Slashdot Mirror

The U.S. Department of Homeland Security has published today an "emergency directive" that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran. ZDNet reports: The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed. The DHS documents also urges government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers.

The emergency directive comes after last week, the DHS issued an alert about ongoing DNS hijacking attacks through its US-CERT division. The DHS US-CERT alert was based on a report published last week by U.S. cyber-security firm FireEye. The now infamous report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies. The purpose of these DNS hijacks was to redirect web traffic meant for companies and agencies' internal email servers towards malicious clones, where the Iranian hackers would record login credentials.

The U.S. Department of Homeland Security has published today an "emergency directive" that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran. ZDNet reports: The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed. The DHS documents also urges government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers.

The emergency directive comes after last week, the DHS issued an alert about ongoing DNS hijacking attacks through its US-CERT division. The DHS US-CERT alert was based on a report published last week by U.S. cyber-security firm FireEye. The now infamous report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies. The purpose of these DNS hijacks was to redirect web traffic meant for companies and agencies' internal email servers towards malicious clones, where the Iranian hackers would record login credentials.

The Department of Homeland Security's internal watchdog, known as the Office of the Inspector General (OIG) found that the majority of U.S. Customs and Border Protection (CBP) agents fail to delete the personal data they collect from travelers' devices. Last year alone, border agents searched through the electronic devices of more than 29,000 travelers coming into the country. "CBP officers sometimes upload personal data from those devices to Homeland Security servers by first transferring that data onto USB drives -- drives that are supposed to be deleted after every use," Gizmodo reports. From the report: Customs officials can conduct two kinds of electronic device searches at the border for anyone entering the country. The first is called a "basic" or "manual" search and involves the officer visually going through your phone, your computer or your tablet without transferring any data. The second is called an "advanced search" and allows the officer to transfer data from your device to DHS servers for inspection by running that data through its own software. Both searches are legal and don't require a warrant or even probable cause -- at least they don't according to DHS. It's that second kind of search, the "advanced" kind, where CBP has really been messing up and regularly leaving the personal data of travelers on USB drives.

According to the new report [PDF]: "[The Office of the Inspector General] physically inspected thumb drives at five ports of entry. At three of the five ports, we found thumb drives that contained information copied from past advanced searches, meaning the information had not been deleted after the searches were completed. Based on our physical inspection, as well as the lack of a written policy, it appears [Office of Field Operations] has not universally implemented the requirement to delete copied information, increasing the risk of unauthorized disclosure of travelers' data should thumb drives be lost or stolen." The report also found that Customs officers "regularly failed to disconnect devices from the internet, potentially tainting any findings stored locally on the device." It also found that the officers had "inadequate supervision" to make sure they were following the rules. There's also a number of concerning redactions. For example, everything from what happens during an advanced search after someone crosses the border to the reason officials are allowed to conduct an advanced search at all has been redacted.

schwit1 shares an exclusive report via BuzzFeed: The fingerprint-analysis software used by the FBI and more than 18,000 other U.S. law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems. The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm -- then a subsidiary of the massive Paris-based conglomerate Safran -- deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said. The Russian company whose code ended up in the FBI's fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service -- the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of U.S. targets.

Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.

An anonymous reader quotes a report from Ars Technica: President Donald Trump has said he's going to set more limits on the H-1B visa program, which allows tens of thousands of technology workers into the U.S. each year. But yesterday, the Department of Homeland Security moved to expand another type of visa, the H-2B, which allows lower-skilled workers in on a seasonal basis. The Department of Homeland Security said yesterday it is going to allow an additional 15,000 workers to come in under the H-2B visa category, which is typically used by U.S. businesses in industries like tourism, construction, and seafood processing. The program normally allows for 66,000 visas, split between the two halves of the year. That means the DHS increase, announced yesterday, represents an increase of more than 40 percent for the second half of 2017. Businesses can begin applying for the additional visas right away, as long as they attest under penalty of perjury that their business will "suffer irreparable harm" if it can't employ additional H-2B workers in 2017. The expansion is a temporary one, and it only applies to the current year.

An anonymous reader quotes a report from Ars Technica: In new filings, prosecutors told a court in Washington, DC that within the coming weeks, they expect to extract all data from the seized cellphones of more than 100 allegedly violent protesters arrested during the inauguration of President Donald Trump. Prosecutors also said that this search is validated by recently issued warrants. The court filing, which was first reported Wednesday by BuzzFeed News, states that approximately half of the protestors prosecuted with rioting or inciting a riot had their phones taken by authorities. Prosecutors hope to uncover any evidence relevant to the case. Under normal judicial procedures, the feds have vowed to share such data with defense attorneys and to delete all irrelevant data. "All of the Rioter Cell Phones were locked, which requires more time-sensitive efforts to try to obtain the data," Jennifer Kerkhoff, an assistant United States attorney, wrote. Such phone extraction is common by law enforcement nationwide using hardware and software created by Cellebrite and other similar firms. Pulling data off phones is likely more difficult under fully updated iPhones and Android devices.

An anonymous reader quotes a report from The Verge: The U.S. Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they've entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device -- with potentially deadly results. First issued in draft form last January, this guidance is more than a year in the making. The 30-page document (PDF) encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable -- so they're largely without teeth. The FDA issued an earlier set of recommendations in October 2014 (PDF), which recommended ways for manufacturers to build cybersecurity protections into medical devices as they're being designed and developed. Today's guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur. Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don't have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug -- then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won't have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.

saizai writes: I just filed my reply to the TSA's opposition to an emergency motion for preliminary injunction and temporary restraining order (PI/TRO) against the TSA's new policy that arbitrarily mandates some people to go through electronic strip search ("AIT"). Case website here (will be kept updated). Court order expected soon, though impossible to know for sure.

I've also released 3 FOIA docs (see 2015-12-30 update), which I submitted as exhibits:

• MD 100.4 2012-01-25 Transportation Security Searches (11p, full) — showing TSA's expansion to "bus, train, [and] other public conveyance"
• SPOT validation study Vol 1 Ch 4 — Descriptive analyses — summary of sources for items (1p) — showing 90% of what they find is immigration and drug related, not weapons
• SPOT validation study Vol 3 App F — Supporting tables — prohibited items data (2p) — giving breakdown list of "prohibited items" they find

See previously:

• Motion Filed In 1st Circuit To Enjoin TSA's New Mandatory "AIT" Screening
• TSA Body Scanner Opt-out No Longer Guaranteed

codguy writes: Up to now, airline passengers have been able opt out of the TSA's Advanced Imaging Technologies (AIT) whole body scanners, and request a physical pat-down for their security check. But ProPublica journalist Julia Angwin points out that a rule change on December 18, 2015 now allows the TSA to compel some passengers to use these scanners instead of giving them a pat-down. The updated rule says, "While passengers may generally decline AIT screening in favor of physical screening, TSA may direct mandatory AIT screening for some passengers," (PDF source). Of course, the criteria for when this can happen is completely unspecified, and one can easily imagine them abusing this by deciding to compel anyone who requests a pat-down to go through the scanners for some reasonable cause from their perspective. Guilty until proven innocent?

schwit1 writes: Spoofing is far from the only problem facing Department of Homeland Security and the way it gets drones to the border. In addition to giving grants to law enforcement agencies to purchase UAVs, DHS also has many of its own. Last year, the department's own inspector general declared that DHS drone purchasing program, which had spent $360 million since 2005 — $62 million in 2013 alone — was largely a failure. DHS had taken delivery of 11 MQ-9 Reaper drones, unarmed but otherwise similar to the ones used by the military in Iraq and Afghanistan. DHS anticipated that the cost per flight hour would be $2,468, far lower than the actual $12,225. The agency was using accounting tricks to move the costs of pilots, equipment, and overhead off the books. Even the actual flights hours — 5,102 — were a fraction of the promised 23,296.

schwit1 writes: An audit of the TSA has found that the agency failed to uncover the terrorist connections of 73 aviation workers when it did background checks of them. According to a report released Monday, the people were employed by major airlines, airport vendors and other employers, and were not identified because the agency lacked access to terrorism-related information from within the government. The agency's "multi-layered process to vet aviation workers for potential links to terrorism was generally effective. In addition to initially vetting every application for new credentials, TSA recurrently vetted aviation workers with access to secured areas of commercial airports every time the Consolidated Terrorist Watchlist was updated," the report found. "However, our testing showed that TSA did not identify 73 individuals with terrorism-related category codes because TSA is not authorized to receive all terrorism-related information under current interagency watchlisting policy." This report comes on the heels of an internal TSA investigation that found 95% of agents testing airport checkpoints were able to bring weapons through.

An anonymous reader writes: Your devices should come with a government backdoor. That's according to the heads of the FBI, NSA, and DHS. There are many objections, especially that backdoors add massive security risks.

Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors "will not work." Walking step-by-step through a hypothetical backdoored Android, he argues that "in order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would inevitably lose."

schwit1 writes The Transportation Security Administration has been accused of spending a billion dollars on a passenger-screening program that's based on junk science. The claim arose in a lawsuit filed by the American Civil Liberties Union, which has tried unsuccessfully to get the TSA to release documents on its SPOT (Screening Passengers by Observation Techniques) program through the Freedom of Information Act. SPOT, whose techniques were first used in 2003 and formalized in 2007, uses "highly questionable" screening techniques, according to the ACLU complaint, while being "discriminatory, ineffective, pseudo-scientific, and wasteful of taxpayer money." TSA has spent at least $1 billion on SPOT. The Government Accountability Office (GAO) reported in 2010 that "TSA deployed SPOT nationwide before first determining whether there was a scientifically valid basis for using behavior detection and appearance indicators as a means for reliably identifying passengers as potential threats in airports," according to the ACLU. And in 2013, GAO recommended that the agency spend less money on the program, which uses 3,000 "behavior detection officers" whose jobs is to identify terrorists before they board jetliners.

sarahnaomi sends word of new biometric technologies coming to U.S. entry points. "The facial recognition pilot program launched last week by U.S. Customs and Border Protection, which civil liberties advocates say could lead to new potentially privacy-invading programs, is just the first of three biometric experiments that the feds are getting ready to launch. The three experiments involve new controversial technologies like iris and face scanner kiosks, which CBP plans to deploy at the Mexican border, and facial recognition software, according to a leaked document obtained by Motherboard. All three pilots are part of a broader Customs and Border Protection program to modernize screenings at American entry and exit ports, including at the highly politicized Mexican border, with the aid of new biometric technologies. The program is known as Apex Air Entry and Exit Re-Engineering Project, according to the leaked slides. These pilot programs have the goal of "identifying and implementing" biometric technologies that can be used at American borders to improve the immigration system as well as US national security, according to the slides."

cold fjord (826450) writes with an excerpt from ZDNet At OSCon, The Department of Homeland Security (DHS) ... quietly announced that they're now offering a service for checking out your open-source code for security holes and bugs: the Software Assurance Marketplace (SWAMP). ... Patrick Beyer, SWAMP's Project Manager at Morgridge Institute for Research, the project's prime contractor, explained, "With open source's popularity, more and more government branches are using open-source code. Some are grabbing code from here, there, and everywhere." Understandably, "there's more and more concern about the safety and quality of this code. We're the one place you can go to check into the code" ... funded by a $23.4 million grant from the Department of Homeland Security Science & Technology Directorate (DHS S&T), SWAMP is designed by researchers from the Morgridge Institute, the University of Illinois-Champaign/Urbana, Indiana University, and the University of Wisconsin-Madison. Each brings broad experience in software assurance, security, open source software development, national distributed facilities and identity management to the project. ... SWAMP opened its services to the community in February of 2014 offering five open-source static analysis tools that analyze source code for possible security defects without having to execute the program. ... In addition, SWAMP hosts almost 400 open source software packages to enable tool developers to add enhancements in both the precision and scope of their tools. On top of that the SWAMP provides developers with software packages from the National Institute for Standards and Technology's (NIST) Juliet Test Suite. I got a chance to talk with Beyer at OSCON, and he emphasized that anyone's code is eligible — and that there's no cost to participants, while the center is covered by a grant.

theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nations' best-and-brightest college students to work for nothing on the nation's cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Council's Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was advised by representatives from Cisco, JP Morgan Chase, Goldman Sachs, Northrop Grumman, the NSF, and the NSA. 'Do you desire to protect American interests and secure our Nation while building a meaningful and rewarding career?' reads the job posting for Secretary's Honors Program Cyber Student Volunteers (salary: $0.00-$0.00). 'If so, the Department of Homeland Security (DHS) is calling.' Student volunteers, DHS adds, will begin in spring 2014 and participate throughout the summer. Get your applications in by January 3, kids!"

theodp writes "A week after President Obama stressed the importance of computer science to America, the Department of Homeland Security put out a call for 100+ of the nations' best-and-brightest college students to work for nothing on the nation's cyber security. The unpaid internship program, DHS notes, is the realization of recommendations (PDF) from the Homeland Security Advisory Council's Task Force on CyberSkills, which included execs from Facebook, Lockheed Martin, and Sony, and was advised by representatives from Cisco, JP Morgan Chase, Goldman Sachs, Northrop Grumman, the NSF, and the NSA. 'Do you desire to protect American interests and secure our Nation while building a meaningful and rewarding career?' reads the job posting for Secretary's Honors Program Cyber Student Volunteers (salary: $0.00-$0.00). 'If so, the Department of Homeland Security (DHS) is calling.' Student volunteers, DHS adds, will begin in spring 2014 and participate throughout the summer. Get your applications in by January 3, kids!"

An anonymous reader writes "Major newspapers in Germany (FAZ, Die Welt, SZ, ...) and the Huffington Post report that the author Ilja Trojanow has been prevented from boarding a plane from Salvador da Bahia to the U.S. where he was invited to attend a conference. He had ESTA documents showing that his visit was approved as part of the Visa Waiver Program and was last year given a visa to teach at the university of Saint Louis. Trojanow was one of the initiators of an open letter (Google translation to English) urging Chancellor Merkel to take actions against NSA surveillance in Germany."

PolygamousRanchKid writes with news of a Senate report on just how ineffective those DHS "Fusion centers" have proven to be. From the article: "The lengthy, bipartisan report is a scathing evaluation of what the Department of Homeland Security has held up as a crown jewel of its security efforts. ... Because of a convoluted grants process set up by Congress, Homeland Security officials don't know how much they have spent in their decade-long effort to set up so-called fusion centers in every state. ... 'The subcommittee investigation could identify no reporting which uncovered a terrorist threat, nor could it identify a contribution such fusion center reporting made to disrupt an active terrorist plot,' the report said. When fusion centers did address terrorism, they sometimes did so in ways that infringed on civil liberties. The centers have made headlines for circulating information about Ron Paul supporters, the ACLU, activists on both sides of the abortion debate, war protesters, and advocates of gun rights."

theodp writes "In mid-May, the Department of Homeland Security quietly expanded a program that allows foreign science, technology, engineering and math grads to work in the U.S. for 29 months without a work visa. 'Attracting the best and brightest international talent to our colleges and universities and enabling them to contribute to their professional growth is an important part of our nation's economic, scientific and technological competitiveness,' explained DHS Chief Janet Napolitano. But last week, Senator Chuck Grassley called on the GAO to 'fully investigate' the student visa program, citing reports of abuse and other concerns in his letter. Now, Computerworld reports that the DHS STEM Visa Extension Program continues to be dominated by Stratford University and the University of Bridgeport (as it was in 2010), prompting some tongues to wag. It is 'obvious to any reasonable person that the schools producing most of the OPT students are not prestigious research universities,' quipped policy analyst Daniel Costa, 'which means that many of the OPT students across the country are not in fact the "best and brightest."' While conceding that top students can come from lesser-known schools, 'those will be the exception to the rule,' argued Costa, who suggested the government should include performance metrics in the OPT program, such as grades and university rankings."

Fluffeh writes "Although the DHS has spent around $90 million upgrading magnetometers to the new body scanners, federal investigators 'identified vulnerabilities in the screening process' at domestic airports using the new machines, according to a classified internal Department of Homeland Security report. Exactly how bad the body scanners are is not being divulged publicly, but the Inspector General's report (PDF) made eight separate recommendations on how to improve screening. To quiet privacy concerns, the authorities are also spending $7 million to 'remove the human factor from the image review process' and replace the passenger's image with an avatar."

coondoggie writes "Better algorithms to spot patterns and trends within the mass of information the Department of Homeland Security sees everyday are key to national security. That was but one of the talking points DHS chief Janet Napolitano focused on in a lecture on the role of science and technology at the Massachusetts Institute of Technology today. 'DHS is part of the nation's Intelligence Community, which receives more terabytes of data each day than the entire text holdings of the Library of Congress. The National Counterterrorism Center's 24-hour Operations Center receives 8,000 to 10,000 pieces of counterterrorist information every day. We receive data about all of this, and it is clearly too much to suggest that the simplistic "connect the dots" analogy accurately represents what an analyst must do. Very quickly, you can see that "Big Data" – more so than the lack of data – becomes the most pressing problem. At the same time, the threats implicated by the data are not static.'"

An anonymous reader writes "For the past 40 years, a miniature model environment called 'Tiny Town' has been one of the methods used to teach Secret Service agents and officers how to prepare a site security plan. The model includes different sites — an airport, outdoor stadium, urban rally site and a hotel interior — and uses scaled models of buildings, cars and security assets. With help from the Department of Homeland Security's Science & Technology Directorate, the Secret Service is giving training scenarios a high-tech edge: moving from static tabletop models to virtual kiosks with gaming technology and 3D modeling."

Grond writes "The US has banned toner and ink cartridges from passenger aircraft in the wake of last month's bomb plot. 'The printer cartridge ban affects cartridges over 16 ounces.' No word yet on whether that's a weight or volume measurement or whether it's a per-cartridge or per-passenger limit." The ban comes alongside a prohibition on air cargo originating from Yemen and Somalia. Bruce Schneier's blog points out another potential consequence from the recent bomb plot: the end of in-flight Wi-Fi.

Presto Vivace writes with news that the Obama administration's cyber-security coordinater, Howard Schmidt, yesterday unveiled a national plan for "trusted" online identities. Schmidt wrote, "The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers — both public and private — to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)." You can read the full draft of the plan (PDF), and the White House is seeking public comments on it as well.

Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."

Hugh Pickens writes "The Washington Post reports that Department of Homeland Security is relying on a rushed, flawed study to justify its decision to locate the $700 million National Bio and Agro-Defense Facility for highly infectious pathogens in a tornado-prone section of Kansas. A GAO report says that it is not 'scientifically defensible' to conclude that lab can safely handle dangerous animal diseases in Kansas. Such research has been conducted up to now on a remote island on the northern tip of Long Island, NY. 'Drawing conclusions about relocating research with highly infectious exotic animal pathogens from questionable methodology could result in regrettable consequences,' the GAO warned in its draft report. Critics of moving the operation to the mainland argue that a release could lead to widespread contamination that could kill livestock, devastate a farm economy, and endanger humans. Along with the highly contagious foot-and-mouth disease, NBAF researchers plan to study African swine fever, Japanese encephalitis, Rift Valley fever, and other viruses in the Biosafety Level (BSL) 3 and BSL-4 livestock laboratory capable of developing countermeasures for foreign animal diseases. According to the article, DHS lobbied a Congressional committee to try and convince them that the GAO report was flawed, and to head off any hearings on the controversy. Despite this, the House Energy and Commerce Committee's oversight and investigations subcommittee plans to hold a hearing Thursday on the risk analysis."

Wolfgang Kandek writes "Hacker Jeff Moss, founder of computer security conferences DEFCON and Black Hat, has been sworn in as one of the new members of the Homeland Security Advisory Council (HSAC) of the DHS. Moss, who goes by the handle 'the Dark Tangent' says he was surprised to be asked to join the council and that he was nominated to bring an 'outside perspective' to its meetings. He said, 'I know there is a new-found emphasis on cybersecurity, and they're looking to diversify the members and to have alternative viewpoints. I think they needed a skeptical outsider's view because that has been missing.'"

theodp writes "PC World reports that DHS has extended the time foreign graduates of US colleges can stay in the country and work to almost two-and-a-half years, an 'emergency' change that drew kudos from Microsoft and other H-1B visa stakeholders. Looks like when Bill Gates says 'Jump,' the government asks 'How high?' Bill Gates's Congressional Testimony, March 12, 2008: 'Extending OPT from 12 to 29 months would help to alleviate the crisis employers are facing due to the current H-1B visa shortage. This only requires action by the Executive Branch, and Congress and this Committee should strongly urge the Department of Homeland Security to take such action immediately.' DHS Press Release, April 4, 2008: 'The US Department of Homeland Security released today an interim final rule extending the period of Optional Practical Training (OPT) from 12 to 29 months for qualified F-1 non-immigrant students.'"

cnet-declan writes "If you don't like the idea of a federalized ID card, you have only have an hour left to let Homeland Security know your thoughts: the deadline to file comments on the Real ID Act is 5:00 pm EDT on Tuesday. Probably the best place to do that is a Web site created by an ad hoc alliance called the Privacy Coalition (they oppose the idea, but if you're a big Real ID fan you can use their site to send adoring comments too). Alternatively, Homeland Security has finally seen fit to give us an email address that you can use to submit comments on the Real ID Act. Send email to oscomments@dhs.gov with 'Docket No. DHS-2006-0030' in the Subject: line. Here's some background on what the Feds are planning."

pr0nqu33n writes "C|Net is running an article on the DHS's requirements for the Real ID system. Thursday members of the Bush administration finally unveiled details of the anticipated national identification program. Millions of Americans will have until 2013 to register for the system, which will (some would argue) constitute a national ID. RFID trackers for the cards are under consideration, as is a cohesive nation-wide design for the card. States must submit a proposal for how they'll adopt the system by early October of this year. If they don't, come May of next year their residents will see their licenses unable to gain them access to federal buildings and airplanes. The full regulations for the system are available online in PDF format. Likewise, the DHS has a Questions and Answers style FAQ available to explain the program to the curious."

pr0nqu33n writes "C|Net is running an article on the DHS's requirements for the Real ID system. Thursday members of the Bush administration finally unveiled details of the anticipated national identification program. Millions of Americans will have until 2013 to register for the system, which will (some would argue) constitute a national ID. RFID trackers for the cards are under consideration, as is a cohesive nation-wide design for the card. States must submit a proposal for how they'll adopt the system by early October of this year. If they don't, come May of next year their residents will see their licenses unable to gain them access to federal buildings and airplanes. The full regulations for the system are available online in PDF format. Likewise, the DHS has a Questions and Answers style FAQ available to explain the program to the curious."

tonk writes, "European expert researchers on identity and identity management summarize their findings from an analysis of passports with RFID and biometrics — Machine Readable Travel Documents or MRTDs — and recommend corrective measures that 'need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues... By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international MTRDs which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilizes technologies and standards that are poorly conceived for its purpose.' The European experts therefore come to similar conclusions as the Data Privacy and Integrity Advisory Committee of the US Department of Homeland Security in a draft report, which seems to be delayed."

RFID! writes, "The Department of Homeland Security's Data Privacy and Integrity Advisory Committee published a draft report that poured cold water on using RFID in government-mandated identity cards and documents (PDF link). But this met with some consternation among the DHS bureaus that plan to use RFID in this way and the businesses eager to sell the technology to the government, and now a vote on the report has been delayed until December."

gregger writes "Wow, so the Department of Homeland Security is really concerned with Microsoft patches now... enough to come out and tell us to patch our machines. This warning, chronicled in eWeek, was issued less than a day after the release of 23 patches from Redmond. So, if you don't apply the patches, then what?"

wk633 writes "A report by Homeland Security Department Acting Inspector General Richard Skinner, said the agency misinformed individuals, the press and Congress in 2003 and 2004. It stopped short of saying TSA lied. Bruce Schneier does say 'the TSA lied' on his blog." Scary stuff, and yet it's even scarier how little the general public has caught on.

An anonymous submitter writes "Osama bin Laden delivered a new videotaped message in which he told Americans their security does not depend on the president they elect, but on U.S. policy. 'Your security is not in the hands of Kerry or Bush or al Qaeda.'"

SteamyMobile writes "Privacy International announced its Sixth Annual Big Brother awards today. These are awards given to the governments, business and individuals who are doing the most to bring us closer to Orwell's world of 1984. Normally this award is reserved for the British, but there are so many great candidates from other countries this year that they had to acknowledge that. So, who won, and who shall we nominate for next year? This certainly is an area with some tough competition lately."

crem_d_genes writes "American Airlines has become the third U.S. airline to admit sharing passenger records with the government. They were proceeded in admissions by Northwest Airlines and JetBlue Airways. At the heart of the matter is the implementation of the of U.S. Transportation Security Administration's (TSA) use of the provisions known as CAPPS II. Some privacy advocates have expressed strong dissent with this plan. Some concerns have even been brought up in Congress, though for different reasons. The Department of Homeland Security has a site entitled CAPPS II: Myths and Facts."

unassimilatible writes "The Washington Times reports that the FBI and the Department of Homeland Security are developing a database that will allow private companies to submit lists of individuals to be screened for a connection to terrorism. The database will eventually allow private-sector entities, such as operators of critical infrastructure facilities or organizers of large events, to submit a list of persons associated with those events to the U.S. government to be screened for any nexus to terrorism. All of this won't be cheap either; total terror-related IT spending by US federal and state governments will run past $100 billion in 2004. But don't feel left out Europeans, since the EU is considering a terror database as well, although France and UK are reluctant to share intel."

Ryan Barrett writes "Groove Networks has announced that their P2P infrastructure will power the Homeland Security Information Network, an initiative to increase information sharing between federal, state, and local intelligence agencies. (The initiative doesn't give the govt. more information, it just helps agencies better share the information they already have.) Groove Workspace has also been certified with two govt. security standards, FIPS 140-2 level 1 and NIAP CCITSE. In related news, Groove's developers have been diagnosed with acronym whiplash."

W33dz writes "Retailers and manufacturers around the world are enamored with the new radio frequency identification, or RFID, devices. The problem? What about when a thief or the police want to find out what you have in your house? Oddly enough, according to a Wired magazine article, the United States' largest food companies and retailers will try to win Dept of Homeland Security approval for radio identification devices by portraying the technology as an essential tool for keeping the nation's food supply safe from terrorists. This will give them blanket immunity from all law suits related to the product."

W33dz writes "WIRED magazine has released an article detailing the Transportation Safety Administration's latest guidelines for the second-generation Computer Assisted Passenger Prescreening System, or CAPPS II. As outlined in a notice to be published Friday in the Federal Register, CAPPS II will rate every passenger by checking dates of birth, home addresses and phone numbers against commercial databases and the government's terrorist watch lists. This is a pullback from the original plan which called for wide dissemination of data including financial and medical history."