Thanksgiving is upon us and as I reflect upon all of the things in my life I have to be thankful for, one thing is certain, Life is Good.  Sure, there are things that could be better, but when put into perspective I really don’t have much to complain about.  There are people out there with no jobs this holiday season, trying to provide for their families.  There are people who don’t know where their next meal will come from.  There are people, brave men and women, who are overseas fighting for our country who will not see their families and are just trying to make it home in one piece.  I could go on and on with the examples of people who have hardships, more hardships than myself, but let’s stop there.  So where am I going with this feel-good story?  I am going to the topic that no one can seem to avoid right now, the TSA.

Whether I am on Facebook, Twitter, blogs, around the water cooler, listening to the radio or watching the nightly news I can not seem to escape people bitching about the TSA.  I know this is not going to be a popular sentiment with the readers of my blog, or most of my friends: STFU about the TSA and in particular the TSA Agents.  I get that people don’t like being touched.  I get that people don’t like being seen “naked”.  You have options though, drive or take the train.  Do I think the TSA has gone too far?  To some extent yes, but on the other hand, whether you agree or disagree the goal is to keep us safe.  I’m not going to make this post about whether or not the new procedures are actually helping to keep us safe.  That is a battle for another day.  What I am going to make this post about is how all your bitching, whining, and harassment toward the TSA agents is misdirected.

If you didn’t like a movie that was playing at theaters across the country, would you harass the person selling tickets to the movie?  You know, the kid behind the counter who sells the actual tickets for 8 hours per day, do you harass him?  I hope not.  He is just doing his job.  Whether he agrees with the theater’s choice of showing the movie or not he is trained to stand there and collect money for tickets.  He does it or he loses his job.  I look at TSA Agents the same way, they are doing their jobs.  Don’t like that comparison, ok here is another one.

Do you agree with the war in Iraq?  If the answer is no, do you then harass soldiers when you see them?  What about veterans, do you harass them?  If you do, then you deserve a punch in the face…twice.  You should be thanking them for their service.  You should be picking up their tab at the bar.  You should be glad they are out there doing what we can’t or won’t.  At the end of the day though, these men and women are out there doing their jobs (though a very dangerous one).  Whether or not you agree with the policy that puts them there doesn’t change the fact that they are serving our country and doing what is asked of them.  While I do not put TSA Agents on par with soldiers, I think their goals are the same, to keep people safe.  They are being asked to keep the skies safe by screening thousands of people per day who pass by them.  For the most part, they encounter normal people just trying to get from point A to point B.  Now what about that one passenger who isn’t trying to get from point A to point B?  Would you want the pressure of finding that one in 10 million passenger whose agenda is to hijack the plane, or worse…blow it up?  I wouldn’t.  There is a lot of pressure that goes along with that job, so for travelers to say TSA agents “take their job too seriously” I’m not sure they understand what it is they are actually tasked with doing.

Let’s say the TSA agent doesn’t do his job and let’s say he lets someone through who later blows up a plane.  Imagine the backlash from the American public.  Because one guy was not screened thoroughly enough things can be turned upside down.  One could argue that is how we got to where we are today.  What about the agent?  His life will be turned upside down as well, as will every TSA agent currently employed.  It is a thankless job, and it just got a lot harder because now you are harassing these guys and gals.  You refuse to get scanned, then you threaten them about giving you a pat down, then you video tape it, post it on YouTube, and post to Facebook or Twitter for all the world to see.  Thankless doesn’t even describe the position.  For the record, yes there are some TSA Agents who step over their boundaries, but that is true in every profession from cops, to firefighters, to IT folks.  There are always going to be some bad apples.

So I leave you with this:  If you don’t like the policies and want to see them changed, write to your representatives and offer up suggestions on making the policies better but let the TSA Agents do their job and while you are at it thank them for putting up with us.  They want to get in their hours, get home to their families, and collect a pay check like the rest of us.

Hope everyone has a safe and happy Thanksgiving.

–DanO

 


Once again I made the annual pilgrimage to Las Vegas for BlackHat and Defcon.  As expected it was another great week spent attending interesting talks and hanging out with some of my favorite people…doesn’t get much better than that.  My last day in Vegas somehow got me roped into a fitness challenge, sadly I can’t use alcohol as an excuse.  My buddy Ward decided we should have a little competition to see who can get in better shape for BlackHat 2011.  I’m not one to back away from a challenge so it’s on!  This is going to spread into more of an open challenge for all, but my goal is really just to beat Ward.  Good luck buddy, you are going to need it.

I really wanted to get this post out last night but for various reasons it didn’t happen.  Since a day late is better than nothing, here it goes.  Yesterday Kaspersky announced that the First SMS Trojan for Android has been found in the wild.  Usually this is not something that I would blog about, SMS for profit on a mobile device is nothing new.  What I think stands out though is how much easier Android makes this type of attack.  There are very few controls in place to prevent users from installing anything they want, good or bad.  This is kind of the point of Android but I see it as a flaw in the current implementation.  I decided to re-tweet this announcement from Kaspersky and it raised some questions over why I and the security industry make a big deal out of these things.  I get where that attitude comes from, really I do.  From a technical standpoint it isn’t impressive, new, or surprising.  In Vegas, between BlackHat and Defcon, there were a lot of sessions related to Android, so it is expected that there would be malware out there.  However, from a general awareness standpoint, I think it is a valid story.  So why do I think it is valid from an awareness standpoint if it is expected?  Expected by a security or tech guy is different than expected by the masses.  My non-techie friends have no idea this kind of stuff is possible unless I tell them or they see it on the news.  Taking that up a notch, I often have discussions about security risks with CxO folks who after the explanation ask “Has it happened?” They want real life examples.  I can talk until I am blue in the face about something that was demonstrated onstage at Defcon or in my lab, but until it happens to someone in the real world and it gets press, it is as if it can’t/won’t happen.  Mobile devices are still looked at simply as cell phones by many, but they are much more.

Now, I’ll admit that this is not something people should freak out about and vendors are going to milk this to try and profit (what else is new).  As I mentioned before, malware for a phone that allows someone to initiate SMS messages and profit from it isn’t new.  As an individual the worst that can happen is you get a big bill and then have the hassle of disputing the charges.  You would probably call Verizon and tell them you didn’t send those text messages, they would work something out and you would not pay the full amount.  Now if the malware was smart, it would only initiate a few messages per month and hide on the phone, therefore not raising the eyebrows of most users.  Would you notice a few extra dollars on your personal mobile account or family plan?  What about companies that have corporate plans for employee phones?  They have hundreds if not thousands of phones.  The likelihood of a few premium text messages being caught is low.  I know that at our small company with less than 100 mobile lines that are paid for by the company the finance department would never notice an extra $5-$10 per line each month.  It was pointed out that premium SMS isn’t really bad like giving away company secrets, so why are we talking so much about it?

My argument to that is the SMS vector is the quick hit for profit and just the tip of the iceberg.  It takes much less effort by an attacker to write code that will send a text and instantly make money than to invest the time to write much more complicated spy software, grab the data, look for company secrets, and then try to profit from it (more risk too).  That doesn’t mean it can’t be done right, it just isn’t being done yet.  There are a few companies selling this type of spy software today (Flexispy, MobiStealth, and Mobile-Spy to name a few), so it exists.  It requires you to have access to the phone as after installing the application you need to activate and configure it but it will log location data, sms messages, email messages, call logs (some record actual calls).  Sure, turning that into a piece of malware that self activates and configures is more work but I don’t think it is far off.

Make no mistake, I do not think installing an agent from Kaspersky, McAfee, Sophos, Symantec etc. is the answer.  It isn’t the answer on desktops and it will not be the answer on Android and other mobile devices.  We need to treat these mobile devices more like a computer and less like a phone.  A lot of the same protections we use on the laptop/desktop side should carry over, for example:

1.  Better protection for users.  That may take away some of the functionality but have a user mode and admin mode.  Just as you don’t need to run everything as root, users don’t need complete admin access to their mobile device at all times.
2.  Better controls for corporate IT departments.  Allow them to push policies for what can be installed and what can be accessed on the device.
3.  More user awareness is needed.  Many Android users do not understand that the device is really a mini computer that allows them to text and place calls.  They look at it like a cell phone with cool features.  They need to change how they think of the device.
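
The corporate-plan scenario above (a few dollars of premium SMS per line each month) can be checked for on the billing side. The following is an added example, not part of the original post: it assumes a hypothetical CSV export of premium-SMS line items and compares a per-line dollar threshold, which stays silent, with a fleet-wide check that looks for the same short code billed on several lines.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of premium-SMS line items from a corporate carrier bill.
# Phone lines, short codes and amounts are made up for illustration.
SAMPLE_BILL = """month,line,short_code,charge
2010-07,555-0101,90001,4.99
2010-07,555-0102,90001,4.99
2010-07,555-0103,90001,9.98
2010-07,555-0104,90002,0.99
2010-08,555-0101,90001,4.99
2010-08,555-0102,90001,4.99
2010-08,555-0105,90001,4.99
2010-08,555-0104,90003,1.99
"""


def load_items(text):
    """Parse the CSV into (month, line, short_code, cents) tuples."""
    return [(r["month"], r["line"], r["short_code"], round(float(r["charge"]) * 100))
            for r in csv.DictReader(io.StringIO(text))]


def per_line_alerts(items, threshold_cents=2000):
    """Naive check: flag a line only if its premium charges in a month exceed the threshold."""
    totals = defaultdict(int)
    for month, line, _code, cents in items:
        totals[(month, line)] += cents
    return sorted(key for key, total in totals.items() if total > threshold_cents)


def fleet_alerts(items, min_lines=3):
    """Flag short codes billed on at least min_lines distinct lines across the account."""
    lines, months, total = defaultdict(set), defaultdict(set), defaultdict(int)
    for month, line, code, cents in items:
        lines[code].add(line)
        months[code].add(month)
        total[code] += cents
    return {code: {"lines": len(lines[code]), "months": len(months[code]),
                   "total_cents": total[code]}
            for code in sorted(lines) if len(lines[code]) >= min_lines}


if __name__ == "__main__":
    items = load_items(SAMPLE_BILL)
    print("per-line alerts:", per_line_alerts(items))
    print("fleet alerts:", fleet_alerts(items))
```

On the constructed data no single line crosses the $20 threshold, while the fleet view surfaces one short code charged on four different lines over two months.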

Interested to hear what others think.

–DanO


Do you remember the days when you would call technical support and actually get someone knowledgeable on the phone who could help you resolve a problem?  I remember a time when this was true, or maybe I just want to remember it that way…kind of like remembering how I used to walk to school, uphill, both ways, in the snow…..barefoot.  My latest support nightmare revolved around trying to get an IP security camera configured.  I took it out of the box, followed the directions….nothing.  I then verified via the DHCP server that it was grabbing an address and it was…good news.   Tried using the software that came with the camera to access it once again….nothing.  Tried accessing the web interface…nothing.  Port scanned the device…nothing.  Power cycle and repeat…nothing.  Break out the paper clip and reset the device…nothing.

Seems like the web server built into the camera is defective, but maybe, just maybe there is some secret piece I am missing.  The call to tech support begins.

Starts out simple enough, give out my name, email address, camera model, and serial number.  The woman, who has a heavy accent (India if I had to guess) is having a hard time understanding me as I spell out the information.  I explain the problem and what steps I have taken to troubleshoot the problem.

Her:  Did you install the software?
Me:  Yes
Her:  Did you search for the camera?
Me: Yes
Her:  Did it find the camera?
Me:  No, that is why I am calling you.
Her:  Is the camera powered on?
Me: Umm…yes it is powered on.
Her: Is it connected to your network?
Me:  Yes
Her:  With a cable?
Me:  Yes with a cable…it is blue in case that matters.
Her:  Let’s uninstall and reinstall the software.
Me:  I already did that.  It didn’t make a difference.
Her:  Let me know when the software is uninstalled.
Me:  I already uninstalled and reinstalled, it didn’t make a difference.

Silence for about a minute.

Me:  Hello
Her:  Is the software uninstalled yet?
Me: ummm…sure…I mean yes, yes it is.
Her:  Ok please put the CD in and install the software again.
Me:  Reinstalled….same problem.
Her:  That was fast, what software did you install?
Me:  My computer is super fast.  I installed the config software.

At this point she has me repeat the search process using the software.  Still no dice.  I explain that I know it has an IP address on the network.

Me:  Is there a way to configure this camera without using the software?
Her:  Let’s reinstall the software again.
Me:  Do we have to use this software for the initial config or is there a special admin page we can connect to on the device?
Her:  Let’s do a reset of the device while you reinstall the software.
Me:  DO I NEED TO USE THIS SHITTY SOFTWARE TO CONFIGURE THIS DEVICE?
Her:  Yes, the software is required for initial setup.

30 minutes later after rebooting, resetting, changing cables

Her:  Ok, the software is not working.  Let’s configure this manually.
Me:  You mean configure without using the shitty software?
Her:  Yes, please open Internet Explorer and type…
Me:  Grrrr…..

That didn’t work either.

Her:  What do you see for lights on the device?
Me:  I see a solid orange light.
Her:  Do you see a green light?
Me:  No, I see an orange light.
Her:  Is there a green flashing light?
Me:  All I see is a single light.  It is ORANGE, not GREEN, and it is not flashing it is solid.
Her:  Please unplug the power to the device, I will tell you when to plug it back in.
Me:  Ok
Her:  Did you unplug it?
Me:  Yes
Her:  Did you plug it back in?
Me:  No, I was waiting for you to tell me when to plug it back in.
Her:  Good
(wait 20 seconds)
Her:  Did you plug it back in yet?
Me:  Still waiting for you to tell me.
Her: Good
(wait 30 seconds)
Me:  Do you want me to plug this in yet?
Her:  Oh yes, please plug it in now.

The device goes through its boot process and when it settles down.

Her:  What do you see for lights?
Me:  I still only see an orange light.
Her:  Do you see a green light?
Me:  I only see an orange light.
Her:  Is the green light solid or flashing?
Me:  OMG

In the end I just told her to give me the case number and I would get a new camera because as much fun as this phone call has been I can’t take it anymore.

New camera arrived yesterday and appears to be working just fine….for now.


How a company can release a product as high profile as the iPhone and not realize there is a major flaw with the antenna design is beyond me.  But I received word today that there is another flaw, not just with the new iPhone, but with iOS4 that can wreak havoc on Exchange servers.

Apparently iOS4 can somehow make your Exchange server stop accepting MAPI sessions from Outlook clients.  Apple is aware of the problem and has released a configuration profile that you need to install on the iPhone.  This is sure to be a pain in the ass for Exchange Admins as employees buy their own iPhones or update their 3G(s) iPhones with the new OS.  Way to go Apple!

Note:  If your Exchange server stops accepting MAPI sessions and you can not get the problem iPhone updated, disabling ActiveSync for the user at the Exchange level should open up MAPI again.


I want to get feedback from folks on this, so comment away.  Over the past six months I have been working with companies going over pros and cons of moving their most critical service(s) off to the “cloud”.  I’m not going to get into the upside and downside here, because it is different for every service and every company.  A concern that has come up with the security folks involved is focused around their reputation and credibility.

One side of the argument is that their reputation is on the line regardless of where the data lives.  They are responsible whether it lives in-house or not.  With that line of thinking they are much more comfortable keeping the data in-house where they can monitor and manage it and everything around it.  Moving their data off to a Google Apps account for example, where they are limited in what they can implement for security policy and monitoring is next to nothing, makes them very anxious.  They do not want their credibility as a security professional riding on Google.

The alternate argument is that by having the data in-house there are unrealistic expectations put on their ability to keep the data safe.  Nothing is 100% secure and therefore it is just a matter of time until it gets breached at which point they will lose a lot of credibility.  Moving it offsite, let’s pick on Google again, seems like a great idea because if there is a breach they can stand back and say “Not my fault” because securing that data is no longer their responsibility.  The obvious thought there is that they can not be blamed for someone else’s mistake or lack of control.

Camp1 thinks that they are getting thrown under the bus the first time Google has a breach.  Camp2 thinks they will be driving the bus over Google when the SHTF.

I’ll save my thoughts on this until after people comment.  What do you think?

–DanO



