Two examples of totally ineffective security responses in today's news. First, in suburban Chicago, a commuter-rail ticket agent called police about a man with a gun boarding a train, causing a two-hour delay as heavily-armed cops evacuated and searched the train. They found the man with the gun when the man in question saw the commotion and identified himself as a Secret Service agent, not realizing he was himself the target of the search:
Metra spokeswoman Judy Pardonnet said the incident began when a plainclothes Secret Service agent asked a Naperville ticket agent whether there were metal detectors aboard the BNSF Line train and indicated he was carrying a gun.
Kristina Schmidt of the Secret Service office in Chicago said a preliminary review showed the agent had acted properly and identified himself to the ticketing staff.
Schmidt said the agent noticed the Metra employees eyes go to his waist and look at his service weapon as he was taking out his wallet to buy a ticket.
"He verbally identified himself as law enforcement and said that he was armed," Schmidt said. "That was pretty much the extent of their conversation."
Assuming all was fine, the agent boarded the train, she said.
It was a few minutes later that police boarded the train. The agent again identified himself, Schmidt said, not realizing his interaction with the Metra employee had led to the train being stopped.
The ticket agent had told police a suspicious man was asking "unusual questions that were security-based" at the Naperville Metra station, Naperville Police Cmdr. Dave Hoffman had said. Officers were unsure if the man got on the train so authorities decided to stop it near Lisle to search for him, he said.
Farther afield, in the U.K., a official for a prision lost an encrypted memory stick containing personal health information about prisoners. The problem? The password was taped to the stick (via Bruce Schneier):
Health bosses have apologised after a memory stick containing patient information was lost at Preston Prison.
An urgent investigation was launched after the USB data stick – with the password attached to it on a memo note – went missing on Tuesday, December 30.
The stick may have contained information of up to 6,360 patients.
Kudos to everyone involved for using your heads and keeping us all safe!
Via Bruce Schneier, a woman brought clearly-labeled gunpowder through a TSA checkpoint, in the regulation size baggies:
Mind you, I had packed the stuff safely. It was in three separate jars: one of charcoal, one of sulphur, and one of saltpetre (potassium nitrate). Each jar was labeled: Charcoal, Sulphur, Saltpetre. I had also thoroughly wet down each powder with tap water. No ignition was possible. As a good citizen, I had packed the resulting pastes into a quart-sized "3-1-1" plastic bag, along with my shampoo and hand cream. This bag I took out of my messenger bag and put on top of my bin of belongings, turned so that the labels were easy for the TSA inspector to read.
I expect she'll get noticed the next time she flies...
From my dad, yet another New York Times article to make you all warm and fuzzy inside:
Thieves Winning Online War, Maybe in Your PC
Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.
As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.
I spent part of this afternoon rooting around in my email correspondance from 1999 and 2000. Forgetting the wherefores and whatnots of the emails themselves, just getting into the Outlook files proved difficult. How many passwords does anyone remember from nine years ago? I actually remember a few, but not, unfortunately, the ones I needed.
Sure, I found them eventually, but heavens. That's half an hour of my life I'll never get back, and it was my own fault.
I've largely solved Yesterday's frustration (more of a PEBCAK issue than anything else, wouldn't you know?) so now I have a new one: the touchpad on my laptop isn't working. It's probably a driver issue, but still, it makes navigating—doing anything, really—that much more difficult.
Anyway. On to New York for my first-and-only Yankees game.
Forgot to mention: Philadelphia beat Altanta 12-10 yesterday. As soon as I get my technical problems fixed I'll have photos of the massive thunderstorm that caused a two-hour rain delay. And after a nail-biting day when the Cubs and Milwaukee were tied for first place, the Cubs won and Milwaukee lost, putting us a full game up once again.
Windows is designed to be secure (don't laugh). One security measure is to lock users out after a certain number of failed login attempts. Vista, however, tries lots more times to login than you might think. So, even if you mis-type your password once or twice, Vista might think the KGB is trying to break into your laptop and lock you out.
I know this because, 36 hours into a 7-day trip, I appear to be locked out of my laptop.
Now, I can unlock my laptop in seconds by logging in while connected physically my network. Only problem, my network is 1100 km away and I won't reconnect to it for a few days.
So, great, at least my laptop is secure from someone who knows my UID and password. Of course, if someone ripped the hard drive out and connected it to another machine, he could read the unencrypted parts without any problem. Since I would like to keep the laptop intact, and it's the encrypted parts that I kind of need right now, it's inconvenient, to say the least.
When I calm down and I don't want to beat the Windows Vista team lead over the head repeatedly with my laptop, I'll explain why this "security" only matters if you aren't actually a malicious hacker, and why if you are a malicious hacker it's irrelevant. In other words, what I'm going through at this exact moment is much like the people lining up for crosses in Monty Python's Life of Brian: it'll only hurt if you're honest.
Via Dad, it seems a network administrator for the City of San Francisco has locked out all the other administrators:
A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.
Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.
Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.
He was taken into custody Sunday. City officials said late Monday that they had made some headway into cracking his pass codes and regaining access to the system.
He's about to find out that you can sit in jail on a contempt of court charge for, well, ever.
The first—the most serious one—comes from David Brooks via my friend RB:
Let’s take a look at what [Clinton is] going to put her party through for the sake of [a] 5 percent chance [of winning]: The Democratic Party is probably going to have to endure another three months of daily sniping. ... For three more months (maybe more!) the campaign will proceed along in its Verdun-like pattern. There will be a steady rifle fire of character assassination from the underlings, interrupted by the occasional firestorm of artillery when the contest touches upon race, gender or patriotism. The policy debates between the two have been long exhausted, so the only way to get the public really engaged is by poking some raw national wound.
The other story, via Bruce Schneier, concerns a weird but scary Craigslist hoax:
Two hoax ads on Craigslist cost a Jacksonville man thousands of dollars in property Saturday and could land the pranksters in jail on theft and burglary charges.
The classified ads popped up Saturday afternoon on the Web site saying the owner of a home ... was forced to leave the area suddenly and that his belongings, including a horse, were free for the taking, said Jackson County sheriff's Detective Sgt. Colin Fagan.
The only problem is that Robert Salisbury has no plans of leaving his home any time soon.
Finally, a new dating website that left my friend TLC "flabbergasted but intrigued:"
You fill out a profile which consists of photos, your height, body type, education, occupation and a personal statement, and get rated by other members of the In My League community on a scale of one to ten based on your attractiveness.
Once you've been rated five times, you'll see your rating and all of your matches. Your matches are people who are within one point of your rating either way on the ten point scale. You can send messages and flirts to your matches, and when you appear as someone else's match, they send messages and flirts to you.
So if you're a 7.0, you'll be able to contact members who are rated as high as 8.0. And nobody rated below a 6.0 will be able to get in touch with you.
We live in interesting times.