McCain proposes an unfunded mandate for ISPs

Declan McCullagh at News.com reports that Sen. John McCain is preparing to hold a press conference with John Walsh of America’s Most Wanted and Miss America 2007 to announce a bill that will create a new mandate for Internet Service Providers to eavesdrop on all of their customers’ email and web traffic in search of child porn images. The act apparently requires ISPs to implement new technology to compare all images transmitted or received by their customers to a federal database of images (presumably via some one-way hash function, so that the database is not itself distributing child pornography), and to report any that are detected to John Walsh’s National Center for Missing and Exploited Children, a nonprofit, non-governmental organization that operates as a clearinghouse/proxy for federal and state law enforcement with Congressional mandate and federal funding. The new bill is known as the Securing Adolescents From Exploitation Online or SAFE Act, and is not to be confused with the 2003 SAFE Act (Security and Freedom Ensured), the 1997 SAFE Act (Security and Freedom through Encryption), or the 1998 SAFE Act (Safety Advancement For Employees).

February 8, 2007 · 1 min

Schoolteacher convicted on bogus charges due to malware

Connecticut substitute teacher Julie Amero faces up to 40 years in prison for “risk of injury to a minor or impairing the morals of a child” because a seventh-grade classroom computer was infected with malware. While browsing the web for information about hair styles, the browser hit a website that caused pop-up ads for pornographic sites to pop up. Because Amero’s attorney failed to raise the issue of malware, most of a defense expert witness’s testimony was excluded from presentation to the jury, which unanimously voted for conviction. There are so many things wrong here:

* The school district had let its filtering software expire, so the machine didn’t have adequate protection (and was likely unpatched for major vulnerabilities).
* The police did an incompetent investigation, failing to check for malware.
* The police testified, falsely, that Amero would have had to physically click on a pornographic link to get those sites to pop up.
* Amero’s attorney did an incompetent job of defending her, by failing to bring up the critically important issue of malware.
* And the law itself is absurd–Amero shouldn’t get 40 years in prison even if she had intentionally shown pornography to seventh graders.

Lindsay Beyerstein has a good summary of the case at the Huffington Post, including links to the expert testimony that shows conclusively that malware, not Amero, was at fault. P.Z. Myers criticizes the “insane anti-porn hysteria” aspect of the case at Pharyngula.

UPDATE (June 7, 2007): Julie Amero has been granted a retrial! She will get a new trial sometime in 2007.

UPDATE (November 26, 2008): The state of Connecticut has finally decided to drop the charges against Amero.

UPDATE (December 4, 2008): But Amero still loses her teacher’s license! ...

February 4, 2007 · 2 min

More comments on Boston lite brite fiasco

Bruce Schneier has commented on the Aqua Teen Hunger Force nonsense in Boston: Now the police look stupid, but they’re trying really hard not to act humiliated: Governor Deval Patrick told the Associated Press: “It’s a hoax – and it’s not funny.” Unfortunately, it is funny. What isn’t funny is now the Boston government is trying to prosecute the artist and the network instead of owning up to their own stupidity. The police now claim that they were “hoax” explosive devices. I don’t think you can claim they are hoax explosive devices unless they were intended to look like explosive devices, which merely a cursory look at any of them shows that they weren’t. ...

February 2, 2007 · 3 min

Boston completely losing it on Aqua Teen marketing campaign

Boston authorities have now escalated their response to the “Aqua Teen Hunger Force” movie publicity campaign, by arresting two of the men who put up magnetic lights showing the Mooninite characters Ignignokt and Err, on charges of “placing a hoax device in a way that results in panic.” But this is absurd–it wasn’t a “hoax device”–they were lighted pictures of characters from a movie. It was not designed to look like anything remotely dangerous. Massachusetts Attorney General Martha Coakley said, “It had a very sinister appearance. … It had a battery behind it, and wires.” So anything with a battery and wires (like, say, an iPod) is now a threatening, sinister-appearing device? Massachusetts is trying to cover its stupidity with more stupidity. Nine other cities didn’t find this remotely threatening, and nobody saw the ones in Boston as threatening for the first 2-3 weeks they were up. (For photos and my initial report, see here.)

February 1, 2007 · 1 min

Nice airport security game

Here’s a nice flash game that requires you to screen airport passengers on the basis of an ever-changing set of arbitrary rules. (Via Bruce Schneier’s blog.)

February 1, 2007 · 1 min

Marketing campaign for Aqua Teen Hunger Force causes security scare

The strange objects that set off a scare in Boston and caused at least one of them to be blown up were magnetic lights set up by Turner Broadcasting to promote the Aqua Teen Hunger Force movie. They had been in place for weeks before being mistaken for something dangerous and causing authorities to shut down bridges and access into the Charles River. Aqua Teen Hunger Force is a usually entertaining short cartoon that appears on the Cartoon Network’s adult swim. This isn’t the first time that a movie marketing campaign has resulted in this kind of hysterical over-reaction. In April of last year, a device that played the “Mission: Impossible” theme was placed into Los Angeles Times newspaper vending machines. One of the devices in Santa Clarita had exposed wires, was mistaken for a bomb, and the L.A. County Sheriff’s Office arson squad blew it up.

UPDATE: CNN has a photo of one of the Aqua Teen light boards, which depicts the Mooninite named Err (the smaller one), extending his middle finger. (Correction–it’s the bigger one, Ignignokt, in the picture above, though there are some of Err as well.)

UPDATE (February 1, 2007): Here’s how an Associated Press story in the Arizona Republic described these devices: “The exact nature of the objects was not disclosed. But authorities said some looked like circuit boards or had wires hanging from them.” That sounds a lot scarier than the reality, doesn’t it? It conveniently omits the fact that there’s a clear pattern of lights depicting a cartoon character. That article goes on to say “At least some of the devices resemble one of the villains on ‘Aqua Teen,’ part of Cartoon Network’s late-night Adult Swim lineup.” Is there any evidence that any of them did not? Nine of ten cities where these devices were put in place did not have a panicked overreaction, and the one that did waited two to three weeks before jumping into a panic. Had they been actual malicious devices, their reaction would have been too late.
One word of advice for future marketeers: put a label on your devices with a phone number that can be called so you can explain what you’re doing before the authorities blow up your equipment. Here’s another picture of one of the devices in place. ...

January 31, 2007 · 3 min

Skeptical information and security information links sites

I’ve got a couple of websites of hierarchically organized links that I’ve maintained for quite some time, though I haven’t really worked on them much lately. I currently get more spam link submissions than genuine link submissions to each, so I’d like to request contributions of legitimate entries. One is my skeptical links site, which is fairly extensive, especially on a few topics such as Scientology, creationism, the websites of skeptical groups, and critiques of organized skepticism. The other is my security links site, which is much less extensive, but still has some useful links, mostly on security and hacking tools and security standards. Contributions are welcome–just go to the appropriate area and click the “add a site” link at the top of the page. ...

January 24, 2007 · 1 min

Tidbits from the Economist

During my long plane flights this week, I used some of my time to catch up on reading back issues of The Economist. Here were a few of the stories I found particularly interesting in the January 6-12, 2007 issue: “Medicine at the Top of the World” (p. 65): LYING in an intensive-care ward is a world away from climbing Everest, but a connection will be drawn this spring when 45 scientists and 208 volunteers tackle the mountain to bring back information about oxygen deprivation. The reason they are going is that hypoxia (a lack of oxygen in cells, which can lead to death) is the one thing that links practically all patients in intensive-care wards—and there is no better place to study it than in the thin air of the world’s highest mountain. The story describes the Xtreme Everest expedition, which will take 250 people up Mount Everest, setting up mobile labs at various elevations to study hypoxia. The volunteers will climb up to 5,300 meters, and 16 climber-scientists will ascend to the summit to become the first to have blood drawn at the top of the world’s tallest mountain. The research will be used to try to identify the genetic basis of people’s ability to handle hypoxia, which couldn’t easily be conducted on patients in intensive care due to not having enough of them in one place at the right time. “The logic of privacy” (pp. 65-66): ...

January 21, 2007 · 3 min

My bank is on the ball

I got a call from the fraud department of my bank this morning, asking me whether I had used my debit card this morning at The Sports Basement in San Francisco for a $71.00 charge. I said that I hadn’t, and they said there was a debit prenotification, which they’ve seen as a prelude to withdrawals from around the globe using cloned cards or electronic access to accounts. They had already blocked further use of my card information, and under my banking agreement I would not be liable for any loss in any case. When I asked how my information got out, they indicated that they believe the miscreants are just using brute force–changing numbers based on a known card to find new valid card numbers. The only alternative I could see based on my card habits would be if I inadvertently used an ATM with a skimmer attached to the front of it somewhere or fell victim to an ATM with a tapped phone line connection. I rarely use ATMs these days; this may provide me with some incentive to do so even less frequently.

January 6, 2007 · 1 min

More reasons why checking IDs doesn't enhance airport security

Via Bruce Schneier’s blog:

Historical Comments

AlisonM (2006-12-23): Funny, and yet scary at the same time. . .

December 22, 2006 · 1 min