World

Wired, always a source for amusement and interesting literature, just carried a story on a "hacker" (the magazine's use of the term equates to "criminal") who attempted to dominate the market in stolen credit cards. It's a neat story about an unsavory character who is not going to get enough prison time. 

If you are too busy to read it, here is a synopsis:

Once upon a time, there lived in a far away land an evil dark lord. He lived in a dark castle with all kinds of dark objects around him. His most prized possession was the Mirror of Omniscience, which let him see into the lives of everyone else in the kingdom. His highest ambition was to take over the world and become ruler over all the land.
Luckily, there was a handsome and strong prince who wanted to preserve the beauty and way of life in this delightful communist enclave. The prince was deeply in love with the most beautiful woman in the whole kingdom. However, the dark lord had imprisoned her soul in his dark castle. So, the handsome prince set out to rescue her and save the kingdom from the impending disaster.

and the handsome prince broke the Mirror of Omniscience, and they all lived happily ever after.

You need to manually undo your MS08-078 mitigations






Just as an FYI for those of you who used Microsoft's recommended mitigations for MS08-078: if you unregistered the MSXML Island object, you need to manually re-create the registry entries after you install the patch to restore the functionality. The patch does not re-create the registry entries. Unfortunately, it appears Microsoft removed the actual registry entries from the bulletin and removed the work-around information from the advisory altogether, so unless you created a backup copy, you will need to look at an untouched system to find out what the registry entry was.


Or, you can just copy this into a text file called “WhyDidTheyRemoveTheInformationINeed.reg” and double-click it:


Windows Registry Editor Version 5.00













Lock your USB Token

Recently, Lev Bolotin of Clevx gave me a production sample of a USB token with a keypad on it. It's a pretty neat idea for certain uses. My immediate thought went to BitLocker in Windows Vista. You can store the BitLocker key on a USB stick, but you cannot prevent anyone who gets their hands on the USB stick from stealing the key. Nor can you require a PIN and the USB stick to unlock your drive. With Lev's stick, however, you can put a PIN on the USB stick itself. Unless you enter the PIN on the device before sticking it into the computer, the stick won't give up the BitLocker key. In other words, you finally get the option for both a USB stick and a PIN to unlock your BitLocker volumes.

I also like IronKey as a safe and secure USB stick. IronKey also permits multiple volumes, something that Clevx's technology currently does not have. In other words, IronKey lets you have one encrypted volume and one unencrypted one, both on the same stick. However, IronKey requires software installed on your computer to access the encrypted volume. This precludes its use to provide a second factor for BitLocker because the BitLocker key has to be available prior to booting the operating system, and IronKey's software cannot run unless the operating system is running. If you put your BitLocker key on the IronKey, it must be on the unencrypted partition.

Clevx's PIN technology is currently available from Corsair in the Flash Padlock product.

More on BitLocker is available in Byron Hynes's excellent TechNet Magazine article. I still run BitLocker on all my Vista computers.

Believe it or not; DRM for Zune is down!

Shocking, yes, I know, but in only four hours this evening Microsoft has managed to alienate over 150 additional customers with its insistence on Digital Rights Management (DRM). This time it is the DRM component of the Zune store that is down, according to the 164 posts so far over on the Zune forums. OK, so realistically, that probably means that about 100 times that many customers have been alienated, including my oldest son who is unable to use the $15 worth of Zune points that his mother just purchased for him because "Error C00D12F6: Can't verify your media usage rights. A local firewall may be blocking access to the Zune service".

Rest assured, it is not a firewall problem. It is just that the DRM servers on the Zune site are horked up, again. No DRM: no buying music. No buying music: unhappy son. Perhaps the best part of this was that a few customers who called the Zune support line (1-877-438-9863) to get help were told to reset their DRM components. That turns out to not be the best move they made tonight as after doing so they can no longer play ANY of the music they have purchased on the Zune store. Ever.

I will take guesses at this point for when the industry will FINALLY get it that DRM, while completely useless in combating actual piracy, is extremely useful in combating customer satisfaction.

If you really wanted to defeat the Zune DRM it really is not that hard. For one, you could use FairUse4WM. Alternatively, my old friend Rob Hensing, in the Security Engineering group at Microsoft, recommends using the old trick of burning the songs on CD and ripping them again to remove the DRM from legally purchased music. Those ideas work for music. If your fancies turn to DVD movies on your Zune, there are some suggestions for how to do it from Microsoft employees on the TechNet and MSDN blog sites. Keith Combs apparently prefers the Xilisoft DVD Ripper Platinum. Andy Pennel appears to have figured out how to rip DVDs to play both on his Zune and his Media Center PC, but won't tell you how on his MSDN blog. Probably a wise move considering he just admitted to a Federal Crime on a company-sponsored blog. Wouldn't want to give the prosecutor too much information now, would we? Rohan Thomas, however, discusses how to leverage new Silverlight features when ripping your DVDs on his MSDN blog. Steve Makofsky, over on the MSDN blogs, apparently uses DVD Decrypter and Nero Recode to get his DVD movies into a format suitable for playing on devices. That is the same piece of software Keith Combs used.

Did I mention, by the way, that Amazon sells music without DRM? It will play for sure on any device you have now or in the future.