Safety First

Oh, come on. Really?

Perhaps you heard that a chunk of the Patriot Act has expired. In particular, the various three letter acronyms can no longer collect massive databases of information about who’s calling who, where everyone is when they call, and how long they talk.

Naturally, the Department of Homeland Security is horrified. “How can we keep America safe from the hordes of terrorists creeping through our infrastructure?” they ask plaintively. Never mind that there are serious doubts about whether those massive databases ever produced any results. Never mind that all of the data is still available. They can go to the phone companies and request exactly the same information at any time.

Sigh.

Keep in mind that this is the same Department of Homeland Security that’s also responsible for the Transportation Security Administration. Yeah, those guys who limit you to three ounce bottles of liquids and make you take off your shoes before you board an airplane. Those guys.

Have you also heard that, according to ABC News, a recent DHS test of airport security resulted in a 95% failure rate? Sixty-seven out of seventy of the test team’s attempts to sneak weapons past the TSA’s checkpoints succeeded.

It’s been said many times that the TSA’s efforts are “security theater,” something that looks good, but doesn’t actually accomplish anything. The ABC report, if true, makes it clear that the Theatrical Security in Airports group isn’t even giving us good theater.

At this point, I’d rather have Caltrans running our national security system than the DHS.

Yes, I complain a lot here about the Bay Bridge, with its massive cost overruns and possible inability to withstand a large earthquake. But even I admit that the bridge is serving its primary function–allowing drivers to get from the East Bay into San Francisco and back again–quite well. And, even with the cost overruns, the bridge still cost less than the $8 billion the TSA spends every year.

Before our elected representatives put together a way for the NSA and its friends to rebuild their phone call databases, shouldn’t they require the NSA to demonstrate how the database is at least better theater than airport “security”? And, before they give the TSA another $8 billion, shouldn’t they require the TSA to get its failure levels up to at least Caltrans’ demonstrated standard?

Tech Notes

As expected, Amazon has unveiled their upcoming pocket-sized advertisementsmartphone. That leak we discussed back in April was on the mark. There were only two significant things in Amazon’s grand unveiling that weren’t in the leak: Amazon’s eyes and Amazon’s ears.

Ears as in Mayday, eyes as in Firefly. The “Mayday” service that Amazon introduced on their latest generation of tablets is now coming to your phone. Yell for help, and the phone will connect you to a live customer service representative who can look at your screen and solve your problems. And “Firefly” gives your phone a specifically Amazon-centric eye. You simply take a picture of something, and the phone will tell you all the important information: where to buy it* and how much it’ll cost. Point your phone at that tacky lamp and find out how much it cost. Point it at your state senator and find out how much he costs. Great fun at parties!

* Do you suppose it will direct you to Barnes and Noble if you snap a picture of a Hachette book? Seems unlikely. I’m sure Amazon would rather take your money and wait weeks to ship you the book.

The NSA and its counterparts in other countries are, no doubt, pissing in their pants in eagerness for the public to get their hands on a phone designed to let third parties view its screen and optimized to quickly upload photos. But you probably thought about that already. Did you also think about how much more attractive to criminals Amazon’s customer data is about to become? Just wait until you answer a phone call to your shiny Amazon phone and hear a cheery voice with a thick accent say “Hi, this is Fred from Amazon. We see you’re looking at a Jimmy Choo handbag. We have a special deal going on right now for 25% off. But you need to act quickly because they’re going fast. No, we’ve already got your credit card number. Just give me the three digit code from the back and I’ll enter the order for you…” Real time, targeted phishing attacks. Coming soon to a phone near you.


OK, on to something cheerier (and thanks to Lior for pointing me at this one).

Have you heard about IkeaHackers? It’s a website devoted to, as founder Jules puts it, “modifications on and repurposing of Ikea products.” Ideas range from modest (adding a baby changing table to the top of a dresser) to the ambitious (turning a cabinet into a hanging rat cage). With the occasional diversion into the not quite so well-thought out.

Lior pointed me to instructions for building a catwalk. No, not a platform for fashion models. An elevated path-slash-lounging space for felines. It’s a simple hack, requiring only a bunch of Ikea shelves, lots of threaded bolts (maybe you can pick up some spares from Caltrans; I hear they have a whole pile of galvanized bolts they don’t know what to do with), and the willingness to drill holes in your ceiling.

What a great idea! Give your cats an elevated space of their own to hang out. No more tripping over them on your way to the bathroom at 3 AM. Just remember to duck before you bang your forehead.

I can’t speak for your cats, but ours can–and frequently do–spend hours watching a bug fly around near the ceiling, occasionally jumping at it, only to fall short by several feet. With this catwalk in place, they’d have an elevated launching platform. They might even be able to jump down at the pesky bugs. What fun! Hopefully you were smart enough to remove all breakables from any room with a catwalk. Then there’s Watanuki’s habit of assaulting toes and ankles. Do we really want to give him easy access to ears? I don’t think so!

So maybe the catwalk isn’t for us. It might be for you. Even if it’s not, chances are good you can find something on IkeaHackers that is for you. Take a look soon, though. IkeaHackers is currently in negotiation with Ikea over the use of the name. It appears that the core of the dispute is advertisements for non-Ikea products on the website. Negotiations are continuing as I write this, and Jules is hopeful for a peaceful settlement, but if a settlement can’t be reached, IkeaHackers will have to move to a new, and probably less memorable, domain.

Security, Again

Oh, goodie! Something new to be grouchy about.

A couple of days ago I received a new credit card in the mail. Not because the old one had expired. Oh, no, not a bit. The old one was good for another few months. This replacement was because of the old one “may have been compromised at an undisclosed merchant or service provider”. How nice. I can state with absolute certainty that it was not Neiman Marcus, as I’ve never shopped there. It could have been Target. I’m not too proud to admit that I sometimes shop there. For one thing, they have the best price around on dark chocolate M&Ms.

On the other hand, the letter with my new card did say “undisclosed”. News reports suggest that there were at least three other US retailers have been hacked in the same fashion as Target and Neiman Marcus. Despite the laws requiring disclosure, we may never know who those companies are: given the backlash against Target, they may decide it’s cheaper to risk fines for non-disclosure than to go public and have customers go elsewhere.

Not that there’s really an “elsewhere” to go to. Let’s face it, every retailer, online or brick-and-mortar, is vulnerable to hacking. It’s enough to make you want to go back to cash. Or maybe barter.

But I digress. Let’s get back to that shiny new card I got in the mail. I said that the old card would still have been good for a few more months. Guess what the expiration date on the new card is. Give up? It’s the same as the old card.

So I went through my usual routine to dispose of the old card: chopping it up into itty-bitty pieces, and then mixing the bits into the waste removed from the cats’ litter boxes. It may not be any safer than just throwing out the pieces, but I figure it should at least discourage the casual garbage thieves. Having done that, I braced myself to spend the next several days going around to all of the places that I have set up to automatically charge my card. Nothing important, of course, just little things like my cell phone, my insurance, and the home alarm system.

And then, in a couple of months when the new card expires and the company sends me another new card, I get to do it again. Such fun! What a thrill! What a great use of my time!

Now, keep in mind that this is, if memory serves, the third time this particular card has been replaced due to a security breach at a merchant. The whole “update the auto-payment” routine is getting a bit old.

So I called the company to ask if they could please issue me a new card with an expiration date a couple of years in the future. That way, I should be good with all of the auto-payments until the next security breach. I spoke to a gentleman (I use the term loosely) who was terribly sorry to inform me that there is “no tool to change the expiration date,” but that because I had raised the issue, they might someday have one.

I carefully explained that “might someday” didn’t do me any good now. “Oh, yes sir, I understand. You’ll be getting a call back from a manager soon.” On further questioning, it turned out that “soon” meant “in the next couple of weeks”. I pointed out for the second time that they only allowed a week and a half for me to switch to the new card, so a call in a couple of weeks wouldn’t at all. “Let me see if I can get you a firm date for the call back,” the gentleman said, and then hung up on me.

Of course, I swore for a couple of minutes, then called again. This time I got a disgustingly cheery young woman. I explained that another representative had hung up on me, and asked her to check what notes he had put on my account. “Wants to change expiration date” was the entirety of the message. No explanation of why or reference to the urgency of the matter. So I explained the whole thing to the second rep (in four-part harmony). “But that’s not a problem, sir. When the new card shows up in a few months, you won’t have to do anything because it will have the same number.” I pointed out that I would have to do something: update the expiration date at all of the relevant vendors.

“Oh,” she responded. “Let me talk to a supervisor. Don’t go away!” And off she went. Amazingly, she didn’t hang up. She returned a minute later and told me that they do not change expiration dates until there is less than two months remaining on the card.

“So,” I asked, “if this new card is compromised in the next couple of months, I’ll get another new account number with the same expiration date?”

“That’s right! It’s for your convenience!”

I was a bit shell-shocked at that. I didn’t ask her to try to explain how that was convenient for anyone except the credit card company. I just extracted myself from the call and spent the next several minutes banging my head against the wall, then went off to start updating my auto-payment accounts.

Oh, wait, I thought of someone else for whom an unchanged expiration date is convenient: the criminals who now have my old account number. Visa’s account number generation algorithms are well-understood as even a quick Google search will show. For certain types of cards, there’s a fairly small set of valid account numbers that could be assigned. It wouldn’t be that difficult to generate some trial card numbers and have them match up to the known expiration date. That’s all you need for many online vendors.

If you think about it, changing the account number generation process to also update the account expiration should be a minor software tweak. The code to choose a new expiration date already exists: it gets used whenever a card expires or when a new account is opened. Adding a call to that routine to the “change account number” code should be fairly trivial. Unless their code is a truly horrible mess, it would be a low risk change, and easy to test. But it would, of course, cost money. Visa’s net profit for fiscal 2013 was only $4.98 billion. I suppose a small software change like this would seriously imperil their bottom line. Such a shame.

Such is life. If you’ll excuse me, I need to get over to the Post Office. I’ve got some packages of shredded cards and litter box sweepings to send to Visa, Target, and Neiman Marcus. Maybe it’ll give them some new ideas on security.

Oh, My Heart!

Oh, for crying out loud.

The latest “hot” topic in the media is hacking of medical devices. It’s hardly a new story. It wasn’t new when we talked about it back in April: I cited reports about wifi-enabled, unsecured pacemakers dating back to 2008. So why is it suddenly all over the news?

Wait, before we go there, is it really all over the news? Well, the SF Chronicle ran a piece on the subject over the weekend which had previously appeared in Businessweek. Forbes has a short item on their website. And there are a number of others. It may not be at quite the same level of visibility as Perez Hilton’s feud with Lady Gaga, but it’s out there.

So, why is it out there? Two reasons: a hacked pacemaker played a key role in an episode of the TV show “Homeland”, and security researcher Barnaby Jack died last week just before he was going to demonstrate real-world hacks of pacemakers. Let me say that again. Last December, a character on a TV show was killed by someone hacking his pacemaker wirelessly. Late last month, a real person who had previously exposed security flaws in insulin pumps died of causes unknown. Said real person was going to show off his ability to short out pacemakers wirelessly (not control them, apparently, just destroy them).

It’s a pretty tenuous link, but it’s enough to hang a story or two on when things are slow. And the coincidence of Jack’s death just before his presentation is good for another couple of paragraphs in the story. Yes, I’m betting coincidence, unlike such noted venues of conspiracy theories as Twitter, Reddit, and ABC News.

ABC? Yup. Check out this lovely bit of unbiased (and well-edited) journalism:

Meanwhile, questions — and even conspiracy theories — are swirling around the Web regarding Jacks’ untimely death, with some even blaming the U.S. Government.

“This is an industry where a lot of money and danger is at stake,” ABC News consultant and former FBI Agent Brad Garrett said. “The work he was doing certainly put him at some risk,” ABC News consultant and former FBI Agent Brad Garrett said.

Of course, the San Francisco police, who have ruled out foul play must be in on the conspiracy, and the ongoing investigation is nothing but a transparent attempt to cover up the murder.  Fortunately, we can still get the occasional voice of reason. The Daily Dot quotes one participant in the Reddit discussion as pointing out that Jack had already given the same demonstration last year.

Not that I expect that little revelation to stop the conspiracy theorists. After all, how much credibility does some guy in Australia posting under the name “ThaFuck” have compared to a “former FBI Agent”? (That would be the same FBI that works with the NSA to conduct illegal “information gathering” on American citizens who have communicated with other citizens who have at some time communicated with still other citizens who have once communicated with people outside of the U.S.) Hey, wait a minute. Jack supposedly gave his presentation in Australia. That means he’s not only talked to foreigners, he’s actually been to a foreign country. He’s obviously a terrorist himself!

Ahem. The really frustrating thing here is that Jack’s good work is getting swept under the carpet for the general public. His exposures of the “implement first, release second, worry about security later” mentality that afflicts too much of the technology industry were a valuable service. (In fairness to the device manufacturers, I should note that some of the problems Jack and other researchers have found have been bugs rather than instances of “insecure by design”. Some.) Security flaws are dangerous in ways that go well beyond people’s possessions and financial information. In medicine and other fields, they can kill. We need more people like Barnaby Jack.