The Daily Parker

Politics, Weather, Photography, and the Dog

Are we finally having a constructive discussion about security?

The Boston Globe thinks it's time to do away with the TSA:

Let’s face it: The Transportation Security Administration, which annually costs taxpayers more than $7 billion, should never have been created. The responsibility for airport security should never have been federalized, let alone entrusted to a bloated, inflexible workforce. Former TSA administrator Kip Hawley calls it “a national embarrassment that our airport security system remains so hopelessly bureaucratic” and warns that “the relationship between the public and the TSA has become too poisonous to be sustained.” More tests and more failures won’t fix that. Scrapping the TSA would.

Fearmongers might howl, but abolishing the agency wouldn’t make air travel less secure. Given the TSA’s 95 percent failure rate, it would likely make it more secure. The airlines themselves should bear the chief responsibility for protecting planes and passengers at airports. After all, they have powerful financial incentives to ensure that flights are free of danger, while at the same time minimizing the indignities to which customers are subjected. Their bottom line would be at stake. The TSA feels no such spur.

I am posting this from an airplane, by the way. I understand that this has the potential for tragic irony.

Don't selfie secrets

By "secrets" I mean any data you don't want known to the public. As a recent incident (via Schneier) shows, that includes a selfie of yourself holding a winning betting ticket:

A woman has lost $825 she won betting on the 2015 Melbourne Cup after she posted a photo of herself holding the winning ticket on Facebook.

According to The Daily Mail, a woman named Chantelle placed a $20 bet on the 100-to-1 shot Prince of Penzance at this year’s Melbourne Cup, Australia’s most prestigious Thoroughbred horse race.

Chantelle believes that though her fingers were covering up part of the ticket’s barcode in her selfie, a “friend” on her profile might have used her photo and [another photo of the ticket] to piece together the complete barcode, run it through an automated machine, and claim the winnings themselves.

So, kudos to Chantelle for knowing not to post the entire barcode, but, um, maybe she shouldn't have posted any of it?

More guns on planes?

The Economist reports that gun seizures at TSA checkpoints have risen dramatically:

TSA agents discovered 68 firearms in travellers’ carry-on bags. That is the most the agency has ever found in a week. Of them, 61 were loaded, and 25 had a round in the chamber, ready to fire.

The record probably won’t stand for long. The prior high-water mark for intercepted guns was set a month earlier, when TSA agents found 67 firearms. As the Washington Post points out, it’s all part of a steady upward trend that stretches back at least a decade. In 2005, for every 1,000 air travellers, TSA agents discovered an average of less than one gun. In 2015, through the summer, the figure is more than three.

And of course that is just what TSA is catching. In a recent test, agents posing as passengers were able to sneak fake weapons and bombs through airport security 96% of the time. If the TSA agents were as sloppy last week as that exercise suggested, then there weren’t just 68 firearms packed into carry-on bags; there were more like 1,700.

Why are there so many more guns at TSA checkpoints? Possibly because there are so many more guns:

Gun production has more than doubled since President Obama took office, as gun advocates who fear that the president might crack down on the sale of firearms rush out to buy them, either in protest or in fear of future restrictions. But Mr Obama has not been able to persuade Congress to enact new gun-control measures, and so sales have continued to climb unimpeded.

I love living in a 19th-century country, don't you?

FitBit attack vector?

Via Schneier, a report that FitBit trackers could, in theory, spread malware to users' computers:

The athletic-achievement-accumulating wearables are wide open on their Bluetooth ports, according to research by Fortinet. The attack is quick, and can spread to other computers to which an infected FitBit connects.

Attacks over Bluetooth require an attacker to be within metres of a target device. This malware can be delivered 10 seconds after devices connect, making even fleeting proximity a problem. Testing the success of the hack takes about a minute, although it is unnecessary for the compromise.

"Fortinet first contacted us in March to report a low-severity issue unrelated to malicious software. Since that time we’ve maintained an open channel of communication with Fortinet. We have not seen any data to indicate that it is currently possible to use a tracker to distribute malware," [FitBit said].

The researcher has made it clear that this is a proof-of-concept attack, and not one that exists in the wild.

Figuring out the Safe Harbor fallout

As I mentioned yesterday, the European Court of Justice has ruled that the US-EU Safe Harbor pact is invalid under European law:

The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans’ online information. The court said leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.

The court said data protection regulators in each of the European Union’s 28 countries should have oversight over how companies collect and use online information of their countries’ citizens. European countries have widely varying stances toward privacy.

The Electronic Frontier Foundation examines the implications:

[I]f those reviews [of individual companies' transfers] continue to run against the fundamental incompatibility of U.S. mass surveillance with European data protection principles, the end result may well be a growing restriction of the commercial processing of European users' data to within the bounds of the European Union.

That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it on to the Americans. Keep your data in your own country, and you'll find the NSA—or other European states, or even your own government— breaking into those systems to extract it.

Harvard law student Alex Loomis highlighted the uncertainties for US-based companies:

But ultimately it is still hard to predict how national and EU authorities will try to enforce the ECJ decision in the short-run because, as one tech lobbyist put it, “[c]ompanies will be working in a legal vacuum.” Industry insiders are already calling for more guidance on how to act lawfully. That’s hard, because the EU Commission’s decision is no longer controlling and each individual country thus can now enforce EU law on its own. Industry experts suggest that the turmoil will hurt smaller tech companies the most, as the latter lack separate data centers and accordingly are more likely to rely on transferring data back to the United States. As I pointed out last week, that might have some anticompetitive effects.

In short, data transfers between the EU and US are now a problem. A big one. Fortunately at my company, we don't keep any personal information—but we still may have a heck of a time convincing our European partners of that, especially if Germany and France go off the deep end on privacy.

On the reading stack

These crossed my various news feeds today:

I've now got to really understand the implications of the EU ruling. More when I do.

The Internet self-corrects (sort of)

Canadian Julia Cordray created an app described as a "Yelp for people," and apparently failed to predict the future:

Except of course it took the rest of the world about two seconds to figure out that filtering the world to only include those with positive feelings was not exactly realistic, and all the app was likely to do was invite an endless stream of abuse, bullying, and stalking.

It wasn't long before people were posting Cordray's personal details online – seemingly culled from the Whois information for domain names she owns. Just to highlight how out of control these things can get, one heavily quoted tweet providing her phone number and home address actually provided the wrong information.

Meanwhile, the company's website at ForThePeeple.com has fallen over.

We'll have this app, of course. I'm interested to see how U.S. and U.K. libel laws deal with it. Or not.

Update: Just looking at their Facebook page, I can't help but wonder if this is just a parody. But no, these women are delusional, and their app is not a new idea—just one that no one before them has ever had the immorality to produce.

Sadly, I think it will be a success.

Upgrades!

In the last 48 hours, I've upgraded my laptop and Surface to Office 2016 and my phone to Android 5.0 and 5.1. Apparently T-Mobile wants to make sure the Lollipop update works before giving you all the bug fixes, which seems strange to me.

All four update events went swimmingly, except that one of my Outlook add-ins doesn't work anymore. Pity. I mean, it's not like Outlook 2016 was in previews for six months or anything...