Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Re:Government sanctioned theft.
Not in the US myself, but I have also heard that a starter pistol works.
-
Re:Whom does this surprise?
Well, I suppose it could happen in the 22nd century or later after most of the people alive on Sept. 11, 2001 are dead or incapacitated, but I think it's safe to say that that type of attack won't be successful again in the next 50 years. Yeah OK, somebody may be stupid enough to try it again. Maybe the hijackers will think it's smart to hold back a couple of sleepers to identify and gruesomely kill the emerging leaders of a passenger counter-attack to try to cow the rest in spite of the 9/11 effect. Come to think of it, if the average USA passenger has your level of imagination, it just might work. However the odds are some passenger on a targeted plane would have enough brains to think of that too.
Frankly I expect that after that time frame, we'd better have a good handle on how to prevent the root causes of terrorism because biological/nanotech attacks will have become easy enough to make it more worthwhile (i.e. for psychological impact) than plane hijackings. Seriously, this TSA security theatre is a Maginot Line defense,... and it's sad that it's a Frenchman having to point that out.
-
Re:Bruce says the obvious
Bruce's latest Crypto-gram goes into a little more detail on why you are wrong. Also please keep in mind that you can purchase an airplane ticket over the internet with a credit card number bought from a Russian (or local) mobster a lot more easily than you can get a good fake driver's licence, the latter being physical and having pictures and copy-protection mechanisms, that will stand up to scrutiny. Although there is also an underground market for the latter, it's probably not as widespread as the stolen credit card market since the clientele is much narrower (mainly a small subset of illegal immigrants and underage teenagers trying to buy alcohol) and doesn't necessarily require high-quality forgeries.
-
Re:Schneier bothers me
They're not interested in catching terrorists Bruce!
He rocks the boat, but he never connects the dots.
Yeah, sure he doesn't.
That's why he says things like these:
much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.
what I've come to call security theater: security primarily designed to make you feel more secure.
-
Re:So anyone want to do this....
That's the theory. In practice, Bruce Schneier and a University of Washington team have found that once the native OS can see the formerly hidden data, copies get scattered all over:
http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html -
Re:In other news
The US doesn't, not really. I thought that there was protection for mail entering the US, but then I found that they are allowed to search basically any "Mail Believed to Contain Dutiable or Prohibited Articles", for example, personal letters. At least domestic first class mail is still safe.
-
British passports
Many did not even have passports, which given the efficiency of the UK Passport Agency would mean they couldn't be a plane bomber for quite some time.
There is little reason to wait for a 'real' passport when thousands are stolen and forged annually: 3,000 Blank British Passports Stolen
But I agree, the 'liquid bomb' hysteria was ridiculous.
-
Re:When I was a kid...
If you have nothing to hide you can revel in the fact you are safe
Perhaps not.
-
Re:If you're that worried...
But uh, mind if I ask: exactly what kind of pictures are you planning on taking on your vacation?
;-)
Most keen photographers - myself included - have a story or two about being hassled by security guards or police for photographing public buildings. Check out this article for examples. It's for security reasons, you see. I might be planning a terrorist attack.
You wouldn't want the TSA goons to decide that your photographs seem odd and to give you a full-body cavity search "just in case".
-
Re:To take or not to take?
We went on vacation to Canada last summer.
I took a laptop.
When we reentered the US (by car, with the laptop),
the border agent asked about things we had acquired in Canada.
They didn't ask about laptops, I didn't mention it, and they admitted us.
The whole thing took 30 or 60 seconds.
Maybe you get different questions if you are traveling on business.
The agent kept us talking longer than strictly necessary to get the answers to his questions.
I think they are doing behavioral profiling. At http://www.schneier.com/blog/archives/2005/07/profiling.html
Schneier describes behavioral profiling:
Ressam was approached by U.S. customs agent Diana Dean, who asked some routine
questions and then decided that he looked suspicious. He was fidgeting,
sweaty, and jittery. He avoided eye contact. In Dean's own words, he was
acting "hinky". -
Re:Back to the future!
Diebold donated at least $195,000 to the Republican Party in 2000-2002.
http://www.schneier.com/blog/archives/2008/08/diebold_finally.html/
http://www.scoop.co.nz/stories/HL0211/S00081.htm/
Senator Hagel: http://www.scoop.co.nz/stories/HL0301/S00166.htm/
http://www.jonesreport.com/articles/011106_diebold_hbo.html/
http://www.jonesreport.com/articles/061106_hacking_democracy.html/ -
This is bad
-
What an awesome quote on his book cover
http://www.schneier.com/images/book-sos-175w.jpg "The closest the security industry has to a rock star" Well, if that's the case, I'll believe anything he says then. I love rock and roll.
-
take the bitstring down, flip it and reverse it
"This is accomplished by growing the solar cell on a gallium arsenide wafer, flipping it over, then removing the wafer."
Reminded me of this for some reason.
http://xkcd.com/153/ as cited in
http://www.schneier.com/blog/archives/2006/09/cryptography_ca.html.
I don't know how well Slashdot knows xkcd;
can I just call out "/153/" and get a laugh?
-
Re:Doublethink
http://www.schneier.com/crypto-gram-0008.html
"I came to security from cryptography, and framed the problem with classical cryptography thinking. Most writings about security come from this perspective, and it can be summed up pretty easily: Security threats are to be avoided using preventive countermeasures.
For decades we have used this approach to computer security. We draw boxes around the different players and lines between them. We define different attackers -- eavesdroppers, impersonators, thieves -- and their capabilities. We use preventive countermeasures like encryption and access control to avoid different threats. If we can avoid the threats, we've won. If we can't, we've lost.
Imagine my surprise when I learned that the world doesn't work this way."
Imagine how unsurprised the rest of us were.
-
Re:Scary?
I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model [..]
If you really have trouble thinking of ways in which this can cause harm more serious than pay-per-click fraud, I really hope your job does not involve making many security-related decisions.
OK, to be a bit more constructive about it, have you read Bruce Schneier's article The Security Mindset? If none of his examples make you think "well, I would have thought of that, given a minute", you are a very trusting person ;) Your life will probably be the better for it -- except in those cases where you get screwed by misplaced trust.
-
Re:Let the flood gates be opened
So kinda like the FBI and every terror suspect arrested post 9/11?
-
Re:I can see they fixed the big problem with Vista
Hm, maybe you should read up a bit
:) http://www.schneier.com/crypto-gram-0104.html#7
It happened in 2001... doesn't mean it can't happen again -- the attack was purely social engineering.
-
80%
I can't wait for Schneier http://www.schneier.com/ to rip this one apart. Security theater and more waste of tax payer money.
-
Re:I wonder . . .
Depends on your definition of "best."
If best means "in theory, the technology is extremely difficult to break when human beings know how to use it correctly and do so" then yeah.
If best means "in practice, it is likely to work effectively when used by ordinary actual human beings in the real world" then um, no.
Human beings are part of the security equation. GnuPG is a great piece of technology, but unless it is wrapped in an interface and set of procedures in such a way that Nina from accounting is able and willing to use it correctly every time, it will not improve security.
-
Secret Questions Blow a Hole in Security
It wasn't the password, it was one of several questions on Yahoo's password recovery questionnaire.
ob. Schneier:
-
You can defeat cameras with LEDs
The IR-emitting diodes (LEDs) used for sunglasses that hide your face from cameras (as blogged by Bruce Schneier in July) could easily be applied to your license plates for the same effect.
The legality of such things is another question altogether; it could be a circumvention device for traffic/toll cameras, possibly falling into DMCA territory, but to my knowledge, only blue lights and blinking lights are at all regulated...
In fact, you're required to have your plates lit up - why not make it a light that is more intense in the infrared spectrum?
-
Diverse Double-Compiling
When can you consider a compiler "clean"?
Countering "Trusting Trust"
If you have any concerns with that, they should be answered in: David A. Wheeler's Page on Countering Trusting Trust through Diverse Double-Compiling (Trojan Horse attacks on Compilers)
If you find any holes in the theory that were not discussed, then consider writing up your findings for publication. -
the cause & about challenges.
First: The cause of this paranoia about multiple overwrites is also caused by the spam of Evidence Eraser (note: free and better software is available, e.g. Google for "washer"). However these kinds of programs might fail when paired with advanced filesystems like NTFS & flash media.
Second:
A challenge proves nothing. Bruce Schneier wrote about this 10 years ago. And last: where does any data recovery company say that they can recover data from a wiped disk? Especially an established company? Anyway, no way I am going to put some hours on a "High-Resolution Scanning Magnetic Microscope" to recover $500. Besides that, any recovery company will quickly spend more than $500 for any recovery.
-
Re:Any numbers to compare?
The UK has the most cameras per capita, I think. Are there any numbers available on how much crime has decreased in those areas where the cameras are? Also how much has it increased in surrounding areas where they are not.
Crime doesn't move away when CCTVs are installed. They simply have pretty much no consistent effects on crime rates at all. And they generally don't help with solving crimes either.
-
Re:It doesn't matter
Many countries already have such agreements with the USA, and it has been like that for a long time (i.e. ECHELON), not to mention the backdoors inserted into various products (Schneier mentioned that up a few years ago).
The point is, they are already able to monitor most stuff. Routing through different countries is probably not enough.
-
Not just dig
If one were spending a lot of time on Digg last year, they were probably surprised by how poorly Ron Paul did.
Heck, not just digg. If you were paying any attention to the fundraising numbers you were probably surprised by how poorly he did.
Or, for that matter, if you saw the crowds he drew whenever he spoke, you were probably surprised by how poorly he did.
Heck, even if you counted yard signs or just talked to your local Republican-on-the-street, you were probably surprised by how poorly he did.
In fact, I'd bet only the people who get most of their news from corporate media knew how badly he would do at the polls, but most of them probably don't know why*.
--MarkusQ
* Diebold / Premiere finally admitted that their machines drop some votes. And they've previously admitted that they also add votes. And they've famously expressed strong preferences over who should win an election.
-
Re:How about something better?
I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.
The artificial distinction of allowing trusted people (banks, the phone company) access to your identity, while keeping it a secret for the general public (that includes identity thieves) is childish. As it is the attempt to criminalize the act of compiling a list of people's identity using public data - all identity data is public to some extent, by definition; if it's not public, it does not identify you. Compiling lists of public information is a clear example of free speech.
The term of "identity theft" is a copious misnomer perpetrated on the public by the credit industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.
After all, why should *I* pay for the fact that some bank lends money to someone who says it's me? The bank has little incentive to properly authenticate the guy: they want as many customers as possible, and to be competitive: they reduce fraud to acceptable levels, until fighting against it is more costly than the actual money saved. The devastating consequences that "ID theft" has over an individual's life become an externality for banks. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so it's unreasonable to require me to protect my identity from "theft".
You can find an excellent written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html
The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
Devising more intricate ways to keep our identity data "secret" is just band-aid.(I fully agree there are other reasons to wanting to have your data private, such as, well... privacy; ID "theft" should not be one of them)
-
Re:Number of tables
This is not a good measure of how good or bad a database is. It's good to have a table for every type of data and every data type. Read about normalization. You can go overboard, but as long as your database is designed well, having 463 tables might be just fine.
From various reports we know that the only thing in the database are names - no ages, no addresses, no physical descriptions. We also know that roughly 400,000 individuals (comprising over 1 million name variations) are on the list. I would not be surprised at all if it turns out that each table is just a piece of the list with up to 1,000 entries.
-
Re:How usable is it though?
Non-free software is able to take people's freedom away when compared with free software. For instance, you can't (necessarily) edit and redistribute non-free software. This is clearly true and if you don't think so, please do explain why.
Less functional software is able to take people's freedom away when compared with more functional software. For instance, you can't use the missing functionality in the less functional software. Now if the less functional software happens to also be Free software, you can make a sacrifice of your time/money to add that functionality, but this just takes away your freedom to do other, more productive, things with your time.
Why is the "user-modifiable and redistributable" feature elevated to the point of it being wrong to not demand that feature over all other features?
And in all these ways, free software is directly comparable to free time, and my point was about the semantics of "free" in "free software".
Huh, it took me three or four times to get this. Not sure if it's unclear/confusing, or if I'm just being slow today.
This is also much the same logic as American libertarians who quote one of their founding fathers who said "someone who would exchange a little freedom to obtain a security deserves neither freedom nor security" or words to that effect. I find it one of the most abhorrent quotes ever uttered in support of a generally good aim, and I definitely disagree with it.
I thought it was "essential liberty" and "temporary safety", which I would paraphrase roughly as "DON'T PANIC (or you'll regret it).". It could also be taken to mean that increased control doesn't actually improve safety, so that exchange doesn't actually work.
-
Re:Is it even illegal?
If I happened to have a database of people's information, and I want to freely publish it, I don't actually think there is a statute against me doing that.
No there's not - this is the "problem" the original submitter wants to solve. I personally have huge issues about criminalizing any form of free speech.
The identity of a person is not a secret, or a thing that can be stolen. The very way that identity works is by making it public:
"Hello, I'm John / Oh Hi John, I'm Susan"
Now if John is coy about revealing his identity for fear that Susan might open up a bank account in his name, the whole use of identity crumbles. I have nothing against anonymity, John can remain anonymous if he so desires. But the notion that you must somehow "protect" identity by keeping it a secret is a stupid trick that harms the usefulness of identity and our society as whole. The artificial distinction of allowing trusted people (banks, the phone company) access to it, while keeping it a secret for the general public (that includes identity thieves) is childish. As it is the proposal above, of criminalizing the act of compiling a list of people's identity using public data - as explained above, all identity data is public to some extent, by definition; if it's not public, it does not identify you.
Far be it from me to claim that it's safe to post your personal data on Slashdot. In this warped world we are living in, there is the danger of so-called "identity theft".
The term of "identity theft" is a copious misnomer perpetrated on the public by the banking industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.
After all, why should *I* pay for the fact that some bank lends money to someone who says it's me? The bank has little incentive to properly authenticate the guy: they want as many customers as possible; the problem of "ID theft" is an externality. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so it's unreasonable to require me to protect my identity from "theft".
You can find an excellent written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html
The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
Devising more intricate ways to keep our identity data "secret" is just band-aid.(I have only approached the problem from the identity fraud perspective; I fully agree there are other reasons to wanting to have your data private, such as, well... privacy)
-
Re:Short Answer
I agree 100%, except that I'm with Bruce on the question of writing down passwords.
-
It's all in the attitude
I've been doing IT Security exclusively since 1999: pen tests, audits, compliance, Certification and Accreditation, forensics, and "oops, we got owned" incident response and remediation. I'm quite happy in my work and I don't think I'm any more or less cynical than the next IT professional in general.
In the beginning, I had a sense of smug superiority about my knowledge and prowess, and I used to get quite miffed when people didn't 'get it' about security, didn't spend the time to learn, staff, fund, or operate good security practices.
But over time, I came to realize that my role is to advise, assist and educate, not to adopt an adversarial role, to beat people over the head with mistakes.
You have to remember, you're no better than anyone else. Just because you have license to go through someone's dirty laundry, doesn't mean you have to throw it in their faces. If you adopt a more cooperative tone, and look to work with the client to solve their security issues, it is far more likely that your recommendations will ultimately be followed:
As an auditor I search for errors that others have made and document them, explain the impact, and provide suggested remediation.
As a penetration tester I break systems that system engineers and administrators have laboriously built, and work with them to find and integrate compensating controls.
I am watchful for inside threats and helped implement solutions that can help detect them rather than spending all my time being professionally suspicious.
There, fixed that for you.
Driving to lunch one day with a car load of people, someone asked me if I am constantly frustrated because when it comes to security, no one ever listens, or gets it. I said: not really, because (as Schneier says) humans make terrible risk decisions. For example, there is an overwhelming amount of evidence which says seat belts save lives, yet how many people fail to put on their seat belts every single day?
Shortly thereafter I heard several clicks as some very smart, very rational people surreptitiously put on their seatbelts. -
Re:That's the point.
So you think that Ellison, Schneier, Gutmann and Seifried are uninformed morons who are completely clueless about crypto and are making wild claims?
-
Re:That's what they need
Cause that's what they need...cell phones. Nevermind the maniacs running those countries...
The fact that cells are routinely disabled in areas where heads of state make public appearances is evidence that enabling communication between regular people is a threat to the people who run/own a country.
-
Re:No scripting language is going to solve
-
Re:TrueCrypt Hidden OS
Plug for TrueCrypt 6.0's Hidden OS feature. This allows one to give a password (not the "real" password) and have the system boot to a hidden OS which is not your real installation. Moreover, there is no way to prove the "real" OS exists. http://www.truecrypt.org/docs/?s=hidden-operating-system
Bruce Schneier says otherwise: http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html
There are a variety of attacks that might allow authorities to conclude that you had a hidden partition.
-
The War on the Unexpected
Recall, Bruce Schneier calls this "The War on the Unexpected".
http://www.schneier.com/blog/archives/2007/11/the_war_on_the.html
Americans weren't previously this bad, but 9/11 and the government's call to report anything out of the ordinary caused us to lose rationality. The fact that this continues to happen isn't really a surprise.
-
Legal Rights of Photographers
Schneier did a piece on this not too long ago. He included this handy link to a PDF with a good rundown of your legal rights when it comes to taking photographs (hint: you have more than you might think).
-
Bruce covered this, twice...
Bruce Schneier already covered this, first in a 2005-02-11 entry in his blog, and again in a 2008-04-04 essay for ComputerWeekly.
I am absolutely not trying to compare myself to Bruce, but I recognized the weakness of security questions prior to his writings, when I was using his freeware PasswordSafe in 1997. (I've since moved to KeePass... not fucking plaintext Post-it Notes, FFS).
Like Bruce, I've always filled these Q&A fields with 64+ printable ASCII characters via PasswordSafe's/KeePass's integrated CS-PRNG, which I do not record. When I can provide the question, even better. Two crazy-ass-long fields for an attacker to guess.
It should be obvious, no? A constrained set of questions (2-4 bits of entropy), each with a correspondingly constrained set of answers... ("First make of CAR???" You gotta be fucking kidding me... Why not be done with it, and offer 2kB dictionary downloads for brute-force attackers right on the Lost Password form?) Compare these constraints to a proper, lengthy CS-PRNG alphanumeric pass[word|phrase]... No contest.
-
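Added example, serving both the "Secret Questions Blow a Hole in Security" comment earlier on this page and the one just above: it is not code from the thread, from Schneier, or from PasswordSafe/KeePass. It puts numbers on the comparison the commenter makes: the guessing cost of a skewed security-question answer (Shannon entropy, average guesses for a most-likely-first attacker, how many guesses cover half the users) versus a 64-character answer drawn from a CSPRNG. The "first make of car" weights are constructed for the demo, not survey data; `ALPHABET`, `CAR_MAKE_PRIORS` and all function names are mine.

```python
"""Guessing cost of a security-question answer versus a random one.

Added illustration. The answer distribution below is constructed for the
demo, not survey data; the point is the method (Shannon entropy and
expected guess count over a skewed answer set, versus a CSPRNG answer).
"""
import math
import secrets
import string

# Constructed prior over answers to "first make of car" (illustrative weights).
CAR_MAKE_PRIORS = {
    "toyota": 0.18, "ford": 0.17, "honda": 0.14, "chevrolet": 0.13,
    "nissan": 0.09, "volkswagen": 0.08, "hyundai": 0.07, "subaru": 0.05,
    "mazda": 0.05, "other": 0.04,
}

# 94 printable ASCII characters, whitespace excluded so the answer survives
# form trimming.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def shannon_bits(priors: dict) -> float:
    """Entropy in bits of the answer distribution."""
    return -sum(p * math.log2(p) for p in priors.values() if p > 0)


def expected_guesses(priors: dict) -> float:
    """Average guesses for an attacker who tries answers most-likely first."""
    ranked = sorted(priors.values(), reverse=True)
    return sum(rank * p for rank, p in enumerate(ranked, start=1))


def guesses_to_cover(priors: dict, fraction: float) -> int:
    """Smallest number of top answers that breaks at least `fraction` of users."""
    covered = 0.0
    for n, p in enumerate(sorted(priors.values(), reverse=True), start=1):
        covered += p
        if covered >= fraction:
            return n
    return len(priors)


def random_answer(length: int = 64, alphabet: str = ALPHABET) -> str:
    """A CSPRNG-generated answer to keep in a password manager instead of a real fact."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length: int = 64, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random answer of the given length and alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print(f"car make: {shannon_bits(CAR_MAKE_PRIORS):.2f} bits, "
          f"{expected_guesses(CAR_MAKE_PRIORS):.2f} guesses on average, "
          f"{guesses_to_cover(CAR_MAKE_PRIORS, 0.5)} guesses cover half the users")
    print(f"64-char random answer: {random_answer_bits():.1f} bits, e.g. {random_answer()}")
```

The skew matters as much as the count: ten possible answers is at most 3.3 bits, but with these weights four guesses already cover more than half the population, whereas the random answer sits above 400 bits and an online lockout of any size stops the guessing outright.
-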
Analogies Not Sufficient
Do the police require a warrant if they want to follow me around for the day? If yes then I believe this should require a warrant. Else, what's the diff except it costs much less and is more discreet.
No, they don't need a warrant to tail you; your whereabouts in public places aren't considered a search, but public information. However...
The Sixth Circuit held in the Baily case, of attaching a beeper (rather than GPS, c.1980), that merely analogizing with tailing isn't sufficient to decide the issue, it's one of reasonable expectation of privacy.
The judge in the 7th circuit Garcia case wrote:
One can imagine the police affixing GPS tracking devices to thousands of cars at random, recovering the devices, and using digital search techniques to identify suspicious driving patterns. One can even imagine a law requiring all new cars to come equipped with the device so that the government can keep track of all vehicular movement in the United States.
Personally, I read that as a warning, not a suggestion, but it's what he feels the law allows for. I'm slowly being persuaded by Moore's Law that perhaps a Constitutional Amendment clarifying the right to privacy (which many of us feels already exists in the 4th amendment) would be an OK thing. Now, to get Congress to pass that (ha!).
Bruce Schneier argues for the requirements of warrants for these kinds of tracking, to prevent rampant growth and abuse of the police state.
Fortunately for the police state, citizens are voluntarily loading up their cars with tracking devices (EZ Pass, Tire Pressure Monitors, OnStar), so they don't have to even bother installing a GPS device in some cases. Sure, everybody knows that cell phones can be tracked, but how many people know that federally-mandated tire pressure monitoring systems send out a unique 'MAC' for every wheel?
What's gotten people burned in several cases I've read about is that they were driving vehicles they didn't own, and the courts make a distinction there. Does the car you regularly drive have your name on the title or your wife's? That's exactly what got one guy's 4th amendment defense thrown out - his wife 'owned' the car he used, so they weren't tracking his property and he didn't have standing.
-
Re:Zoning gone wild.
Best to not say anything to the cop.
Fixed that for you.
Source 1: http://www.schneier.com/blog/archives/2008/07/why_you_should.html
Source 2: http://www.flexyourrights.org/ -
You have to also mention Countering Trusting Trust
How can you reference Ken Thompson's "Reflections on Trusting Trust" (HTML/non-PDF version) without also mentioning David A. Wheeler's "Countering Trusting Trust" (as found via Bruce Schneier's blog)? So to answer your question:
What if you can't even trust your compiler?
Well so long as I have another set of compilers AND at least one is trustworthy then there is a process I can follow to build a compiler I can trust. After spotting differences in the resulting binary I would also need to (ah-ha) examine the source code of the used compilers and find out which one is mis-generating the binary and fix it.
At some point I need to be able to understand binary and read the source of the compiler that generated that binary to ensure that someone else is not jacking me.
-
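Added example, serving both the "Diverse Double-Compiling" comment earlier on this page and the "Countering Trusting Trust" one just above: a toy model, in Python, of the check Wheeler's paper describes. It is not code from the thread, from Wheeler, or from Schneier. In the toy, a compiler "binary" is Python source held as bytes, so the compiler is written in the language it compiles and can rebuild itself; the trojaned compiler's self-replication uses a `SELF` variable injected by the loader as a shortcut (a real trojan carries its own replication code), and the login program and all names (`COMPILER_SRC`, `TRUSTED_BINARY`, `ddc`, ...) are constructed for the demonstration.

```python
"""Toy model of David A. Wheeler's Diverse Double-Compiling (DDC).

A "binary" here is Python source stored as bytes; loading it yields a
compile_source(src) -> bytes function. Because the compiler is written in
the language it compiles, compiling the compiler's own source with any
compiler binary yields a new compiler binary, which is exactly the setting
Thompson's "Trusting Trust" attack exploits.
"""

# Source of the compiler under test (sA in Wheeler's notation). The toy
# "compilation" is the identity map: emit the text as UTF-8 bytes. Anything
# deterministic works the same way.
COMPILER_SRC = '''
def compile_source(src):
    return src.encode("utf-8")
'''

# The binary an honest build of COMPILER_SRC produces (cA, honest case).
CLEAN_BINARY = COMPILER_SRC.encode("utf-8")

# An independently written trusted compiler (cT): a different implementation
# with the same semantics for this language.
TRUSTED_BINARY = b'''
def compile_source(src):
    return bytes(src, "utf-8")
'''

# A Thompson-style trojan (cA, malicious case). It claims to be a build of
# COMPILER_SRC, but when it compiles the compiler it emits itself, and when
# it compiles a login routine it plants a master password. SELF is supplied
# by run_binary so the toy need not be a quine.
TROJAN_BINARY = b'''
def compile_source(src):
    if "def compile_source" in src:
        return SELF
    if "def login(" in src:
        src = src.replace("def login(user, pw):",
                          "def login(user, pw):\\n    if pw == 'letmein': return True")
    return src.encode("utf-8")
'''

# A constructed target program whose build the trojan subverts.
LOGIN_SRC = '''
def login(user, pw):
    return user == "alice" and pw == "correct horse"
'''


def run_binary(binary: bytes):
    """Load a compiler binary and return its compile_source function."""
    ns = {"SELF": binary}
    exec(binary.decode("utf-8"), ns)
    return ns["compile_source"]


def run_login(binary: bytes, user: str, pw: str) -> bool:
    """Load a compiled login program and call it."""
    ns = {}
    exec(binary.decode("utf-8"), ns)
    return ns["login"](user, pw)


def ddc(compiler_src: str, suspect: bytes, trusted: bytes) -> bool:
    """Wheeler's check.

    stage1 = sA compiled by cT; stage2 = sA compiled by stage1. If the suspect
    binary really is sA compiled by a compiler with sA's semantics, it must be
    byte-identical to stage2. A mismatch means the suspect binary does not
    correspond to its claimed source (or the build is not deterministic).
    """
    stage1 = run_binary(trusted)(compiler_src)
    stage2 = run_binary(stage1)(compiler_src)
    return stage2 == suspect


if __name__ == "__main__":
    print("honest binary passes DDC:", ddc(COMPILER_SRC, CLEAN_BINARY, TRUSTED_BINARY))
    print("trojaned binary passes DDC:", ddc(COMPILER_SRC, TROJAN_BINARY, TRUSTED_BINARY))
    # The trojan survives a rebuild from clean source ...
    rebuilt = run_binary(TROJAN_BINARY)(COMPILER_SRC)
    print("trojan survives rebuild from clean source:", rebuilt == TROJAN_BINARY)
    # ... and backdoors the programs it compiles.
    print("backdoor works:", run_login(run_binary(TROJAN_BINARY)(LOGIN_SRC), "bob", "letmein"))
```

Two things the toy makes visible that the paper states in prose: rebuilding the compiler from audited source with the suspect compiler does nothing, because the trojan reproduces itself; and the trusted compiler does not have to be bug-free or even good, only different enough not to carry the same trojan, plus the build must be deterministic or the byte comparison is meaningless.
-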
Re:More sites need to implement DNSSEC,
Your quotation attributed to djb doesn't seem to make much sense, and you don't indicate where you found it.
The latest "NSEC3" adds even more complications but does essentially nothing to repair the privacy leaks; NSEC3 might be successful at its marketing goal of stopping European privacy regulators but it will almost never be successful at the security goal of stopping attackers.
With DNSSEC3, every request and response packet has high-security encryption and authentication. Both DNSSEC2 and DNSSEC3 completely avoid the "NSEC" privacy leaks.
These statements appear mutually contradictory. Presumably the "privacy leaks" are the enumeration via NSEC of zone data, which some people think should be private (one wonders how much security they think they get out of that tactic, or why they put "private" information in a publicly accessible system). Yes, NSEC3 solves this problem. The FUD that it will "almost never be successful", like most FUD, comes without any example of a weakness in NSEC3.
* Although the DNSSEC protocol allows some conservative cryptographic options that won't be broken in the near future, what DNSSEC users are actually being told to deploy---to partially compensate for serious speed problems in DNSSEC---is something that big companies and botnet operators can _already_ break, namely 1024-bit RSA.
Really? That's news to me. You can see how plausible that claim is to Schneier here.
Certainly I wouldn't rely on 1024-bit RSA for the long haul, but of course, regular key rotation is part of the DNSSEC operational guidelines—months for zone signing keys, and 1-2 years for key signing keys. So if 1024-bit keys do become factorable, one simply switches to 2048-bit keys on the next rotation.
The "serious speed problems" claim is exactly the sort of FUD that keeps coming up. Yet no one ever cites any recent research, or quotes any actual numbers. I wonder why that is.
-
Just following Schneier's advice...
-
If I tell you how to hack the DC transit system...
If I tell you how to hack the DC transit system right here in this post, will DC issue an injunction to have slashdot remove the post? Let's find out!
In the DC system, you have to scan your card to get into and out of every station. Rather than having standard boarding fares like NY, it actually takes into account where you scanned in and where you scanned out and then deducts the appropriate amount for the fare between those two points at the time you scan out.
But say you leave the same station you entered. Maybe you missed your train and decided to take a cab, or forgot something, or got a call and changed your plans, or just want to rip off the DC transit system. Whatever. You always have to scan a card to get out, and if you scan the same card, it doesn't let you out for free, but charges you a minor fee. I think it was $0.25.
So, say you have a standard commute to work and back every day on the DC transit system:
Go into your point of departure and buy two cards, one with the appropriate fare to your destination. Swipe both of them in.
Ride to your point of departure. Swipe the exact fare card out and throw it away.
Go about your business at your destination. When you return:
Buy a new card and swipe it in.
Ride to your point of origin and Swipe OUT the card you only swiped IN at the same point earlier. You just rode there for $0.25.
The next day, swipe that same card in at the same station. Ride to your point of departure, and swipe out with the card you bought at that point yesterday. Another $0.25 trip.
Always continue to scan in and out at the same station using the same card. Every trip between those stations will be $0.25.
There is no expiration on how much time may pass between swiping in and out of the same station for the minimum fee. There is nothing set up to catch that one card is swiped in and out of the same station every day about 9 hours apart, while another card is swiped in and out of another station about 15 hours apart. At least, not unless they've fixed it in the past few years.
Obviously, buy the cards you use for this with cash, not a credit card.
If you really want to be a cheapskate, quadruple your money also. Then all repeat rides in the system will be priced at approximately $0.07 each. -
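The post above says nothing is set up to catch one card going in and out of the same station many hours apart. As an added example (not the poster's code, and not anything the transit system actually runs), here is the check an operator could run over its own tap records to flag exactly that pattern; the log format, card ids and station names are constructed for this example.

```python
# Added example, not from the post: flag cards repeatedly tapped IN and OUT at
# the same station many hours apart. Log format, card ids and station names are
# constructed; a same-station exit minutes later (the "missed my train" case
# the minimum fare exists for) is deliberately not flagged.
from collections import defaultdict
from datetime import datetime, timedelta

# constructed sample: ISO time, card id, station, direction
TAP_LOG = """\
2008-07-01T08:02 card-A STA1 IN
2008-07-01T08:02 card-B STA1 IN
2008-07-01T08:40 card-B STA2 OUT
2008-07-01T12:00 card-E STA1 IN
2008-07-01T12:03 card-E STA1 OUT
2008-07-01T17:30 card-C STA2 IN
2008-07-01T18:05 card-A STA1 OUT
2008-07-02T08:01 card-A STA1 IN
2008-07-02T08:45 card-C STA2 OUT
2008-07-02T18:10 card-A STA1 OUT
"""

def parse_taps(log: str):
    taps = []
    for line in log.splitlines():
        ts, card, station, direction = line.split()
        taps.append((datetime.fromisoformat(ts), card, station, direction))
    return sorted(taps)          # chronological order across all cards

def same_station_trips(log: str, min_gap=timedelta(hours=2)):
    """Pair each IN with the next OUT of the same card; return trips whose entry
    and exit station match and whose gap is too long to be a changed-mind exit."""
    pending = {}                 # card -> (time, station) of its open IN tap
    flagged = []
    for when, card, station, direction in parse_taps(log):
        if direction == "IN":
            pending[card] = (when, station)
        elif card in pending:    # an OUT with no matching IN is ignored
            t_in, s_in = pending.pop(card)
            if s_in == station and when - t_in >= min_gap:
                flagged.append((card, station, t_in, when - t_in))
    return flagged

def repeat_offenders(flagged, min_count=2):
    """Cards showing the pattern on at least min_count separate trips."""
    counts = defaultdict(int)
    for card, *_ in flagged:
        counts[card] += 1
    return {c: n for c, n in counts.items() if n >= min_count}
```

Pairing the two cards of one commuter (one at each end, each always entering and exiting its own station) is a second pass the operator could add, but even this single-card view surfaces card-A on two consecutive days.
-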
Re:Take a hammer to it...
Mine says not to leave *on top of* the microwave, or even the TV. So I do. It also says not to bend etc., I do that too.
Actually though, five seconds in the microwave should be enough to disable the chip.
There have been lots of discussions on the very point, see for example:
http://www.schneier.com/blog/archives/2006/09/renew_your_pass.html
http://www.davidicke.com/forum/showthread.php?t=20832&page=2
http://gizmodo.com/gadgets/wireless/how-to-disable-the-rfid-chip-in-us-passports-224321.php
http://www.engadget.com/2006/12/26/how-to-disable-your-e-passports-rfid-chip/
Or you could do a search for disabling passport RFID or something like that.
(What I got out of briefly reading those discussions is either a magnet (a CRT computer monitor or TV, I guess, would be easiest), or else a hammer.)