
Tuesday, August 7, 2012

Full body scan - shield or show?

Semi-Originally posted 06/14/2011 on lubbockonline.com

Due to technical problems, this is a repost from January 4, 2010

Full body scans in airports - they're getting a lot of attention again, both for and against. One blog feels that just by agreeing to fly we are consenting to scanning. Another story on Canada.com agrees. It asks the seemingly reasonable question, "Do we need to see hundreds or thousands killed for the privacy objectors to back off?"

Privacy groups are against the full body scanners, saying they are invasive and demeaning. Flyersrights.org and the ACLU are both against the scanners. In a release on its website the ACLU says:

"We should be focusing on evidence-based, targeted and narrowly tailored investigations based on individualized suspicion, which would be both more consistent with our values and more effective than diverting resources to a system of mass suspicion," said Michael German, national security policy counsel with the ACLU Washington Legislative Office and a former FBI agent. "Overbroad policies such as racial profiling and invasive body scanning for all travelers not only violate our rights and values, they also waste valuable resources and divert attention from real threats."

I have to admit, I lean more toward the ACLU position. Yes, I know that a full body scan might have caught the explosive in the bomber's undies - although there are claims that the bomb would have made it through a scanner. But that isn't really the issue. The issue is that we don't need to add any new security measures, we need to properly use the ones we have.

I can't say it enough. The system is broken. People are saying, "We need full body scans to keep anyone else from getting through." No, we need to start making full use of the intel we're gathering. Bush dropped the ball when he didn't follow through on his order that the U.S. intelligence agencies, FBI, CIA, NSA, etc. share information, and Obama is following his example.

The point in this is not that a scanner would have stopped this guy before he could turn himself into a eunuch. It is that he should never have made it to the point where he would have to go through a scanner. We had more than enough info to forbid this guy to get on a plane. He was on a watch list, then his father notified the U.S. Embassy that he had been radicalized and might do something dangerous. That would have put him in a "watch very closely" list for me. Not for the U.S. government. According to examiner.com:

"On November 20th the embassy sent a "Visas Viper cable" to the State Department which detailed the father's warning. The information was then given to the Counter-Terrorism Center in Washington D.C. which ruled that there was insufficient information present to revoke Mutallab's visa."

While people are screaming for more measures to limit our freedoms and take away our rights, the real problem is that the information we are gathering has everything we need to stop these terrorists, if we would only use it. Putting scanners in the mix will not make us safer, it will only be one more layer of false security.

No matter what methods we devise to detect explosives at the airport, our first and best line of defense will always be gathering data to stop terrorists before they can get a ticket. And the evidence shows we're doing a good job of gathering it, we just aren't using what we're getting.

Monday, May 10, 2010

More Homeland (in)Security

In a report on Yahoo News, EILEEN SULLIVAN and MATT APUZZO of the Associated Press tell us why Faisal Shahzad was almost able to leave the country by plane after his alleged failed bombing attempt. It's a sad statement that just four months after dumb luck kept the crotchbomber from blowing himself and his fellow passengers out of the sky in a plane he shouldn't have been able to board, dumb luck again prevents a terrorist wannabe from igniting his bomb - and in this instance, escaping by boarding a plane he should never have been able to board.

This sad statement on U.S. security reminded me of an almost 4 year old blog post by Bruce Schneier on the arrests in July, 2006 of terrorists reportedly hoping to set off a so-called "binary explosive" - something apparently extremely difficult to do. Regardless of the likelihood of that scenario, Mr. Schneier makes some very good points:

"None of the airplane security measures implemented because of 9/11 -- no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews -- had anything to do with last week's arrests. And they wouldn't have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn't have made a difference, either.

Instead, the arrests are a victory for old-fashioned intelligence and investigation. Details are still secret, but police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot."


Last Christmas's intelligence fiasco points out the same thing. In 2001 we had a massive intelligence failure - all the pieces were there, but inter-agency, even intra-agency, rivalry prevented all the pieces being gathered from being put together. In December 2009 all the pieces were there, but were ignored, or not communicated in a timely manner. In the two incidents of the last 6 months the terrorist boarded an international flight despite being on the no-fly list. All of this shows that we don't need more ways for the government to monitor and spy on us. Adding new ways to gather information so it can be misused - or not used at all - is not an answer. We need to make proper use of the methods we already have in place. Then we can know what is working and what needs changing.

Monday, April 12, 2010

Surveillance law needs updating

Scott M. Fulton, III, managing editor of betanews.com, wrote an in-depth article on technewsworld.com about the need to update the Electronic Communications Privacy Act (ECPA), an ancient (in technology terms) law that sought to update the code covering telephone communications so that it also covered computer communications. But it was written in 1986, almost a quarter of a century ago. Computer communications now are radically different than they were then. In 1986 most computer communications were between universities, government agencies and government contractors. Today the communication between those three segments is a fraction of the communications between private companies and citizens.

The Digital Due Process (DDP) group, led by the Center for Democracy and Technology, has defined some principles for Congress to take into consideration when they look at updating the ECPA. The goal is to get internet communications the same protection given to wiretapped telecommunications. This isn't the first time that the DDP has tried to influence policy, but this time they've enlisted two of the more visible companies in recent privacy discussions, Microsoft and Google. Their involvement should put some weight behind the DDP's suggested principles.

Internet communications are in dire need of legislative protection. Despite recent court rulings, just how protected online communications such as email are is uncertain. And with more of individuals' critical data being stored online or in third party cloud services, the current laws and precedents make the Fourth Amendment moot. By use of the Third Party Doctrine law enforcement can deny Fourth Amendment protections to anything you store online. That includes email, financial data (if you access your bank account online...) and even your Dropbox account.

Check out Mr. Fulton's article to learn a lot more about this issue. I've only touched the surface of what he covers. Before I finish, I want to include one quote to emphasize how important it is that current laws be updated, and the standard of how much privacy protection is afforded online data be updated:
"The Supreme Court has said that you can issue a subpoena -- not because you believe the law is being violated, but merely to assure yourself that the law is not being violated." Jim Dempsey, CDT Vice President for Public Policy

I don't know about you, but to me that sounds a lot like assuming guilt without evidence. Kind of flies in the face of "innocent until proven guilty" doesn't it?

Friday, April 2, 2010

Facebook puts new spin on old crimes

KTLA.com in LA reports a new spin on a not so new pastime. For that matter the spin's probably not all that new. There's not really anything new about groups of teenagers or early twenty-somethings finding an unoccupied house, breaking in, and trashing it. It's also not new that the partiers don't really care if the house is empty because it's abandoned or because the occupants are away. Actually, they probably prefer the occupants be away, that way there's probably food and maybe alcohol already there.

What Facebook and other social media have made possible is a much shorter amount of time needed to set up the "party". Twenty years ago it took time to find a suitable house, let people know where the party was being held, and get everybody there. Today, thanks to Facebook, Twitter, Foursquare, and others, a careful online search can find empty houses in minutes. A Facebook update or a tweet can potentially allow thousands of people to find out about the party simultaneously, and in no time you have hundreds of people trashing your home.

As I said, this isn't exactly new. What is new is that many people are now transmitting to anyone who cares to look that they are leaving for extended periods. So along with having your mail held, your newspaper subscription suspended, and your lights set to go on and off while you're gone, make sure no one in your family reports to the world at large that you are going to be gone.

Remember, sites like Facebook are tools. It's up to us how we use them.

Friday, March 26, 2010

Full body scans can't be abused. Right.

Michael Holden reports in Reuters "Oddly Enough" news that a security worker at London's Heathrow airport is in hot water for looking at a coworker who "mistakenly strayed into the scanner."

The 25 year old man is not in deep trouble yet because the incident is still being investigated, but if the investigators conclude he actually did see things he shouldn't have it will put a whole new spin on full body scans. Citizens around the world have been assured repeatedly that security workers wouldn't be able to see their "naughty bits" on the scans. If the investigation proves they can, there could be a massive public outcry.

Of course, the investigation is being carried out by government employees, and the government has a vested interest in finding that nothing actually happened.

Tuesday, March 16, 2010

Obama supports DNA sampling when arrested

Politico's Josh Gerstein tells us that, "President Obama backs DNA test in arrests." In an interview with John Walsh on America's Most Wanted the President professed his strong support of gathering DNA of everyone arrested for a felony crime:
"It's the right thing to do, and then, as you well know, John, this is where the national registry becomes so important, making sure that, not only are we getting these DNA tests done state by state, but then, nationally, everybody's talking to each other. That's how we make sure that we continue to tighten the grip around folks who have perpetrated these crimes."

It's a great sentiment. The problem is that when it comes to DNA testing upon arrest, it's wrong. In the interview John Walsh says that it's no different than taking fingerprints or an arrest photo. But that is not true.

DNA samples, unlike fingerprints, don't just identify you. They have the potential to reveal health issues, genetic relationships (siblings, parents), and possibly potential behaviors. You may give up the right to protect this information if you are convicted, but to take it upon arrest flies in the face of "innocent until proven guilty." Requiring a DNA sample from people who have been arrested, but not indicted, let alone convicted, says the exact opposite. It assumes you are guilty until the DNA sample proves you innocent. That is not the way justice is served in the U.S.

See the portion of the interview that talks about DNA (about halfway through) on YouTube.

See the entire interview on amw.com

Monday, March 8, 2010

Privacy vs Security at RSA conference

Brian Prince of eWeek Europe reports that U.S. Cyber Defense experts agreed on two things: U.S. cyber security needs beefing up, and doing that while protecting privacy won't be easy. Former head of U.S. Homeland Security Michael Chertoff saw the situation as a balancing act:
“You don’t want necessarily to have the government literally sitting there and operating the internet and opening and closing doors because it’s not hard to imagine a situation like you have in other countries where someone makes a decision that the threat isn’t just an attack by a botnet but an attack on ideas the government doesn’t like. So the key is to build a system that allows a sharing of information that does put on critical infrastructure a responsibility to maintain itself…but preserves a certain gate between them and a certain amount of accountability so that the government can’t simply just roughshod over the privacy.”

That's an important statement - and one that very neatly sums up the difficulty of providing security while maintaining privacy. The rest of the panel discussion showed a real concern and understanding of the importance - and complexity - of maintaining privacy while ensuring security.

Chertoff was one of a three member panel. The other two members were Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), and former special advisor on Cyber Security for George W. Bush, Richard Clarke. Richard Clarke is now chairman of Good Harbor Consulting. To be honest, I was a little surprised at the attitude shown by Mr. Chertoff and Mr. Clarke. Hearing Mr. Chertoff, co-author of the Patriot Act, talk about the importance of limiting government's ability to invade citizens' online privacy was unexpected.

Of course, not everything they said was so pretty. Clarke wants a system that is flexible enough that it isn't compromised when some companies don't keep up with the latest patches and malware protections. His idea? Have Tier 1 ISPs do deep packet inspection to detect illicit activity. This is just a liiiiiittle bit contradictory to Mr. Chertoff's statement above. Deep packet inspection would mean they see everything everybody does that goes through a Tier 1 ISP. A lot of traffic will never hit a Tier 1 ISP, but the fact that US citizens would be being treated as criminals with no evidence that they are would be a major constitutional problem. Of course, it should be a major constitutional problem with the nationwide phone tapping that's still going on, and we know how that went. Not surprising at all that Rotenberg saw a slippery slope, "If we go down this road you really have to be very careful because one rationale easily collapses into another."

It was encouraging that Clarke felt the U.S. government had discredited itself over the past ten years where privacy is concerned. He also felt that the agency best equipped to protect the country, both military and civilian, is the NSA. But in an amazing twist, he feels that the NSA is not the agency that should be protecting the private sector. The problem is, there isn't anyone looking out for the private sector:
“The problem is right now no one is defending the private sector,” he continued. “The theory of the Obama administration seems to be cyber-command defends the military, DHS (Department of Homeland Security) – which can’t do it yet – defends the .gov community, and the rest of us are on our own.”

As scary as that is, it's better than being watched by the NSA. And I'm happy that all three panel members seem to agree with that sentiment.


Tuesday, February 23, 2010

Big Brother's on the way

Fosters.com's Aaron Sanborn reports that in Dover, NH the police are going to be installing 23 cameras in various public buildings. The cameras aren't going to be constantly monitored but will be used to provide evidence in the case of crime. Sanborn talked to Dover Police Chief Anthony Colarusso.
"In general the security cameras are a deterrence that will hopefully prevent anything from happening," Colarusso said. "If people know a camera is in a certain area, they may be less likely to commit a crime."

Really? How many bank robberies occur every day in the U.S.? Are they more or less per capita than they were before the advent of cameras? Is there any evidence that they really are a deterrent?

Well, the answer to that is a resounding "?".

Some studies show the cameras to be effective, some show them to be ineffective. Some show them to be effective, but closer study shows camera installation coincided with increased patrols - so which was the bigger deterrent? The questionable track record combined with the expense to set up and maintain and the privacy concerns of cameras should weigh heavily in the consideration of any camera deterrent program. But it doesn't. The appearance of doing something often trumps all other considerations.

For a very good article on "Police Cameras" check out the article at Howstuffworks.com. Or you can check out my original post on the subject - it says much the same thing, but howstuffworks.com has even more supporting links.

Friday, February 19, 2010

School administrations are not police

Just days after telling you about the student who successfully sued her school for violating her free speech rights when they punished her for her Facebook page we see a new lawsuit filed, this time alleging invasion of privacy by school officials. If true, it is truly a case of school officialdom run amok.
In the Lower Merion School District each high school student was issued a laptop to improve and engage the students more fully in their education. The laptops were equipped with webcams and had software installed on them that allowed the webcam on a stolen laptop to be activated remotely, sending a still picture of whoever was using the laptop back to the school.

That's all well and good, but the students and their parents were not informed of this feature. Even that might not have been a big deal, but in at least one instance a picture was taken of a student whose laptop had not been stolen. And the student (and his family) learned of this when an assistant principal called the boy into the office and informed him that he was engaged in inappropriate activity at home. For proof he produced the picture taken using the webcam.

One has to wonder how many photos were taken, and showing what. The school had no right to be taking pictures of the students. Even if they thought the student was involved in something illegal, they had no right to activate the camera. Even the police would have had to prove probable cause to a judge and gotten a warrant.

Thursday, February 18, 2010

http://pleaserobme.com/

It's not a joke. Do you use one of the numerous services that let you tweet or otherwise post your location for the world to see? pleaserobme.com searches Twitter and posts the tweets that give away the tweeter's location.

It's not as nefarious as it sounds (or as it could be). The site was developed by three guys to demonstrate that we have some very bad habits, security-wise. The actual address data appears to be substituted with data from lands far away from the original poster. But that doesn't change the fact that large numbers of people are making their locations known. And part of knowing where you are is knowing where you're not. Which is exactly the information a burglar wants. Not to mention stalkers, psycho exes and assorted crazies.

Do you tweet your location? How often have you said something like, "Going to the game, hope we win. Go Tech!" How many hours would that give a crook to burglarize your home?

Wednesday, February 17, 2010

Facebook speech protected (sometimes)

Katherine Evans probably wasn't thinking about being part of a landmark case in online Free Speech when she created her Facebook rant against a teacher in 2007. She didn't keep it up long - apparently she was one of the few who didn't like the teacher - but the principal took exception anyway, took her out of her advanced placement classes and suspended her for three days.

In today's Miami Herald Hannah Sampson reports that Magistrate Judge Barry Garber ruled that the Facebook page falls under the umbrella of Free Speech:
"Evans' speech falls under the wide umbrella of protected speech," Garber wrote. "It was an opinion of a student about a teacher, that was published off-campus, did not cause any disruption on-campus, and was not lewd, vulgar, threatening, or advocating illegal or dangerous behavior."

This is a very good ruling, in my opinion. The judge recognizes that the schools cannot, and should not, be able to dictate students' lives off campus. But at the same time it recognizes that there may be cases that Facebook or other online speech would not be protected.

As the internet continues to mature and governments start putting more effort into taming this beast, cases like this one will define what we can and can't say online. And in the era of social media, what we can say online will be a defining factor in having a free society.

Friday, February 12, 2010

Obama = Bush

Now that I've got your attention, yes, I mean that. When it comes to citizens' privacy rights, I can see no discernible difference between their administrations. Obama is continuing the national phone monitoring that was started by the Bush Administration, a program that is unconstitutional and does little if anything to benefit national security.

If that wasn't bad enough, last night I saw two articles talking about a case being argued today in Philadelphia. The first was at Cato-at-liberty.org and was pretty short. The headline says it all:
The Government Can Monitor Your Location All Day Every Day Without Implicating Your Fourth Amendment Rights

The second was an opinion piece by Catherine Crump at the Philadelphia Inquirer. It began with,
"If you own a cell phone, you should care about the outcome of a case scheduled to be argued in federal appeals court in Philadelphia tomorrow. It could well decide whether the government can use your cell phone to track you - even if it hasn't shown probable cause to believe it will turn up evidence of a crime."

The Obama administration is asserting that U.S. citizens have no reasonable expectation of privacy when it comes to their cell phones. This premise comes from the "third party doctrine." The third party doctrine is controversial to say the least, and in the modern age the equivalent of completely removing all Fourth Amendment protections without the pesky need to actually repeal it.

The third party doctrine says that once you knowingly give information to a third party you lose the right to the Fourth Amendment protections. Just to help keep things clear, the Fourth Amendment says:
Fourth Amendment – Protection from unreasonable search and seizure.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The third party doctrine is based on the premise that, since the phone company, your ISP, and any other company you may give data to is not within the four walls of your home or on your person, that data is no longer protected by the Fourth Amendment's clause against unreasonable searches and seizures.

Forget whether or not you are doing anything illegal. Under the third party doctrine the government can subpoena your browsing history from your ISP without having to prove probable cause. The same goes for anything you put on Facebook (not that Facebook is private), and possibly even anything you back up to Carbonite or another online backup service. I say possibly to the backup services because they are usually encrypted, so a "reasonable expectation of privacy" can be argued. The same can't be said for email, cell phones, text messages or almost anything sent over the internet.

I don't know about you, but almost everything I do that doesn't involve direct, face to face communication goes through a third party before reaching its destination. There is almost nothing I do that the government can't look into for no other reason than curiosity using the third party doctrine. Knowing the history of the American colonies and the revolution, I know the founding fathers never intended the government to have that kind of power.

Tuesday, February 2, 2010

GAO to TSA: Test those scanners first!

In a report by Jaikumar Vijayan on pcworld.com we learn that the Government Accountability Office (GAO) has told the TSA to make sure they properly test the full body scanners they are trying to deploy. The GAO reminds the TSA that another technology, Explosive Trace Portals, was rushed to deployment, and performed so abysmally that only about 1/2 the units purchased were installed, and by the end of 2009 all but 9 were out of service. Those 9 will be gone by the end of the year.

The GAO says that the TSA had not tested the full body scanners by October 2009, but claims to have finished testing by the end of that year. The problem, according to the GAO, is there is no verification that real world tests, i.e., tests trying to fool or bypass the scanners, were done.

Without such tests - carried out with a sincere desire to get past the scanners - there is no guarantee that the scanners are effective. It's easy to find something carelessly hidden. It's another thing to catch something carefully hidden by someone with a good idea of how to hide it.

If some of the things I've read are correct, as little as a millimeter of skin will keep these scanners from finding something. Having the amount of skin necessary for a bomb pulled up and sewn down over high explosives doesn't seem very attractive, but we're talking about people who are not expecting to be in one piece for much longer when this is done. Of course, there are less violent ways to hide a bomb inside the body. People smuggle drugs that way all the time.

This really comes down to a cost benefit analysis. The cost of the methods required to get around full body scanners - apparently very low. The cost of the scanners? A very high $130,000 to $170,000 each. Unless the TSA can show the scanners can effectively reduce terrorist attempts, the cost outweighs the benefit. From the information available now, that seems unlikely.

Thursday, January 28, 2010

TOR cracked to catch child pornographers

Tuesday I wrote about TOR, The Onion Router. Wednesday in ZDNet's "Zero Day" blog I read about a TOR server patch written for the purpose of catching child pornographers. Not just to the geographic location they are operating from, but to the computer they are working at. A worthy endeavor. But since the author, HD Moore of Metasploit fame, is releasing the source code, modified versions of the patch can be created to track anyone using TOR. This means TOR as a standalone item has become useless for protecting people who need protecting, i.e. human rights activists in oppressive countries, journalists and police under cover, and anyone with a legitimate need to keep their location hidden.

Moore (arguably) had good reason to do this. In Germany, at least, TOR is being heavily used, or is suspected of being heavily used, to traffic in child pornography, and the German authorities have been cracking down on TOR servers. But is the possible benefit in one admittedly important area worth the cost in several other important areas?

But there is an alternative to the TOR package by itself. It is also cross platform, and free. It will run on Intel Macs, Windows, and Linux. It is called JanusVM and runs in a virtual machine. It plugs the holes used by Moore's patch, and keeps your location obscured. From the Janus website:
JanusVM is powered by VMware, built on the Linux 2.6.14 kernel, and brings together openVPN, Squid, Privoxy, and Tor, to give you a transparent layer of security and privacy that is compatible with all your TCP based applications. DNS requests are also passed through Tor so even your ISP doesn't know what web site you are looking at.

JanusVM is free, cross platform, and can take a little more setup than the basic TOR package, depending on how your network is set up. But if you need anonymity online, it's the best thing going now.

Monday, January 11, 2010

Airport romance never pays

Of course, it would help if a little common sense went with it. Friends describe Haisong Jiang as a hopeless romantic. They say he just wanted to say goodbye to his girlfriend one more time. They also say that he didn't realize what a flap he would cause. He's a doctoral student in molecular biology, which would indicate a certain amount of intelligence. But sometimes people do fit stereotypes. I knew a chemical engineering Ph.D. candidate who was incredibly book smart, but was the poster child for the uncommonness of common sense. So I'll give Haisong Jiang the benefit of the doubt on not realizing how much trouble he would cause by crossing that rope to go into the secure area with his girlfriend in Newark Airport January 3rd.

But I watched the video of his transgression (well, I watched the 6 minute unedited video), and it is obvious that he did know what he was doing was wrong. He waited around for several minutes, even after the guard asked him to move on. And I would think his girlfriend should be held responsible as well. She waited until the security guard was gone and came back for her boyfriend, then walked with him to the 'secure area.'

The guard is also culpable in this fiasco. He should not have left his post unattended. If he had some serious business he needed to attend to he should have called for relief.

How much trouble should they be in? I'm not sure. Unless he's been an exemplary employee for a long time, I would strongly recommend firing the guard. There is too much relying on his vigilance to let a slip like that slide. The lovebirds? I'm a little torn. I think they need more severe penalties than the crime he is being charged with carries (she isn't being held responsible, AFAIK), but I don't really want to ruin two lives over what might have gone entirely unnoticed a few short weeks ago.

That's the kicker, of course. And perhaps the damning bit that's missing. These two have been carrying on a long distance relationship for a year or so. How many times have they played exactly this scenario when she visits? Or when he visits? As I said earlier, he was obviously waiting, and it appears that she was, too. It looked like they had either done this many times, or planned it very carefully.

His reaction when he found out the police were at his house is also interesting. Almost like he was expecting it eventually. According to a story in the NY Daily News, he said, "You got me." It doesn't sound like there was any surprise at all. That just leaves the question, why is he the only one being charged?

Why does the girl go free when she went to get him - knowing he wasn't supposed to cross the secure barrier? The guard is facing disciplinary action, the boyfriend is being charged, however lightly, and the girlfriend walks. Doesn't sound right to me.

Sunday, January 10, 2010

Full body scans: Trading privacy for illusion of security?

Hebba Aref has been a privacy advocate for some time. And she experienced anti-Muslim prejudice first-hand when she was told that she couldn't be in a picture with Candidate Obama because of her head scarf. That was an overzealous volunteer, and Mr. Obama called her personally to apologize when he found out. I can imagine that was a defining moment in her life.

In the past she has been against full body scanners and profiling in airports. Then she sat six seats in front of a young Nigerian man on Christmas Day, 2009, and she remembers the sound of the detonator, the flash, and the terrorist being led down the aisle with no clothes on below the waist.

Her experience that day changed her view of how airport security should be handled. In an article in the Detroit Free Press she says: "I'm always standing up for rights and privacy concerns, but now I hope that body scans will be mandatory," Aref, 27, said Wednesday. "Balanced against national security, it's worth the invasion of privacy. And I acknowledge the fact that there has to be attention paid to Muslims."

Coming close to death is a life-changing experience, but often after some time has passed and the fear moves further away people revert to their previous opinions and attitudes. Only time will tell us if Miss Aref will continue to favor body scanners and profiling. But her story, moving as it may be, is just another emotional appeal, and emotional appeals are poor things to build policy on. Granted, emotional appeals are the stuff that shapes public opinion, but they're still bad for building policy.

One of the more interesting quotes on full body scanning and privacy came from an article in the Washington Post on January 4, 2009. It was about the images generated. It said,
"They're virtual. Passengers walk through the machines fully clothed; the resulting image appears on a monitor in a separate room and conceals passengers' faces and sensitive areas."

Correct me if I'm wrong, but I believe "sensitive areas" refers to the breasts and groin on women and the groin on men. If the groin area is concealed, how are we protected from an underwear bomb?

Here are a few other quotes from the same article:
"It covers up the dirty bits," said James Carafano, a homeland security expert at the conservative Heritage Foundation.

"I don't think it's any different than if you go to the beach and put on a bikini," said Brandon Macsata, who started the Association for Airline Passenger Rights.

"It covers up the dirty bits," and it's the same as a bikini ... that sounds to me like the primary area of concealment, the crotch, will be concealed by software in the scanner. That makes it kind of hard for the human viewing the image to see if anything's been added to the area.

I've read that the full body scanners are not designed to detect the types of explosives used in most terrorist attacks. According to an article at newsdaily.com, Dutch Interior Minister Guusje ter Horst said that there is no 100% guarantee that the new detectors would have caught the underwear bomber.

Adding fuel to the fire - or not, since there's been almost no mention of it anywhere else - the Independent ran an article, "Are planned airport scanners just a scam?", on January 3rd reporting that British research into full body scanners showed that they would not detect an explosive of the type used by the crotchbomber. According to the article,
"But Ben Wallace, the Conservative MP, who was formerly involved in a project by a leading British defence research firm to develop the scanners for airport use, said trials had shown that such low-density materials went undetected.
Tests by scientists in the team at Qinetiq, which Mr Wallace advised before he became an MP in 2005, showed the millimetre-wave scanners picked up shrapnel and heavy wax and metal, but plastic, chemicals and liquids were missed."

Other interesting claims are made. Supposedly American experts have stated that traditional airport pat downs wouldn't have stopped Mr. Abdulmutallab from getting on the plane. There's a really simple reason for it. In the U.S. the security people aren't allowed to frisk sensitive areas. Not that frisking those areas will stop everyone. I was with a friend going into "The Who's Last" concert in Dallas in 1983...I think that was the concert...anyway, they were frisking everyone. My friend had a recorder with the mike in his pants. The officer hit the mike,

"What's that!"
"My d**k."

The officer got a surprised look on his face and waved him through. I still wonder if anyone managed to get something more dangerous in that way?

For me the scanner issue isn't really about privacy, although that is important. It's really about using unproven technology without making sure the measures we already have in place are working. To be honest they usually do work, but we need a lot of improvement. And before we spend $165 million on scanners we should spend a few hundred thousand making sure they do what is claimed.

Does anyone remember the bomb sniffing machines they spent millions on after 9/11? The machines that are mostly decommissioned because they didn't work as claimed, and spent more time broken than working? We don't want that to happen again - but it's probably already too late, because they've already ordered them. And they may not even detect the explosive they're being bought to protect us from.

The more things change the more they stay the same.

[Edited at 12:21 to improve headline by Bert]

Friday, January 8, 2010

Obama shoulders responsibility

Whatever you may think about President Obama's handling of the economy, foreign relations, or the war on terror, yesterday he stepped up to the plate and acted like a leader. He gave a broad outline (which was all he should have given) of what went wrong and what will be done to fix the problems. And that's where it gets sticky. I've been doing a little research on those handy-dandy full-body scanners that everyone's talking about, and I like the idea of using them less now than I did before. In a couple of days I'll go into some of the problems with them. But aside from the full body scanners, it looks like President Obama is taking this threat to our security seriously now and taking real steps to keep us safe from external threats. That is his primary job as President.

Thursday, January 7, 2010

Bono's hurting because of music pirates?

In a New York Times editorial U2 front man Bono gives his top ten things he thinks are important for the next decade. His second item is a plea to stop this horrible thing that has almost killed the music industry - file sharing. Not for the sake of artists like him, but for the little guys trying to get started. The ones who can't make a living because their music is being distributed free by pirates. He apparently does know how ridiculous he sounds, because he ends the section with, "Note to self: Don’t get over-rewarded rock stars on this bully pulpit, or famous actors; find the next Cole Porter, if he/she hasn’t already left to write jingles."

There are a few things he is ignoring, however. There is a thriving indie music industry based on internet distribution. Many young artists have started their careers using the internet and are quite happy as regional sensations. Other types of content providers have discovered that carefully managed free distribution increases sales instead of decreasing them. Baen Books started an experiment in 1999 or 2000. Instead of trying to stop internet sharing, they embraced it. They put some of the older titles of authors who were willing to give away a book or two online as free downloads. They're still doing it today. I'll give you three guesses why.

If you are a fan of fantasy and science fiction, check out the Baen Free Library. And see how intelligence and forward thinking handle new "problems". And after picking up a book or two by an author you've never read before, if you like it, buy something else by the same author. After all, he was nice enough to give you an enjoyable free read, and he's got bills the same as you and I.

Monday, January 4, 2010

Full body scan - shield or show?

Full body scans in airports - they're getting a lot of attention again, both for and against. One blog feels that just by agreeing to fly we are consenting to scanning. Another story on Canada.com agrees. It asks the seemingly reasonable question, "Do we need to see hundreds or thousands killed for the privacy objectors to back off?"

Privacy groups are against the full body scanners, saying they are invasive and demeaning. Flyersrights.org and the ACLU are both against the scanners. In a release on its website the ACLU says:
"We should be focusing on evidence-based, targeted and narrowly tailored investigations based on individualized suspicion, which would be both more consistent with our values and more effective than diverting resources to a system of mass suspicion," said Michael German, national security policy counsel with the ACLU Washington Legislative Office and a former FBI agent. "Overbroad policies such as racial profiling and invasive body scanning for all travelers not only violate our rights and values, they also waste valuable resources and divert attention from real threats."

I have to admit, I lean more toward the ACLU position. Yes, I know that a full body scan might have caught the explosive in the bomber's undies - although there are claims that the bomb would have made it through a scanner. But that isn't really the issue. The issue is that we don't need to add any new security measures, we need to properly use the ones we have.

I can't say it enough. The system is broken. People are saying, "We need full body scans to keep anyone else from getting through." No, we need to start making full use of the intel we're gathering. Bush dropped the ball when he didn't follow through on his order that the U.S. intelligence agencies, FBI, CIA, NSA, etc. share information, and Obama is following his example.

The point in this is not that a scanner would have stopped this guy before he could turn himself into a eunuch. It is that he should never have made it to the point where he would have to go through a scanner. We had more than enough info to forbid this guy to get on a plane. He was on a watch list, then his father notified the U.S. Embassy that he had been radicalized and might do something dangerous. That would have put him in a "watch very closely" list for me. Not for the U.S. government. According to examiner.com:
"On November 20th the embassy sent a "Visas Viper cable" to the State Department which detailed the father's warning. The information was then given to the Counter-Terrorism Center in Washington D.C. which ruled that there was insufficient information present to revoke Mutallab's visa."

While people are screaming for more measures to limit our freedoms and take away our rights, the real problem is that the information we are gathering has everything we need to stop these terrorists, if we would only use it. Putting scanners in the mix will not make us safer, it will only be one more layer of false security.

No matter what methods we devise to detect explosives at the airport, our first and best line of defense will always be gathering data to stop terrorists before they can get a ticket. And the evidence shows we're doing a good job of gathering it, we just aren't using what we're getting.

Monday, December 28, 2009

Do you have the skills?

The feds are looking for people with the skills necessary to move the U.S. into the 21st century, cybersecurity-wise. If you have the skills to help secure our networks and a security clearance, you can make some pretty good money, even if you don't have a ton of experience. You do have to have some, but the main point is that you have some experience and a security clearance. Cyber attacks have tripled recently, but cybersecurity talent with security clearance is so rare that government agencies and government contractors are fighting for the same people, and the government can't compete.

The government's inability to pay competitive salaries is hurting our ability to protect important data. The problem isn't being able to figure out how the bad guys might get at it, it's in figuring out how to close the holes we can find. And the ability to respond to a breach varies widely from department to department. The State Department has well-equipped and trained staff who can respond quickly, determine the attack vector, and plug the hole, then analyze and determine ways to prevent similar attacks in the future. The Commerce Department, which handles data every bit as sensitive as State, lacks similar equipment and training. Both suffered serious breaches. State was able to determine how it was done and prevent data theft. Commerce was never able to determine how the attack was pulled off, although they say no data was compromised. But they still replaced hundreds of workstations.

This is a serious problem. Organized crime and hostile governments (note: in this context, all other governments are hostile) are marshalling major resources at cracking the security in U.S. government and private corporate facilities. It is not the government's place to protect private companies (nor should it be), but it is of paramount importance that government agencies are able to keep data safe from prying eyes. Their databases contain information that could do irreparable damage to our ability to compete in the marketplace. They contain data on research in all types of technology that we would not want falling into enemy, and maybe not even friendly, hands. If there is any one area we cannot afford for our government to skimp on, it is national security, and part of that is making sure that we have the best cybersecurity experts providing the best policies and procedures for preventing breaches, and when they do occur, detecting, plugging, and cleaning up after them quickly and efficiently.