Thursday, March 18, 2010


Archive for the ‘DHS’ Category

TSA: it wouldn’t be so bad if there were a point

So, the other day I was going from Seattle to Manchester. And believe me, it was one hell of a trip… The day was kicked off by finding out that SeaTac had no power in Terminal A, and ended 20 hours later (finally) in New Hampshire where I found out that the TSA had searched my luggage. Now, I don’t know about you, but in the past when people have searched my belongings, they didn’t wind up breaking stuff. This time, however, the gloves were off. Those guys did it all – wrinkled my suits, made little “snowballs” out of my shirts, pulled matched socks apart, and finished it off by breaking stuff; specifically, by breaking the zipper on my suitcase and by breaking my belt. Now, I got the suitcase for free from LL Bean, but it retails for a hundred and change; the belt I bought at Banana Republic for 80 dollars (don’t ask – I was at a conference and needed a belt.) So, almost 200 dollars worth of damage. They did, however, leave a little courtesy form-letter telling me they had “inspected” (read: gone apesh*t on) my luggage.

Now, I’m usually pretty calm about stuff like this. They’re just doing their job, right? And all of this stuff has a security benefit, so it’s worth it, right? Um… Well, maybe not. Now, you all have had to hear me gripe about why this stuff doesn’t do anything for security – like why it’s “good marketing” for TSA to put on a show of checking for stuff when the security benefit it provides is basically nil. I’ve had countless conversations with security folks, the majority of whom believe that the TSA security measures are useless. And now yet another respected news outlet is saying it too. And you know what? He’s totally right. The security measures are a show… And underneath the show? Continued incompetence.

Incompetence like the fact that they have yet to fix the problems with the Watch List. Now, you might say that inconveniencing a few thousand people is worth the price of increased security; and maybe you’d be right – if this watch list did anything. But it doesn’t – in fact it does the opposite. It wastes money that could be spent efficiently on terrorism prevention, it wastes cycles that could be spent on doing something productive, *and* it makes travel more painful all around thereby accomplishing the terrorists’ original goal of disrupting our way of life. Wanna get pissed off? Take a look at the TSA fact sheet for 2006 where the DHS lists their “highlighted” accomplishments for 2006. Accomplishment number one is this BS about the liquids… They “trained over 40000 people” and “conducted extensive explosive testing” (all at taxpayer expense) for a threat that we all know isn’t feasible. And when TSA finally clued in to the fact that it’s bogus? They “proved their flexibility” by “modifying the ban”. And what did that cost us, the taxpaying public? Hundreds of millions that could have been spent on developing automated approaches to baggage screening that won’t leave innocent travelers with wrinkled clothes and no belt.

Now that’s progress.


Airport Security: How to make life suck and have people love you for it.

OK, so remember when we were talking about behavioral screeners at airports? Well, apparently they’ve decided to expand that program; check it out:

But security officials here are so impressed with behavior pattern recognition techniques – which they say can distinguish a nervous traveler from a dangerous one – that they say they plan to expand their use more widely in Miami than at any other U.S. airport. If officials have their way, all 35,000 of the airport’s workers – including janitors, skycaps, even Starbucks coffee servers – will be trained to watch travelers for suspicious movements.

Awesome, so in addition to serving up vanilla lattes, your local barista also has law enforcement in their scope of responsibility. Remember that when you get tempted not to tip them. So what are the suspicious activities? Apparently, they include:

…someone rifling through a trash can, an unattended bag, a young man sitting on the floor alone, or a seemingly unhappy face.

An unhappy face? Sitting on the floor alone? These are behavioral traits I exhibit on almost every business trip I make: I’m unhappy because traveling sux and I sit on the floor alone quite a bit, usually with a laptop next to one of the jealously guarded and carefully hidden power outlets.

This, like most of the other anti-terror measures at airports is likely to be less than effective. But will it go away? I doubt it; people just feel too good about these measures – it gives them that warm and fuzzy illusion of safety. Check out the statistics:

Among the findings of the poll of U.S. adults, taken Aug. 18-20:


Airplane Hijinx

So, worth reading for the humor is the AxisofLogic take on airport security. I’m glad I’m dieting, since according to them, the “stripper-o-matic” nudity cam could be coming to an airport nearby.


“Behavior Screeners”. Sure.

Are you kidding me? In case you didn’t see last week’s NYTimes article, Faces, Too, Are Searched at U.S. Airports, I highly advise you to check it out. Now, normally I don’t blog about the jackassery that goes on in airports – after all, most security experts that I talk to are all in agreement that the airline security measures are bogus, but this one is over the top! Here’s the synopsis: when you’re waiting in line to go through the insanely long security line, there are (apparently) individuals whose job it is to look for “agitated” or “nervous” individuals and give them the extra-close “latex glove” kind of scrutiny.

According to the manager of the teams,


DHS continues to not get it done

Remember back in October when we wrote about how the DHS wasn’t getting it done in terms of critical infrastructure protection? Well, the other day GCN put out an article about Andy Purdy’s discussion at the 2006 International Conference on Network Security where he indicated that… well, things still aren’t getting done. He indicated that there’s a lack of coordination at the highest levels, a lack of information sharing between the federal and the private sector, and that cybersecurity is too low on the White House priority list. At least they have a reality-based picture of the situation over there.

In apparent answer to this, the National Science and Technology Council issued a 121 page report that basically says the same thing, but at significantly more taxpayer expense. Seems like we really need to start getting things done over there.

By the way the picture is from the Homeland Security On a Roll entry from the “Duct Tape Guys”. Yeah, it’s that funny.


DHS Flunks Yet Again

Once again, the DHS has brought home their cybersecurity report card, and for the third straight year they’ve flunked across the board. The government reform committee, in this year’s FISMA report card once again deemed that DHS maintains a security posture that is “unacceptably low.” Said chairman Tom Davis,

DHS must have its house in order and should become a security leader among agencies. What’s holding them up?

Business Week has picked this up and ran with it in their “Department of Homeland Insecurity” coverage, saying:

Flaws in the government’s systems come in spite of a big and growing IT budget. The federal government’s IT budget rose to $62.2 billion in the year ended September, 2005, from $50.4 billion in 2002. Of that, $4.8 billion was for IT at the DHS, including $2.35 billion specifically for IT security, according to the OMB. The entire DHS IT budget was $1.8 billion in 2002, the year it was created.

62.2 billion dollars and they can’t get it done… Perhaps some after-school activities (glee club?) might help them stay focused on their studies; or maybe we can refer the DHS to the SchoolMatters website hosted by the Department of Education… After all, the DoE scored a “C” this year (up from last year’s “C-”) – thereby proving that “no agency left behind” really is working.


Government Roundup

It’s been quite a week for government information security. For the fellow connoisseurs of human folly, here’s the recap.

First and foremost, the NSA’s website was down for reasons unspecified. Since officials at the NSA would not comment on whether or not it was the work of attackers, we’re left to assume that it probably was.

Next, the GSA has shut down a web page used by contractors due to application security issues – basically, there wasn’t any authorization on the site; sure, you had to type a username and password in, but the website had two states: authenticated and not-authenticated. By manipulating the URL parameters, one could call up documents belonging to other companies or submit documents on their behalf. Ouch.
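The “two states” failure described above is the classic insecure direct object reference: the application checks that *someone* is logged in, then serves whatever document id appears in the URL without asking whether the caller owns it. The following is an added example, not code from the original post or from the GSA site, and all names, companies, tokens and document ids in it are constructed for illustration. It models both the broken handler and the corrected one side by side so the difference in control flow is visible.

```python
"""Added example (constructed; not the GSA application): authentication alone
versus authentication plus per-object authorization for a document endpoint."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Session:
    user: str
    company: str


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_company: str
    body: str


# Constructed sample store, keyed by the id that would appear in the URL.
DOCUMENTS = {
    101: Document(101, "acme-llc", "Acme bid for contract EXAMPLE-1"),
    102: Document(102, "globex-inc", "Globex pricing schedule"),
}

# Constructed session table: token -> logged-in identity.
SESSIONS = {
    "tok-acme": Session("alice", "acme-llc"),
    "tok-globex": Session("bob", "globex-inc"),
}


class AccessDenied(Exception):
    pass


def authenticate(session_token: Optional[str]) -> Session:
    """Step 1: is there a valid login at all? Both handlers do this."""
    session = SESSIONS.get(session_token or "")
    if session is None:
        raise AccessDenied("not logged in")
    return session


def fetch_document_vulnerable(session_token: Optional[str], doc_id: int) -> str:
    """The 'two states' design: once logged in, any doc_id from the URL
    is served regardless of who owns it (the defect the post describes)."""
    authenticate(session_token)
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.body


def fetch_document_hardened(session_token: Optional[str], doc_id: int) -> str:
    """Authentication plus authorization: the object is looked up, then its
    owner is compared with the caller's company before anything is returned."""
    session = authenticate(session_token)
    doc = DOCUMENTS.get(doc_id)
    # Same failure for 'missing' and 'not yours', so the endpoint does not
    # reveal which ids exist to callers who are not allowed to see them.
    if doc is None or doc.owner_company != session.company:
        raise AccessDenied(f"document {doc_id} not available to {session.user}")
    return doc.body


def submit_document_hardened(session_token: Optional[str], doc_id: int, new_body: str) -> bool:
    """Writes need the same owner check; the post notes submissions on
    another company's behalf were possible, not just reads."""
    session = authenticate(session_token)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_company != session.company:
        raise AccessDenied(f"document {doc_id} not writable by {session.user}")
    DOCUMENTS[doc_id] = Document(doc_id, doc.owner_company, new_body)
    return True


def can_read(fetch: Callable[[Optional[str], int], str], session_token: Optional[str], doc_id: int) -> bool:
    """Compare the two handlers: True if the call returns a body."""
    try:
        fetch(session_token, doc_id)
        return True
    except (AccessDenied, KeyError):
        return False


if __name__ == "__main__":
    for name, fetch in (("vulnerable", fetch_document_vulnerable),
                        ("hardened", fetch_document_hardened)):
        # Acme's session asking for Globex's document 102 via the URL id.
        print(f"{name}: acme reads globex doc 102 -> {can_read(fetch, 'tok-acme', 102)}")
```

The check that matters is the `owner_company` comparison against the *session's* company, not against anything the client sends; a request parameter naming the company would be just as attacker-controlled as the document id. Returning one uniform denial for missing and foreign ids is a small extra so that the endpoint cannot be used to enumerate valid document numbers.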

The IG (Inspector General) continues to get it done; he’s continued the tradition of past reports and said that the DoD’s security posture continues to be below par. From the report:


No DHS Left Behind?

According to CNET, the DHS takes another one on the head. This time, it’s from former members of the 9/11 commission who say, “The federal government is not making enough progress in protecting critical infrastructures… Progress also is lacking in airline security and providing radio spectrum to first responders…” Sweet.

It’s in “report card” format, which makes the DHS security posture seem kind of like a submarine: below “C” level. Notable flunkage is in the areas of airline pre-screening, allocation of funds based on risk, and declassification of the budget. There are “D”s in “Critical Infrastructure Protection”, “Internal Collaboration”, and “Information Sharing.” I think maybe it’s time we start applying some of the rules from the “No Child Left Behind” initiative to the DHS – like by turning over control of the underperforming DHS to the Department of Education.

“There are far too many C’s, D’s and F’s in the report card we will issue today. Many obvious steps that the American people assume have been completed have not been. Our leadership is distracted… All key decisions are at least a year away. It is time that we stop talking about setting priorities, and actually set some.”

The DHS response has apparently been to step up security by throwing random people on the “terrorist watch list.” Nothing says “we’re getting it done” like strip searches all around.


Scott Borg Newly Appointed DHS “Debbie Downer”

The cyber attacks of recent years have been relatively unsophisticated and inexpensive compared to the potential of organized attacks… Organized attacks by teams of hackers… could have a huge impact on a nation’s economy… We will probably see terrorist groups, criminal organizations putting together combinations of talent…

Wow. Does anybody have a straight razor or some sleeping pills? What a bummer. What kills me about this is that he’s not wrong; I hate FUD (Fear, Uncertainty, Doubt) and I particularly hate FUD in the media. However, Scott has a point, and thinking it over, I think it’s good “due diligence” for the DHS to listen to what he has to say. Not that I’d want to share a cab ride with the guy.

Any security practitioner worth his/her salt knows the traditional wisdom that most threats come from the inside. I’ve worked in financial services, so I’m pretty well versed in how security in that sector goes down (i.e. it’s just like everywhere else.) So, I think it’s not out of line for someone like Scott “resistance is futile” Borg to point out that if baddies could coordinate an attack with collusion from the inside – that they could do some serious damage. It’s not necessarily a new idea (it was, after all, a plot point in the movie “Fight Club”), but somehow Scott puts some super-depressing English on it that really makes it slam home.


Festive Week for the DHS

Last week marked the release of the preliminary NIPP (National Infrastructure Protection Plan) from the DHS; all 175 vague pages of it. It also marked the release of an audit of FEMA’s database security, basically telling us what we already know – that FEMA’s database security is in line with the rest of IT security in the DHS (i.e. minimal and poorly implemented.)

Never being one to remove the splinter from their own eye before recommending a “vigilant foreign-body exploration posture” to others, the DHS includes a “honey-do” list in the NIPP for the world at large. There’s a laundry list of task items for the private sector, additional specific recommendations broken down by sector, and to-do’s for academia (unfunded, of course.)

In general, I’m thinking that the recommendations will probably fly better with those folks who are out of the loop on the DHS security track record… On the upside, if you choose to ignore the recommendations by infrequently auditing, taking years to develop a security plan, not conducting training exercises, and having lax technical controls – you can honestly say that you’ve modeled your security program on how the DHS does business. If you decide to go that route, just remember that what works for the DHS may not work for you – after all, in the private sector, you’re accountable to your customers.
