Standard Mischief

Archive for October, 2006

Bandwidth thief

Just in case you are easily amused, here’s the latest roundup of bandwidth thieves.

The standard mischief in this case is to swap the picture on your server, renaming the original and changing your links to point to the new picture’s name. Rob does a pretty good demo of the prank. One of the finer points about the trick is to change the date of the file that you are going to substitute to something that’s earlier than the original picture. That way the original thief keeps reloading the original picture from his cache, instead of your substitute. This keeps the prank a secret from the thief for longer, but new site visitors get the prank image. Unfortunately I wasted an enormous amount of time last night trying to do just that. On my end, changing the date is pretty straightforward, but even when I had the settings correct on my FTP program, my hosting provider changes the date upon upload.

If you want to do this automatically, there’s always the .htaccess trick.

Anyway, here are the examples. At least one of these ought to still be working, but as of today, all of them do. (They should all be pretty much safe for work. My standard substitute image is text only, with one cuss word.)

http://www.friendster.com/15332091

http://www.spritz.it/blog/

http://ar15.com/forums/

http://artinheart.org/


myspace.com

militaryphotos.net

2006-10-31 10:38 by Standard Mischief, Filed under:don't try this at home     No Comments

Do not mess with the TSA’s “security theater”

Yesterday’s blog entry covered a webpage that allows anyone to create a boarding pass good enough to get past the initial TSA screening. It was created by Christopher Soghoian as an example of how the TSA at the airport is enacting “security theater”, instead of real security. Chris also points out that anyone who receives their pass via email, could just edit that instead; which is only a slightly harder trick to pull off.

At least one congress-critter was not amused.

According to ABC news:

“The Bush administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane,” wrote Rep. Edward Markey, D-Mass., a senior member of the Committee on Homeland Security, in a statement.

However, Christopher points out that the exploit is not a new one. In fact, congress-critter Senator Schumer (D-NY) published nearly the same exploit in a February 2005 press release. Chris says, “Perhaps he’ll be my cell-mate.”

I’ve been unable to google up a response from Senator Chucky, which is strange because it is oft repeated that the most dangerous place in DC is in between Charles Schumer and a camera.

Just for fun, I’ll point out that Rep. Markey isn’t above squealing about border security himself. This document shows security shortcomings in our Nation’s ports. What if teh Terrorists got ahold of it?

The bottom line is that “security theater” isn’t about real security, it’s about projecting an image that we are actually “doing something”, whether or not those things make us safer or not.

Build a security fence, sufficiently staff the border, have real security at the airport and lay off those people with nail clippers and clear plastic baggies of shampoo.

Latest word: Christopher reports that the FBI is at his door.

2006-10-27 20:00 by Standard Mischief, Filed under:deranged rants     1 Comment

Spoof yourself a boarding pass!

Yup, seems Chris Soghoian has made something that lets anyone generate a fake boarding pass, a pass that should allow you access through the secure area and right up to the gate. (Update: looks like Chris has a blog too)

It’s not really a feat of HTML wizardry by itself, but the idea is brilliant.

This is a picture of a piece of a spoofed boarding pass

It’s useful for:


1. To meet your elderly grandparents at the gate
2. To ‘upgrade’ yourself once on the airplane - by printing another boarding pass for a ticket you’ve already purchased, only this time, in Business Class.
3. Just to demonstrate that the TSA Boarding Pass/ID check is useless.

I, of course, love it. There’s also some tips to circumvent teh “No Fly” list, (although I can’t personally vouch for them). This might be useful because an innocent party who has their name on the “No Fly” list usually enjoys a steady diet of extra scrutiny. There seems to be no way to appeal the fact that you are on said list, and I understand the very best you can do is apply and get a TSA “I’m not a terrorist” super secret ID card. However, it seems that even with that ID card, you can’t check-in online or by using a kiosk, you still need to check in in person. (Thanks for the tip, Paul)

Update: I took a second look at the boarding pass code and found that the barcode is a static picture, and is not generated on the fly. So this likely won’t pass a barcode scanner test. Just FYI. Chris says the TSA check is just to see that whatever you printed out matches what your government issued ID says, and they don’t do a barcode check at that spot.

Update 2: Slate, from last year.

Finally, I’d like to point you to Scott Adams’ Blog, where he discusses a recent trip through security.

[Boarding pass tip via Feministe.us]

2006-10-26 21:00 by Standard Mischief, Filed under:don't try this at home     1 Comment

Huge security flaw in the new RFID spychip credit cards

Is anyone really surprised?

My main complaint about these cards is that they are promiscuous (meaning they “sound off” to any reader within range) and they are silent (meaning, they do not inform the owner with a beep or something when they are being accessed). Besides that, researchers have now discovered that beyond being promiscuous, these new “contactless smart cards” sound off indiscriminately with the owners’ plaintext name, credit card number, and expiration date.

New York Times:

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”
But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.

The credit card issuing companies, of course, say the threat is unrealistic.

Companies that make and issue the cards argue that what looks shocking in the lab could not lead to widespread abuse in the real world, and that additional data protection and antifraud measures in the payment system protect consumers from end to end.
“This is an interesting technical exercise,” said Brian Triplett, senior vice president for emerging-product development for Visa, “but as a real threat to a consumer - that threat really doesn’t exist.”

And:

Though information on the cards may be transmitted in plain text, the company representatives argued, the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.

What he’s saying is that after the credit card is placed near the reader, and the plaintext is transferred, there’s an additional challenge and response exchange going on to prove that the card is indeed genuine. However, if the key bits of info (name, CC number, and expiration) fall into nefarious hands, they can use that data to order stuff online, or encode that data on a standard magnetic strip and use it at a regular terminal.

“It’s the classic ‘Let’s depend on security through obscurity - who’s going to look?’ ” he said. “Then, whoops! As soon as somebody does look, you roll out the security.”

There’s tremendous inertia in the industry to use the RFID system, and I’m not entirely sure why. My best guess is that with the contactless promiscuous RFID cards they can snoop in on you, recording whenever a customer enters the store, how long they spend shopping, what displays they linger over, and how often a consumer buys something, even if they pay cash.

All these benefits are lost if they adopt the other type of smartcard, (the one with little gold contacts, widely rolled out in Europe) such as the Amex Blue, because this kind of card only squeals your most personal information when card “A” is inserted into slot “B”.

[Thanks Claire]

2006-10-24 09:55 by Standard Mischief, Filed under:deranged rants     No Comments

Non-executive non-order

I was talking with my friend the other day, and the conversation went around to his place of work, a gun store, and specifically a small sign I had noticed. The sign said something like “no cellphones allowed”.

I, like everyone else, thought that was in place for the usual polite reasons, but the real reason is actually a bit more interesting. It seems gun stores up around Baltimore, Maryland were getting cased by thugs, and their preferred method was to scope out the shop by taking a bunch of cellphone pictures. Hence the ban.

Now this is wacky on so many levels. The first thing I asked is if the shop banned cameras in PDAs, or belt buckle cameras, or wireless X-10 cameras hidden in purses or bags, and my friend shot back that the ban was not in place because of the management, but because of the *cough* “request” of the state police.

Okay, let’s work our way through this. It isn’t a state law. It isn’t a federal law. It isn’t the opinion of the Tobacco Ninjas, dutifully coded in the federal register as BATFE regulations (with the force of law after the prescribed waiting period.) It isn’t an equally constitutionally questionable executive order from el Presidente of the United States of America. Nor is it some screed signed off by Maryland Governor Bob Ehrlich.

If I’m getting my story straight from my source, this isn’t even a polite request by officer friendly of the Maryland state police. Apparently some thug from the government decided that banning all cellphones was an effective method of thwarting crime against gun stores and instead of every other legitimate and non-legitimate (but still commonly used) method of creating yet another onerous requirement that must be followed by the merchant, they just issued a memo. Great.

And I suppose that because this isn’t anything near a legitimate law with prescribed penalties, the only way the troopers can force compliance would be through threats, intimidation, and selective enforcement.

Maryland had a 7-day waiting period long before the feds did. The actual text of the law stated that if the dealer did not hear back from the police with a yay/nay within the prescribed time, it was OK to release the firearm. However, because of wholly inappropriate police pressure, many FFL holders had a policy to not release anything until they got the OK, even if it took forever. One of my approvals took almost a month. For that privilege, I wrote a check to the state police to have them investigate me. I didn’t even get a refund after my good name came back clear (like Mr. Buttle did in the movie Brazil).

I’d like to meet this person at the state police who creates new powers out of thin air. Are we a nation of laws or of men?

2006-10-22 10:23 by Standard Mischief, Filed under:deranged rants     No Comments
