It’s a Threat!

It’s been a bad week for anyone who pays attention to security.

Remember CISPA, the bill that would have allowed companies to share pretty much any customer information with the government and each other in the name of “cybersecurity”? CISPA passed in the House, but never made it out of the Senate. Of course, no bad bill ever really dies, and this year’s zombie version zipped through the House with little opposition. In late October, the Senate passed their own version, known as CISA (Cybersecurity Information Sharing Act).

Late last week, InfoWorld reported that assorted Congress critters have been meeting to reconcile the House’s CISPA and the Senate’s CISA, and potentially merge them with two other related bills, PCNA (Protecting Cyber Networks Act) and NCPAA (National Cybersecurity Protection Advancement Act).

Is anyone surprised that the changes being discussed relate to removing what few privacy protection measures the bills included? Or that the combined bill would potentially make the NSA–yes, the same NSA whose charter is to spy on potential threats outside the United States–into the lead agency to manage the sharing of information?

Well, this week it got even better. “Better” for anyone who wants to give the NSA more authority to monitor Americans inside the U.S., that is. Worse for anyone who honestly believes they have a right to privacy. The new and “improved” version of CISA, stripped of those weak privacy protections, was–according to Engadget–included in the budget bill introduced Tuesday.

Yes, the budget bill that has to be passed in order to avoid another government shutdown like the one we had in October of 2013. The one that must be passed so quickly nobody’s going to have time to read all 2,000 pages, much less understand their implications.

Joy.

Meanwhile, the Federal Aviation Administration has released its regulations regarding drone registrations. All drones, even those purchased before the rules go into effect on Monday, must be registered. Failure to do so leaves the owner liable for civil fines of $27,500 and criminal penalties as high as $250,000.

Registering a drone will cost you. There’s a charge of $5, and you’ll need to re-register every three years. And yes, the FAA will be taking your credit card information in order to charge you. So, not only will they have your name, address, and other personal information, they’ll have your card information. Shall we start a pool on how long it’ll take for someone to hack the database and start selling the information?

For the record, a “drone” is defined as an unmanned aircraft weighing more than 0.55 pounds but less than 55 pounds, controlled remotely (which exempts paper airplanes* and Frisbees), and operated outdoors. So, if you’re planning to smuggle a remote-controlled airplane into the next basketball game you attend, you don’t need to register it, but you will if you’re going to a football game (no roof on most football stadiums, so they’d be “outdoors” by definition).

* The PowerUp gadget that lets you remote-control a paper airplane with your smartphone is, fortunately, well under the 250 gram lower weight limit. A typical paper airplane with a PowerUp attached will weigh less than 15 grams.

And then there’s the latest example of what security guru Bruce Schneier calls “CYA security”: doing something in the face of a threat so nobody can accuse you of taking any risks.

Tuesday, every school–more than 900–in Los Angeles was closed. Why? Because of a bomb threat. According to an anonymous e-mail, a coordinated attack would be made against every school in the city with bombs, assault rifles, and nerve gas.

Never mind the fact that such an attack would take far more than the thirty-two people the message claimed would be involved. Forget that the letter failed to capitalize “Allah”–a mistake no Islamic extremist would ever make. Disregard the recent episodes of the TV show Homeland which involved an extremely similar threat.

Far better to cancel school for 600,000 students and spend thousands of dollars searching every single school for explosive devices than to allow any perception that the school district is taking chances with the lives of children. Remember, there are elections coming up. (There are always elections coming up.)

At least administrators in New York, who received an identical e-mail, recognized it as a hoax. Maybe the LA school district was swayed by their proximity to Hollywood, where any threat is a credible one.

Safety First

Oh, come on. Really?

Perhaps you heard that a chunk of the Patriot Act has expired. In particular, the various three letter acronyms can no longer collect massive databases of information about who’s calling who, where everyone is when they call, and how long they talk.

Naturally, the Department of Homeland Security is horrified. “How can we keep America safe from the hordes of terrorists creeping through our infrastructure?” they ask plaintively. Never mind that there are serious doubts about whether those massive databases ever produced any results. Never mind that all of the data is still available. They can go to the phone companies and request exactly the same information at any time.

Sigh.

Keep in mind that this is the same Department of Homeland Security that’s also responsible for the Transportation Security Administration. Yeah, those guys who limit you to three ounce bottles of liquids and make you take off your shoes before you board an airplane. Those guys.

Have you also heard that, according to ABC News, a recent DHS test of airport security resulted in a 95% failure rate? Sixty-seven out of seventy of the test team’s attempts to sneak weapons past the TSA’s checkpoints succeeded.

It’s been said many times that the TSA’s efforts are “security theater,” something that looks good, but doesn’t actually accomplish anything. The ABC report, if true, makes it clear that the Theatrical Security in Airports group isn’t even giving us good theater.

At this point, I’d rather have Caltrans running our national security system than the DHS.

Yes, I complain a lot here about the Bay Bridge, with its massive cost overruns and possible inability to withstand a large earthquake. But even I admit that the bridge is serving its primary function–allowing drivers to get from the East Bay into San Francisco and back again–quite well. And, even with the cost overruns, the bridge still cost less than the $8 billion the TSA spends every year.

Before our elected representatives put together a way for the NSA and its friends to rebuild their phone call databases, shouldn’t they require the NSA to demonstrate how the database is at least better theater than airport “security”? And, before they give the TSA another $8 billion, shouldn’t they require the TSA to get its failure levels up to at least Caltrans’ demonstrated standard?