Showing posts with label bad security.

Tuesday, September 15, 2009

A tale of bad security

Back in 1987, I was working at a branch of the Federal Home Loan Bank Board. The FHLBB was an organization (now defunct) described to me when I was there as holding roughly the same place with respect to US savings and loans as the Federal Reserve did for US banks. [Insert half a dozen jokes that write themselves here.]

One of the things the 12 FHLBB branches did was to gather all the information on mortgage paper from their constituent S&Ls and transmit it at the same time every day to the mainframe in DC. This was done with a 2400-baud modem, which was a perfectly reasonable way to transmit data in 1987. What concerned me was that this was done with no data compression, no encryption, nothing. It was a clear, uncompressed flat text file with info on hundreds of millions of dollars of mortgage paper every day. PC-based compression and encryption were in their infancy back then--PKZip 2.0 was kind of the standard for this at that point--but that would've been a heckuva lot better than the nothing they were doing. Even worse, there wasn't anything that prevented someone from logging into the mainframe themselves. The password for logging in was "superman" and had been unchanged for over 2 years.

I figured I'd talk to the DP manager and suggest there was a problem. I don't recall his name, but he was a forgettably vague man who looked baffled by the things going on around him. I said that there was a problem with transmitting all this data at the same time every day in the clear on an unsecured line. "I see...." he said, looking confused. "Why would that be a problem?"

"Well," I explained, "if someone wanted to, they could monitor the data flow and get the mortgage numbers a month before they're released by the Fed and know what's coming. They could even go so far as to inject their own phony data stream into the system and artificially inflate or deflate the numbers by adding bogus mortgage paper numbers of their own."

"I see," he said again, slower. There was a slight pause and I could tell he was really trying to keep up with this but he was in way over his head already. "Why would they want to do that?" he finally asked.

"Well," I said (thinking "The natives really can understand you; they're just pretending they don't to be difficult, but if you keep speaking louder and slower, it should get through eventually!"), "if they inject their own numbers, they'll be able to affect the movement of interest rates on mortgage paper and then make money by making investments that reflect their advance knowledge of how the market is going to move."

"I... see...." he said again. I was dreading what he was going to say next, but sure enough, there it was: "Why would they want to do that?"

"It'd be a really bad idea!" I said. (You just can't help some people.) "You should change the password regularly to something secure, consider changing the time you transmit data, and maybe go for a secure line." He clearly had no understanding of why he needed to do any of this, but he said he'd take care of it. Okay, fine.

A few days later, I asked the guy who did the data transfer if he'd changed the password. "Yes," he said proudly, "I changed it to 'batman'."

The best you can hope for some people is that they'll just forget to breathe some day, y'know?
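The injection the post warns about works because the receiving mainframe had no way to tell a genuine daily batch from one with extra records added in transit. As an added illustration (not code from the original post, and not anything the FHLBB ever ran), the snippet below shows the smallest fix for that half of the problem: a keyed integrity tag (HMAC) over the batch, checked on receipt. The batch contents, the record format and the shared key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: a day's batch of mortgage records as a flat text file,
# in the spirit of what the post describes being sent in the clear.
# Fields are made up: institution id, date, principal, rate.
SAMPLE_BATCH = (
    "SL0001,1987-09-14,125000.00,9.75\n"
    "SL0002,1987-09-14,98000.00,10.10\n"
    "SL0003,1987-09-14,250000.00,9.50\n"
)

# Hypothetical key pre-shared between the branch and the mainframe.
# This is an assumption for the example; the system in the post had nothing like it.
SHARED_KEY = b"example-shared-key-not-for-real-use"


def tag_batch(batch: str, key: bytes = SHARED_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the batch text.

    The sender transmits the tag alongside the batch. Anyone who can see the
    line can still read the records (HMAC is not encryption), but without the
    key they cannot produce a tag that matches an altered batch.
    """
    return hmac.new(key, batch.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_batch(batch: str, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag on the receiving side and compare in constant time.

    Any record added, changed or dropped in transit changes the recomputed
    tag, so the batch is rejected rather than loaded into the day's numbers.
    """
    return hmac.compare_digest(tag_batch(batch, key), tag)


def tampered_copy(batch: str, extra_record: str) -> str:
    """Constructed test input: the same batch with one bogus record appended,
    standing in for the 'phony data stream' the post describes."""
    return batch + extra_record + "\n"


if __name__ == "__main__":
    tag = tag_batch(SAMPLE_BATCH)
    print("genuine batch accepted:", verify_batch(SAMPLE_BATCH, tag))
    altered = tampered_copy(SAMPLE_BATCH, "SL9999,1987-09-14,9999999.00,1.00")
    print("tampered batch accepted:", verify_batch(altered, tag))
```

The tag only covers integrity and origin; it does nothing for the other concern in the post, that the numbers can be read a month early by whoever is listening on the line. That needs encryption of the batch (or the "secure line" the author suggests), and a key that is actually rotated, which "batman" was not.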


Thursday, June 25, 2009

Homeland Security, by any other name...

...would be just as bad. The original Department of Homeland Security was something from Germany in the 30s and early 40s, with the "Abteilung der Heimat-Sicherheit" ("Department of Homeland Security"). What I hadn't stopped to consider was that the Soviet "Komitet Gosudarstvennoy Bezopasnosti" (better known as the KGB) translates as "Committee for State Security." There's a lovely short piece about this obsession with "security" here.

Wednesday, February 18, 2009

Airports don’t trust pilots not to hijack themselves

This letter appeared in the Telegraph today.

SIR – As an airline captain I am also searched, along with my crew, prior to boarding our aircraft (Letters, February 16).

On one occasion, on an international flight, my nail clippers were confiscated – I assume security considered I might hijack myself with them. Prior to departure, the handling agent presented our pre-flight paperwork, together with a set of chef’s knives removed from a passenger. They were given to me for safe-keeping during the flight.

I stowed them next to the flight-deck crash axe.

M.M. MacDonald

Springfield, Fife

Thursday, November 13, 2008

From StupidSecurity.com

Regular readers will be aware that I've quoted things from StupidSecurity.com before. Today's entry was a corker:

"My brother-in-law went through security at Auckland domestic airport and witnessed a passenger having to fish out her nail scissors from her handbag and leave them behind. He went through security and then boarded his plane. After being seated he could smell petrol. He knew you shouldn't be able to smell petrol on a plane, because planes don't use petrol. The smell got worse and eventually he got the attention of one of the flight attendants.

They started to look around to see where it was coming from. They found in the overhead compartment a chainsaw in a bag that was leaking petrol into the compartment. His plane was delayed as the owner was identified and the chainsaw removed and put with the main luggage. The owner of the chainsaw said security had stopped him but had let him through because it wasn't one of the things on their list to confiscate."


Thursday, April 26, 2007

Kazim Ali's "Poetry is Dangerous"

Kazim Ali, a faculty member at Shippensburg University, got hassled recently for putting out a box of old poetry manuscripts for the recycler, something he's done before on a number of occasions. This time, he was spotted by a ROTC person, who saw his dark skin and just knew he was a terrorist.

Sunday, April 01, 2007

Pranking the Super Bowl and the viewing public

This clip from zug.com is a story about how a dozen guys got together to prank the Super Bowl under the noses of federal marshals, Homeland Security guys, and probably lots of local police and rent-a-cops. They set it up so hundreds of people in the stands flashed a message on the screen, thinking they were spelling out Prince's name, but in fact, they showed a quite different message. To 93.1 million viewers.

What the author of the prank finds interesting--apart from the fact that they could do this so easily--is that the major news media apparently refused to report on it, on the grounds that (I'm paraphrasing here) this shows, once again, that the Emperor has no clothes. But it's not like we didn't know that already.

The author of this prank has a really good commentary about what they did here:

As I write this, I'm sitting in the Miami International Airport watching a TSA agent systematically destroy my carefully-packed carry-on luggage. He's taking every single item from my bag, including my fake business cards, badges, and detailed plans for the heist. Once we make it through this final checkpoint -- which we will -- we'll be on our way home.

No system is 100% secure. In a system as massively chaotic as the Super Bowl, there are too many variables to ever fully control. All they can do is look for rogue elements, then try to subdue or remove them. But when the rogue employees look exactly like the real employees, what can you do?

We live in a zero-risk society, convinced that more security, more police, more searches, and more technology will make us more safe. This is false. As we've proven, even four comics and a cameraman can outwit the most tightly-controlled event in history. Everyone did their job. No one did anything wrong. But no system is completely safe.

Life involves risk.

I want to leave you with this final thought. Life is some risky business. When we cling to the illusion of security, we give up our freedom and our privacy. When we willingly remove more clothing at airport security, when we allow our government to pass wiretapping legislation, when we give them power to spy on us, we are giving away our precious civil liberties that our founding fathers earned with blood.

So embrace the risk. Take a chance in life. Blow your kid's college education fund on a silly prank. That's what it's about. When we live in fear, then the bad guys have already won. (Are the bad guys the terrorists, or our own government? I'm not so sure anymore.)

It was the prank of a lifetime, and no one else could have done it. A corporate parent like Viacom would never have allowed Ashton Kutcher to do it for "Punk'd." College students could have thought it up, but would have never found the funds to pull it off. It was a magic moment, a momentous message.

Do you see?

The whole description of what they did and how they did it appears here.