Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Re:Looking good, too bad the press didn't understa
There are numerous refutations to your "never suggested that publishing their design or secrets would lead to better security". Many experts have said precisely that.
An IT Security article on full disclosure states that as early as the middle of the 19th century locksmith Alfred C. Hobbs thought full disclosure was important to clear up the rash of lock picking people were experiencing. It goes on to discuss exactly why full disclosure works so well.
David Wagner says in an article on security: "Today, many security companies are strongly resisting this, and I think they will need to learn to accept and embrace public scrutiny as a natural and necessary part of security systems." -- David Wagner and Ian Goldberg are the ones who cracked the security of the SSL layer in Netscape 4.
IEEE article abstract stating that full source code access can have "real benefits for security", although that's not automatic and it has to be done correctly.
Bruce Schneier -- yes, THAT Bruce Schneier -- has an article on his blog that starts "Full disclosure -- the practice of making the details of security vulnerabilities public -- is a damned good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure."
Is that enough or do I need to go to the second page of this Google search?
BTW, DJB thinks that both full disclosure and isolation of trusted components are absolutely vital. He's the guy who won the right for Americans to export cryptography technology in court against the Department of Justice. He also found a timing attack against OpenSSL's AES cipher and his Unix Security Holes class of 16 students turned up 91 previously unknown holes in one semester.
As for "Security by design", that helps. However, with many programs being written in languages which allow null pointers, stack overflow, buffer overflow, and array overflow the design can be as secure as you want and the program can still be crashed. In some cases arbitrary code can still be executed. Address randomization, NX bits, run-time bounds checking, and automatic memory management can go a long way. Sanitation of inputs, static analysis, time padding, and more still have to be considered in some cases.
The tests Coverity is running are an example of static analysis. If there's a C routine that can be coerced into smashing the stack or overflowing a buffer in the heap, that can often be automatically caught and reported. Memory leaks often can be, too. They're probably also able to do at least rudimentary checks for sanitizing input values. -
Re:A better analogy...
I think the answer is: no, that's not allowed. They are allowed to search in order to satisfy themselves that it is a book/document and not something nefarious (bomb, contraband, etc.)... but beyond that they cannot go rummaging through any data you happen to be carrying on your person.
Ya sure about that, sport? -
Re:Suitcase opening... HAH!
That sounds suspicious (for instance I doubt they can do it for mail). Care to back up that statement?
They can for mail. Thank this one to the "war" on drugs. -
Re:thepiratebay
Even better, things like The Digital Art Auction and Street Performer Protocol explicitly outline steps that one can take to both make money, and release their works into the public domain (thus allowing unlimited copying).
Recording companies et al simply don't like it because they'd have to overhaul their entire business, and would likely simply be realized as useless by the artists themselves. -
As simple as I can say this...
Hessen, and the rest of Germany too, listen up! Pardon my German, but... DAS ELEKTRONISCHE WÄHLEN IST SCHLECHT!! Did you get that? Electronic voting is bad! I don't know how many discussions, lawsuits, and protests that blast e-voting's many shortcomings it is going to take before they become what they should be, landfill fodder.
Seriously, at best they are a waste of money. At worst, and probably most likely, they add all sorts of new vectors for corruption in a process that is inherently corrupt. Listen, most sane people realize that instant election results are not worth the dangers involved with excessive automation of the process. Keep to Occam's razor. The simpler the system the better. Pen and paper are ideal, but a punch card system is a fair choice as well.
All the arguments are hashed and tired. There's no sensible reason to move to electronic voting. It doesn't magically increase turn-out. It's expensive. I needn't go on. However, if anyone on the elections board or whatever decisional authority over elections is reading this, this is a good starting point for comprehending the e-voting situation as it stands as a piece of the larger issue of elections in general.
SAGEN SIE NEIN ZUM ELEKTRONISCHEN WÄHLEN!! [Say no to electronic voting!!] -
Re:talk about crappy risk assessment
Jeremi wrote:
It's a common fallacy in humans to assume that just because a thing has never happened, it's unlikely to happen. At this point in history it's easy to see that such attacks can happen, the only thing we don't know is whether they will happen. Given that, I think it's wise to at least research and test appropriate countermeasures, so that if (at some point in the future) this sort of attack does become common, we'll at least have a response ready to deploy on short notice. Actually spending $40 billion attaching this system to every airliner would definitely be premature at this point.
Hi!
Sorry, but you also fell into the same trap. Let's pretend that there is a 100% guarantee that say, 4 jetliners will get blown out of the sky, with 300 people on each. OK. And let's assume it's done over an inhabited area, so there's a 25% boost in casualties. So, we're looking at 1500 total dead. OK. Fine. And let's say this happens, oh, I dunno. A year from today.
If things hold, about 43,000 people will die from traffic accidents in the year passing, which is about 118 people EVERY DAY. So, every 13 days or so, enough people die in car accidents as did in the terror squad action against the airliners. Deaths in cars are preventable: ban vehicles. Barring that, you then have to "make a deal with the devil" that YOU'RE not going to be the next highway statistic, and lord knows the USgov isn't going to spend 40 BILLION dollars on preventing traffic fatalities. Given that aircraft miles are an order or two of magnitude greater per person, you stand a better chance of dying on the highway the day of the terrorist action than you do in the planes that were shot down.
I'm not talking about unlikely to happen, either - I'm assuming 100% guarantee that they blow up airliners. The SIMPLE FACTS are that you stand a much better chance of getting killed in a car than in a plane, and that includes a plane flying on a day of a terrorist action.
I highly recommend you read this article on Risk Perception. It's very good and gives you an idea of where I'm coming from.
cheers,
RS
-
Re:Just to spike the ball.....
There are some security issues with Unicode URLs. See this article. There's been an attempt to define a matching process for Unicode domain names such that homoglyphs compare equal. This deters spoofing by using similar-looking Unicode characters, and makes it possible to type in domains.
-
It's about time!!!
I say this is a GOOD thing. In my opinion we should've started doing this from the very beginning. I'd much rather talk to a TSA agent trained in recognizing microfacial expressions, than go through the useless and annoying process of removing my shoes and throwing away my bottle of water. Unfortunately they're not likely to do away with the silly stuff, at least just yet. I still think this is progress towards effective security. The issue with TSA oversight is an entirely different matter.
Bruce Schneier has written about this before:
http://www.schneier.com/essay-076.html -
Geeks Beware; was Re:Racial Profiling
It avoids racial profiling but creates a new form of profiling, which basically means some new class of legitimate travelers will suffer the pain of false positives. I really worry about this kind of "expression reading" because:
1. It targets members of society who have above-average social anxiety, or "deviate from the norm" in some other way. Geeks and Nerds could end up being "more suspicious" simply because they either have mild social anxiety, or because they are "aware" of the facial profiling, hence they appear nervous (because they're thinking "oh crap they're analyzing my face... try to look natural and calm... but don't look like you're trying too hard!" and thus appear to be hiding something).
2. Overall, as soon as you create rules for deciding who gets greater scrutiny, you create a weakness that the enemy can exploit. The enemy knows what they have to train to avoid/circumvent, thus enabling them to suffer detailed searches less often than average, instead of more often (which was the intention). It has been shown many times that the optimal security strategy is often the one that uses perfect randomness, since there is no defense against it (see Schneier's analysis and this paper).
So, really, coming up with new and fancy ways to profile people isn't all that helpful. (Of course, there's the dim possibility that they are publicly claiming to profile, but are secretly using a random strategy, hoping that the enemy wastes effort in trying to circumvent a non-existent analysis system, thereby making them easier to catch... but somehow I doubt it.) -
Re:"behavior-detection officers"
Oddly enough, we aren't the first country to do this, and those who have aren't totalitarian regimes. And as strange as it sounds, when done properly (admittedly, not likely given the "lowest pay and least training wins the contract" system used for American airport security) behavioral profiling is actually an effective security measure; even Bruce Schneier, a Slashdot favorite for debunking silly security theater, is in favor of behavioral profiling when done correctly.
-
RFID - electronic passports
It is interesting that RFID no longer appears in stories. It has been replaced with "Electronic passports". The problems seem immense:
- Individual chips can be identified by the characteristics of the radio transmissions.
- Chips can be cloned. In England, biometric passports were already cloned.
- The shielding is not good enough if the passport is closed. So companies start selling stronghold bags.
- It's possible to track people. Tags can possibly be read at distances of meters.
- Forgery of digital passports could become a lot easier.
- The worst case scenarios of a data breach are a nightmare.
-
Re:Possible counter-attacks to myminicity link-spa
Frankly, in agreement with the post I replied to, I think any kind of activity within the framework of that game would in the end be counterproductive. What we need to develop is ways to "persuade" the game architects to prevent link-spamming from being profitable for the players of the game, or make games which encourage link-spamming not profitable.
Bruce Schneier often comments on the problem of these kinds of externalities. -
Re:New rule
Bruce Schneier has run two; the latest one can be found at http://www.schneier.com/blog/archives/2007/04/announcing_seco.html
"Your goal: invent a terrorist plot to hijack or blow up an airplane with a commonly carried item as a key component. The component should be so critical to the plot that the TSA will have no choice but to ban the item once the plot is uncovered. I want to see a plot horrific and ridiculous, but just plausible enough to take seriously.
Make the TSA ban wristwatches. Or laptop computers. Or polyester. Or zippers over three inches long. You get the idea." -
Re:Not CCTV
Sometimes they are both. The automatic number plate recognition (ANPR) network uses CCTV cameras to (a) enforce special road taxes like the "congestion charge", (b) make a timestamped record of every number plate that passes each camera, and (c) enforce speed limits.
This is arguably worse than non-automated CCTV systems even though a human operator may never see the pictures that are recorded. The number plate information goes into a database, where it may be stored indefinitely for "crime prevention purposes". Bruce Schneier wrote that 'It's not "follow that car," it's "follow every car."' So there are certainly valid political reasons to object to this type of surveillance beyond simply objecting to a speed limit. It is nice to see people who actually give a shit about this stuff, even if I do not agree with their methods, since most Brits couldn't give a fuck about anything the Government does. -
Re:Not sure how "secure" this scheme is...
This will just cause people to write down their passwords.
And what, exactly, is wrong with this? Bruce Schneier offers the following wisdom:
I write my passwords down. There's this rampant myth that you shouldn't write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet. -
This is why telescopes should be regulated, too.
The answer to your question is no. Seems like most everyone here agrees they behaved like idiots, and that messing with a pilot's vision is life-threatening, and if the story is all true they probably deserve to be charged and hauled before a judge. But I can't buy your second reason the way you said it:
The second reason is similar: because lasers are damn straight sighting mechanisms . . . and a missile can be targeted on the aircraft . . .
Maybe you are saying that the pilot and passengers might have thought they were being targeted by anti-aircraft fire, hence losing their heads and crashing due to panic, not due to being struck by any weapon. That's not a bad reason, but it isn't what you said. You said nothing about the laser causing unsafe flying; rather, about the laser causing a missile hit. I would paraphrase your reason as, "Not only is the laser itself disorienting to the pilot, but also this laser technology is used for even worse things: weapons that could have taken down this helicopter!" Whether or not you meant that, the very same kind of silly reasoning is rampant these days: "This technology can be used for bad things, so the technology itself is bad! Let's suppress the technology, make its name synonymous with its misuse, and assume the worst about anyone who is using it." Hence, "Don't just punish these idiots for their crime, also punish them because they were brandishing the laser half of a laser-guided missile!" In general, since technology X can be used for $VERY_BAD, any offense with technology X deserves extra punishment. Certain analogies are unavoidable.
The same thing happened in Boston when Adult Swim advertised Aqua Teen Hunger Force and the police went berserk over some illegally placed glowing lights -- which I assume is something like a littering offense. Their explanation was that they thought the glowing lights and the visible batteries might have been a bomb -- since, from movies, we know bombs have glowing LEDs on them. So let's prosecute the perps for a hoax bomb on top of littering.
This kind of delusion if taken to its logical conclusion would involve attempted murder charges for, say, a larceny where the robbers tied up the victims with rope. (Rope can be used for hanging someone.) A peeping tom who uses a telescope would be charged the same as a sniper. Sharing mp3s = commercial piracy. And so on.
I daresay that we, the proud members of the Nation of
/., oppose this kind of perverse justice. We don't excuse wrongdoing, but we do try to put the wrongdoing in the proper perspective. -
Re:You know...
check my MD5 signatures
What's the point?
What's the point, indeed. We should have moved away from MD5 signatures years ago. It's only a matter of time before some maliciously inclined asshat starts forging MD5 signatures on FLOSS packages, just to prove a point.
MD5 is broken and should not be used. It's time the FLOSS world went to at least SHA-224, if not SHA-512 (for future proofing, lots of bits). And just for reference, there is an open call for a new secure hash.
-
You're doing it wrong
The talk referenced by Schneier in his essay as being the one that publicly disclosed the backdoor was given by two Microsoft researchers. So all the "OMG micro$oft iz so stoopid" posts might be a bit .... misdirected. Shhhh! That's not the way to bash Vista! Regardless, I was wondering when this little fact would spring up, and lo and behold it is by an AC after hundreds of 'stupid microsoft' quips.
Let us all eat a large slice of humble pie. -
Worth Noting
-
This is not Trivial...
Supporting Information from Original Author:
Cryptanalytic Attacks on Pseudorandom Number Generators
J. Kelsey, B. Schneier, D. Wagner, and C. Hall
Fast Software Encryption, Fifth International Workshop Proceedings (March 1998), Springer-Verlag, 1998, pp. 168-188.
ABSTRACT: In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of this model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.
http://www.schneier.com/paper-prngs.html
If you have been keeping up with computer security, everyone should be aware of the weakness of random number generators and its vast effects over large sections of the computer world. This is not trivial... -
Re:Open source malware?
"Open source hackers create programs to take over your computer, how can you trust them?"
This article is right on the tail of a post on Schneier's blog about Chinese kids winning hacking prizes.. funded by the PLA..
Hackers in the USA shouldn't be put out of business, they should be 'recruited' into cushy salaried jobs working for the Govt... One day they'll be the ones we HAVE to trust to defend us from attack. -
Re:strange answer on wireless
That answer is so bad it almost sounds like sarcasm. Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.
As the man himself says: "For the record, I have an ultra-secure wireless network that automatically reports all hacking attempts to unsavory men with bitey dogs."
Seriously though, Bruce has explained several times that the best choice is "secure the hosts, open the network". I personally like to take no chances and attempt to secure both, but that doesn't mean that Bruce is wrong per se, just that his opinion is unsettling. Think about it in great depth for a while, and you'll see he has a quite valid point. -
Re:Slight problem with this approach
I need a record of my passwords outside my brain. Where should that record exist?
For backup, on a piece of paper, maybe in your wallet. For quick access from your computer, get a password manager. PasswordSafe works great for me. Make sure you get a newer version, because some attacks have been found against older ones (but that's true about almost any security software). -
Re:His comments on terror and cameras were
We can live in fear and magnify risks that are, in reality, very minimal, or we can realize they're minimal and stop worrying about them.
Very minimal is right! Consider this think piece on the relative dangers of terrorism and peanuts. The essay he linked to: "Portrait of the modern terrorist as an idiot" mirrors my own thinking on the matters of airport security and average terrorist intelligence, for instance: why wouldn't a terrorist simply hide a dangerous NON-metallic implement under his shirt - perhaps a knife made of toughened glass or some such, to get through the metal detector? Or, better still, why bother boarding the plane at all? Surely these well-funded terrorist masterminds could see fit to sit two suburbs over from the airport with a shoulder-mounted rocket launcher? I imagine if they timed it right at a peak hour, they could probably take out half a dozen aircraft and still get away to terrorise another day. But instead, we find ourselves under attack from shoe bombers who are too stupid to think that maybe they should light their explosives somewhere where they won't be seen, like, say, the toilet?
I remember reading after the London bombings that the terrorists had bought return tickets, which led the media to surmise that they had been duped into suicide-bombing, and they had expected that they would get away. However, now that I think about it, no-one considered the possibility that they incompetently set the timers? After all, anyone who buys a return ticket on a subway line that they're planning on blowing up obviously isn't the sharpest tool in the drawer. -
Re:Shocked
Bluetooth has been beyond its last legs for years now; here's a 2005 attack that forces devices to pair then uses the captured pairing packets in an *offline* attack on the PIN. I'd be very wary of trusting confidential data to even bluetooth keyboards. Maybe for an HTPC or something it's ok...
http://www.schneier.com/blog/archives/2005/06/attack_on_the_b_1.html -
Estimating Risk
Basically everyone I've known who has died, has died of cancer. It drives me crazy that we're spending hundreds of billions of dollars to avenge the deaths of 3,000 people, while under four billion is spent on fighting cancer, which kills half a million people each year. It reminds me again how terrible people are at estimating risk.
References:
NCI budget
Cost of Iraq war
cancer deaths -
Re:Terrorists?
Bruce Schneier is brilliant, no question about it, but the man has terrorists on his brain, and ever since 9/11 they have been the perpetual example in Crypto-Gram.
Are there two Bruce Schneiers? The man you are describing is nothing like the one I read (other than being pretty smart, I guess). This is a typical recent example. His main message about terrorists has been to put the terrorist threat in perspective and not to overreact to it. (He was mentioned in the summary because another theme he pursues is cryptography.) -
You Trust Who?
Countering "Trusting Trust":
"It's interesting: the "trusting trust" attack has actually gotten easier over time, because compilers have gotten increasingly complex, giving attackers more places to hide their attacks."
January 23, 2006
http://www.schneier.com/blog/archives/2006/01/countering_trus.html
Ref.
Reflections on Trusting Trust:
http://cm.bell-labs.com/who/ken/trust.html
Truly, ALL your base is belonging, not just a little.
[firmware] -
Well known scare-mongering firm
These guys are well known scare-mongers over in Europe and this is just another typical OMFG!!!!! press release. It's certainly not news and it won't make me any more likely to call these cowboys up the next time I am looking for some non-hysterical security advice.
Give me Marcus, Bruce, or these guys any day. When is the security industry going to move on from this FUD?
Next! AG.
-
Re:Firefox add-on
Have you seen Bruce Schneier's opinion on your plugin?
If your plugin still works as described, then I'd say it's very imperfect. I don't think the approach is completely wrong though, but it could use improvements.
This reminds me of the old idea of randomly embedding key words like "president", "nuke", etc in mail and usenet posts, to mess with Echelon/Carnivore. A mail with random key words inserted in places would work for triggering the data gathering, but look obviously unrelated to a human who reads the message, as the extra stuff would be inserted in nonsensical places.
Now if your plugin happens to google for "raping virgins" how will you prove this wasn't a real search you tried to hide among a heap of a lot of grammatically incorrect ones? Searches that make grammatical sense will be a minority, and with a list like that there's a high chance that they won't be things normal people google about.
Then there's that it doesn't seem it actually follows any links from the searches, so if the ISP is doing logging it's easy enough to tell what is being actually used.
This seems to me like going to a library, and borrowing 20 books at once, including the Anarchist Cookbook and Mein Kampf, to try to hide your actual and much more harmless interest in reading a book on say, Neopaganism. If your history is checked, all that extra stuff you didn't read isn't going to help you any, because there's no way to tell that most of your history was intended to be padding and you haven't even opened it. -
Re:I'm sorry, but Shneier fails it
Would slashdot post a counter-terror expert talking about computer security if he had no experience whatsoever in that field?
If that counter terror expert offered cogent arguments, sure, why not? If the arguments are wrong, refute them, don't engage in the logical fallacies of ad hominem attacks and appeals to authority. Security isn't some magical concern that only a few high priests can speak on. Security is a day-to-day issue that everyone needs to consider. Security is a matter of government and politics, an area that every interested citizen can debate and try to influence our government.
"It Just Don't Look Right" is a time-tested law enforcement mantra.
Indeed, it is. And Schneier agrees (although he calls it acting "hinky," a word a customs agent used to describe someone's behavior that led to their arrest). But you're suggesting a false dichotomy between ignoring everything and calling in the most minor of suspicions. Schneier's proposal is pretty clear: you need knowledge to be able to accurately identify hinky.
-
Bruce Schneier on why that's a bad idea.
So why couldn't that "positive" information be brought together into some sort of format that would quickly and simply provide positive evidence that we should be granted admittance to wherever we wanted to go?
I highly recommend "An Easy Path for Terrorists," written by security expert Bruce Schneier. He's talking about the "Trusted Traveler" and "Registered Traveler" programs designed to speed up the airport security lines, but it's the same problem, the same proposed solution, and has the same flaws in the solution. In short: if you create a low security route ("I've got a card that says I'm safe, so don't search me"), some terrorists will manage to get into the low security route. You've created a more complex system with more possibilities for attack.
-
The Lemon Market
I was there and another thing he mentioned was The Lemon Market which is a market in which the seller of a product knows much more about the product than the buyer. The guy who invented this won the Nobel Prize for his work.
Guess what, in a Lemon market, all the Lemons get sold and only a few of the good products, the IT market most often is a "Lemon market", and that explains why the best products don't always come out on top. -
Re:Thanks Bruce, but call us when you're qualified
I don't usually respond to negative posts, but this is something I feel quite strongly about:
1. You don't have to have a qualification in something to know enough to make an enlightened statement about a particular subject. If we were to restrict talking about the weather only to meteorologists, small talk would vanish overnight. In a more serious vein, interdisciplinary research would be even more difficult than it is now. Imagine having to have a qualification in both psychology and security to be able to publish research into this?
2. A qualification is simply a piece of paper that has been accredited by some educational body, presumably recognising a standard of education in a particular field. Just because you don't have the piece of paper doesn't mean you don't have the knowledge. How do you know that Bruce Schneier doesn't, in fact, know as much (or possibly more) about evolutionary biology or behavioural psychology than yourself? Does the fact that I haven't studied engineering preclude me from having insightful discussions with an engineer? Do my opinions matter less because I don't have the degree? Does the fact that I have a PhD in computer security (and you presumably don't) mean that any opinion I state on the subject is somehow more valid because I hold the qualification and you don't?
3. Bruce Schneier is eminently qualified to make statements about security (which is after all a central aspect of his thesis). He has been conducting extensive research into psychological aspects of IT security (you can see a draft essay on the topic at http://www.schneier.com/essay-155.pdf). This research has included long discussions with psychologists and serious reviews of the literature. I would contend that there are very few people on this planet that are truly as knowledgeable in both security and the psychology of security as Bruce Schneier is now. I would be equally interested in the views of a psychologist who undertook research into security -- I know only of a handful that have done so, and none have the particular angle that Schneier has adopted.
4. That is not to say that everything Schneier is saying on the topic is faultless, or that I agree with everything he says, but I'll debate the ideas, not the man. I personally find it objectionable to anthropomorphise an evolutionary process, or talk about the intent of evolution. But what do I know, I don't have a degree in evolutionary biology...
-
Bad reporting?
How in the hell does this relate to IT security?
If you read Schneier's regular blog, you'll see that he regularly talks about security topics in general, not just IT security. The tagging of this talk as being narrowly related to that may be a case of inaccurate reporting; given what Schneier regularly talks about, I'd have been surprised if his talk hadn't covered non-IT security topics.
-
Re:Wait a minute
Bruce Schneier wrote that the worm was starting to retaliate. It was linked to by a poster on this Slashdot story. The guy who posted the analysis you refer to seems to be a lowly sysadmin (He's affiliated with Network Operations at the UCSD - so not a researcher) - I would tend to believe Bruce more, and viewed that analysis with some skepticism, which now appears to have been justified.
-
Re:Illegal forgery and defense
So it seems that bt clients now need a "Comcast switch" to ignore RSTs, like you suggest. I seem to recall that the Great Firewall of China is using the same RST approach to block a lot of content.
Thanks, guys, for encouraging us to ignore RSTs. Seems like a *great* idea for your network's long-term health. Why don't you just assign bt traffic an evil bit and let our RFC standards process do the rest?
-
Re:Bruce Schneier discusses the Storm Worm
Here is Schneier's Blog on the Storm Worm with more information: http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
also
Computer Science Laboratory, SRI International, has a report Dated 10-10-07 on the Storm Worm with good detail: http://www.cyber-ta.org/pubs/StormWorm/report/
PDF of the same report: http://www.cyber-ta.org/pubs/StormWorm/SRITechnical-Report-10-01-Storm-Analysis.pdf
-
Bruce Schneier discusses the Storm Worm
http://www.schneier.com/crypto-gram-0710.html#1
A good essay on the Storm Worm and how it works and how it can be prevented (or rather why it CAN'T be prevented in many cases).
-
IT journo misses the point, again
Surprise, surprise.
As Bruce Schneier points out, the problem is not that Microsoft can install updates on your computer without asking, but as soon as it gets cracked, then soon every script kiddy on the planet will also be able to do so.
Then you're really going to be screwed.
-mike
-
Re:It doesn't "remotely shut down vehicles"
Or perhaps the police would abuse the system. For
... for what exactly?
I dunno. Maybe they want to murder their ex-girlfriend who is running away in her 2009 GM automobile. Or perhaps they want to stalk their ex-girlfriend.
Government officials aren't exactly super human. They are people like everybody else and they will abuse anything they have available to them.
Similarly with this stop button. Instead of a driver speeding away from the police, potentially killing himself or a family in the opposite lane, the chase can come to a quick and safe (for everyone) halt.
In some jurisdictions they have solved this problem by not giving chase. This way citizens could decide which they are more concerned with, an abusive government employee or a crook stealing their car.
-
Covering up isn't enough
Of course with PDF even if it appears to be completely blacked out, it might be still readable by copying and pasting the text.
-
Re:that is bullsony sucks. Citation, please?
It's a well known fact that sony sucks, but if you really need a citation, there's this
Q.E.D.
-
Re:Boycott USA products
Click the link at the bottom for all the links that were in Bruce Schneier's original text.
September 25, 2007
Chlorine and Cholera in Iraq
Excellent blog post:
So cholera has now reached Baghdad. That's not much of a surprise given the utter breakdown of infrastructure. But there's a reason the cholera is picking up speed now. From the NYT:
"We are suffering from a shortage of chlorine, which is sometimes zero," Dr. Ameer said in an interview on Al Hurra, an American-financed television network in the Middle East. "Chlorine is essential to disinfect the water."
So why is there a shortage? Because insurgents have laced a few bombs with chlorine and the U.S. and Iraq have responded by making it darn hard to import the stuff. From the AP:
[A World Health Organization representative in Iraq] also said some 100,000 tons of chlorine were being held up at Iraq's border with Jordan, apparently because of fears the chemical could be used in explosives. She urged authorities to release it for use in decontaminating water supplies.
I understand why Iraq would put restrictions on dangerous chemicals. And I'm sure nobody intended for the restrictions to be so burdensome that they'd effectively cut off Iraq's clean water supply. But that's what looks to have happened. What makes it all the more tragic is that chlorine -- for all the hype and worry -- is actually a very ineffective booster for bombs. Of the roughly dozen chlorine-laced bombings in Iraq, it appears the chlorine has killed exactly nobody.
In other words, the biggest damage from chlorine bombs -- as with so many terrorist attacks -- has come from overreaction to it. Fear operates as a "force multiplier" for terrorists, and in this case has helped them cut off Iraq's clean water. Pretty impressive feat for some bombs that turned out to be close to duds.
I couldn't have said it better. In this case, the security countermeasure is worse than the threat. Same thing could be said about a lot of the terrorism countermeasures in the U.S.
http://www.schneier.com/blog/archives/2007/09/chlorine_and_ch.html
-
as bruce schneier said
Let's look at some numbers. We'll be optimistic. We'll assume the system has a 1 in 100 false positive rate (99% accurate), and a 1 in 1,000 false negative rate (99.9% accurate).
Assume one trillion possible indicators to sift through: that's about ten events -- e-mails, phone calls, purchases, web surfings, whatever -- per person in the U.S. per day. Also assume that 10 of them are actually terrorists plotting.
This unrealistically-accurate system will generate one billion false alarms for every real terrorist plot it uncovers. Every day of every year, the police will have to investigate 27 million potential plots in order to find the one real terrorist plot per month. Raise that false-positive accuracy to an absurd 99.9999% and you're still chasing 2,750 false alarms per day -- but that will inevitably raise your false negatives, and you're going to miss some of those ten real plots.
source: http://www.schneier.com/blog/archives/2006/03/data_mining_for.html
-
Refuse to be Terrorized
Bruce Schneier said it quite well in his essay Refuse to be Terrorized:
The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics.
The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.
And we're doing exactly what the terrorists want.
The United States of America came to be so highly regarded because it was the intellectual center of the world, a place for all to be free and listened to; now the forward-thinkers are more distributed, the US educational system is in horrible condition, and free speech is trodden upon regularly. The nation's leaders continue to extend American interests into places they do not belong, and they compromise the downsides by limiting freedoms at home. This hardly seems fair.
-
Ranum's quote
I like Marcus Ranum's response to Schneier in a recent point, counter-point, which fits nicely with the parent's post:
"Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is, today."
-
Re:"Yeah, those suspicious e-lectronics".
Somewhat off-topic
Couldn't find the video link using Google, but I did stumble upon this:
http://www.schneier.com/blog/archives/2007/06/headmounted_pol.html
I recently read that some SF Muni buses will have cameras installed on them to video assist in the ticketing of vehicles that are in the bus/commuter street lanes impeding the buses from keeping schedule.
===
I wonder if she arrived at the airport with an outer jacket (say, on public transit or in a taxi), or if she drove herself in. Still, if she wore NO outer jacket, then how and why did it take HER OWN walking AWAY from the ticket agent before she was approached and surrounded?
It's lame if NOBODY in the airport (isn't Logan busy, with THOUSANDS eyeballs?) said anything despite seeing her, until the employee with direct contact of her "art" did the right thing and reported the encounter.
I know first-hand how X-Ray machine operators will lie to you to detain you without arousing your suspicion while airport/local police will approach and surround you, ready to fire at your first wrong move.
In about Dec 1984 (I was barely 19), on return from leave, I decided I was going to take back to my ship (for security alerts) a semi-metallic, mostly concrete-like .45 caliber-pistol-looking thing I'd been playing with since childhood. I stupidly didn't pack it in my check-in, and stuck it in the top of my duffel bag. I'd forgotten (stupidly) that X-RAY machines would pick it up and unnecessarily make a scene. (Hey, don't beat me up TOO badly, here. Experienced law enforcement officers before 9/11 would forget to declare weapons, handcuffs.... etc...)
The machine operator saw the silhouette, held up the conveyor, and after about 30 seconds when I asked if I were going to make my flight (I was arriving too close to departure time) she apologized and said, "There's something wrong with the machine." About 20 seconds after that, I happened to look around and lo and behold more than 13 or 15 HPD (Houston Police Department) or Houston Intercontinental (IIRC, I don't think I was flying out of Hobby that day) were poised, at the ready, (in head-shot firing position) WAITING for me to make a wrong move.
This shit's deadly serious, and that dumb-assed MIT girl is lucky she didn't wear more realistic stuff or get shot from behind if seen any earlier. That she kept her wits and DIDN'T get shot, and that she premeditated this, is an indication she was just as aware as I was that her plan and my forgetfulness/laziness/procrastination at getting to the airport is NOT something to screw around with.
I suppose recounting this fact means that I'll be further scrutinized the next time I book a flight. Of course, my incident was before mass databasing of things. Maybe my active duty military ID & duffel and uniforms and such, non-prior-contacts, etc, and my mom's presence saved my ass that day.
Interestingly tho, in Summer 2001 (read: MAY/JUNE) I was not allowed to take in my hand-carried luggage a pair of red, plastic, toy handcuffs I was taking (along with massage oil, candies, and a teddy bear) to a girl on the East Coast. The gate agents wouldn't even arrange to lock the toy cuffs away DURING flight, despite the fact they were so flimsy as to be symbolic for play in privacy, not securing or taking control of anyone on a plane.
BTW, anyone been thru those re-entry puffer-sniffer scanner machines? I recently was in one. I wonder what kind of (if any) isotopes they're throwing at us.