Now’s the time to switch to Firefox

A serious security flaw has been found in Internet Explorer – no big surprise there. But this one really IS serious – it was found by attackers before it was found by Microsoft. So exploits are already out there “in the wild.” (This BBC News story has more details.)

The worst part of it is that you could be hit by this exploit just by visiting a “normal” site that’s been infected – being vigilant isn’t enough anymore.

“In this case, hackers found the hole before Microsoft did,” said Rick Ferguson, senior security advisor at Trend Micro. “This is never a good thing.”

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.

“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.”

Said Mr Ferguson: “If users can find an alternative browser, then that’s good mitigation against the threat.”

The flaw affects even IE7, the latest (released) version of Internet Explorer – so this isn’t just a flaw in older versions of the program.

So if you’ve been dragging your feet over changing to a different browser, now’s a better time than ever to switch! I’d recommend Firefox, but any alternate browser (such as Opera, Apple’s Safari, or Google’s Chrome) would do to keep you safe.

UPDATE (12/18/2008): Microsoft released a fix for this yesterday – it’s available through the normal Windows Update. Just be aware that you’ll have to reboot your computer (which seems silly for a fix to your browser, but that’s an argument for another day).

The TSA’s Photo ID Rules are Useless

The rules that the TSA has rolled out regarding photo IDs and their requirements for getting onto passenger airplanes are useless. In fact, you could argue that they are worse than useless, since they create a false sense of security – and they cost us a lot of money (both directly and indirectly).

But don’t just take my word for it – Bruce Schneier thinks so, too:

…[T]he photo ID requirement is a joke. Anyone on the no-fly list can easily fly whenever he wants. Even worse, the whole concept of matching passenger names against a list of bad guys has negligible security value.

The bottom line is, the no-fly list – and the photo ID rules that go with it – are worthless. It’s all just for show – full of sound and fury, signifying nothing. Why people still think it’s a good idea – or worse, that it should be expanded – continues to confound me.

The no-fly list is a Kafkaesque nightmare for the thousands of innocent Americans who are harassed and detained every time they fly. Put on the list by unidentified government officials, they can’t get off. They can’t challenge the TSA about their status or prove their innocence. (The U.S. 9th Circuit Court of Appeals decided this month that no-fly passengers can sue the FBI, but that strategy hasn’t been tried yet.)

But even if these lists were complete and accurate, they wouldn’t work. Timothy McVeigh, the Unabomber, the D.C. snipers, the London subway bombers and most of the 9/11 terrorists weren’t on any list before they committed their terrorist acts. And if a terrorist wants to know if he’s on a list, the TSA has approved a convenient, $100 service that allows him to figure it out: the Clear program, which issues IDs to “trusted travelers” to speed them through security lines. Just apply for a Clear card; if you get one, you’re not on the list.

In the end, the photo ID requirement is based on the myth that we can somehow correlate identity with intent. We can’t. And instead of wasting money trying, we would be far safer as a nation if we invested in intelligence, investigation and emergency response — security measures that aren’t based on a guess about a terrorist target or tactic.

That’s the TSA: Not doing the right things. Not even doing right the things it does.

Maybe we should rename the TSA from the “Transportation Security Agency” to the FGSA – the “Feel Good Security Agency.” Or maybe the SBA – the “Security Blanket Agency.” Because almost everything they do is just to make us “feel better” about security, rather than actually making us more secure.

Feeling secure and actually being secure are two VERY different things. The problem is that feeling secure is easy to wave around come election time. Actually being secure is a bit harder to brag about on the campaign trail.

Sad, but true.

Microchip (RFID) Passport Cloned

In case there was any doubt that this whole digital passport / RFID passport thing was never about security (via Slashdot):

“New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: ‘A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'”

Once again demonstrating that there is absolutely no reason to have RFID in our passports and that it does not in any way make us more safe or secure.

So let’s just drop the whole idea, huh? My passport’s due for renewal soon – and I do NOT want to get one with a chip in it.

Repeat after me:

  • RFID passports do not make us any safer.
  • RFID passports are not really any harder to counterfeit.
  • RFID passports are not inherently more secure.
  • RFID passports are a bad idea.

Repeat that 600 more times. Then write it down 600 times. Then mail it to your representatives (all of them).

Well? What are you waiting for? Get to it!

TSA – Too much power, too little accountability

This article from “Ask the Pilot” by Patrick Smith is well worth reading. It recounts a pilot’s run-in with TSA screeners.

Let me give you just one little snippet:

“Ma’am, that’s an airline knife. It’s the knife they give you on the plane.”

You can probably imagine where this is headed.

There are a number of other very good articles on that site as well – be sure to check them out.

The Quixotic Quest for Invulnerability

Schneier on Security: Homeland Security Cost-Benefit Analysis.

A very worthwhile read – basically:

The premises:

  1. The number of potential terrorist targets is essentially infinite.
  2. The probability that any individual target will be attacked is essentially zero.
  3. If one potential target happens to enjoy a degree of protection, the agile terrorist usually can readily move on to another one.
  4. Most targets are “vulnerable” in that it is not very difficult to damage them, but invulnerable in that they can be rebuilt in fairly short order and at tolerable expense.
  5. It is essentially impossible to make a very wide variety of potential terrorist targets invulnerable except by completely closing them down.

The policy implications:

  1. Any protective policy should be compared to a “null case”: do nothing, and use the money saved to rebuild and to compensate any victims.
  2. Abandon any effort to imagine a terrorist target list.
  3. Consider negative effects of protection measures: not only direct cost, but inconvenience, enhancement of fear, negative economic impacts, reduction of liberties.
  4. Consider the opportunity costs, the tradeoffs, of protection measures.

There’s nothing new here – this is all common sense stuff, really. This paper just backs it up with research and evidence. Now, if we could just get our leaders to ACT on it, instead of their current tactic of fear-mongering and ass-covering, we’d all be a lot better off.