“Toyota — Moving Forward”… Um, yeah, so we’ve heard.

Posted February 8, 2010 by reasonablereporter
Categories: Uncategorized

The beleaguered Toyota Motor Corporation has begun to run television ads acknowledging its tarnished reputation, and promising to earn back customer confidence. But the kids in the marketing department apparently didn’t catch their own (unintended) punchline at the end of the spot. The tag line “moving forward” tends to underscore the problem that brought the company to this point. Yes, we heard that the cars move forward. Uncontrollably, and on at least one occasion at a horrifying speed.

What President Obama meant when he spoke of Las Vegas

Posted February 3, 2010 by reasonablereporter
Categories: Uncategorized

With all the huffing and puffing that’s followed the president’s remark about blowing cash in Las Vegas, nobody has stepped back to examine the context. President Obama’s meaning and motive have both been misconstrued.

Obama was offering the family budget as a metaphor for the federal budget. He was talking to a gathering of “regular folks,” to the extent that any town hall where the president appears consists of regular folks. To highlight his new agenda starring the middle class, Obama tried to draw upon the lexicon, the experience, and the aspirations of the middle class. At least as they’re perceived in Washington, D.C.

The president said, “You don’t go buyin’ a boat when you can barely pay your mortgage.”

This was purposeful. He didn’t say “You shouldn’t buy a yacht if your stock options are down by 60 percent.” Nor did he say, “Don’t buy a kayak if the lease on your Prius has a large balloon payment.” He said boat.

Next, the president said, “You don’t blow a bunch of cash in Vegas when you’re trying to save for college.” Obama seemed to be suggesting that if you aspire to buy a boat instead of a yacht or a kayak, then Las Vegas must be your idea of a vacation splurge, not Martha’s Vineyard, or Sedona, or Aspen.

In Washington, they don’t know that Las Vegas is brimming with sophisticated discos, and restaurants with single-syllable names where the plates are square, not round, and the desserts are decorated with cross-hatched butterscotch-amaretto sauce, and burnt orange peel curlicues.

Moreover, in Washington, where there is no middle class, “middle class” is ill-defined. Nobody in Washington has a great deal of day-to-day interface with the middle class.  That’s all.  The president (and/or his speechwriters) didn’t mean to offend. If Obama is willing to forgive Harry Reid for letting slip with some ill-considered, pre-civil rights era remarks about race, Nevada should forgive Obama for letting slip with some outdated ideas about Las Vegas and the middle class.

What happened to the (non-invasive) airport puffer security scan?

Posted December 31, 2009 by reasonablereporter
Categories: Uncategorized

It was probably 2006 or 2007. Reno was the host city for a trade show for airport executives. The Reasonable Reporter is fuzzy now on the details, and was unable to get a memory boost on New Year’s Eve from airport spokesman Brian Kulpin. No doubt the poor man has been in high demand for the past week.

But it was Kulpin who escorted the Reasonable Reporter through the displays of airport wares, which spanned the spectrum from mundane items, like comfy seats for waiting at the gates, to the super-sophisticated “puffer machine,” which became the focus of the news report in no small part because of its signature sound – pfffff — a satisfying bit of ear candy for the radio bosses.

The “explosives trace-detection portal machine” was puffer’s real name, and its job was to detect and analyze tiny traces of certain chemicals carried on a passenger’s skin or clothing, including substances like, well, like PETN on the waistband after someone stuffed a bunch of it into his undies.  So sensitive was the puffer, according to its company representatives, that a farmer sporting a tiny spec of fertilizer on the sole of his boot had set off its sensors.  And to its great credit, the puffer was content to smell you. It didn’t undress you with its eyes.

What happened to the puffer?  According to the Wikipedia summary,  the puffer broke down a lot, and after initially planning to install it in 434 airports, the TSA decided in late 2007 not to order any more of the puffer.  That date coincides rather neatly with initial stirrings of horror over something called the backscatter x-ray machine.  You saw the images it produces on the front page of the New York Times this week.   Lovely side-by-side front and rear shots of a male passenger’s anatomy in all its backscatter (and frontscatter) glory.

The Reasonable Reporter covered the privacy advocates earlier this year on the DataSecurityPodcast, as they lashed out against the x-ray machines.  Electronic Privacy Information Center announced a campaign against “virtual strip searches” by TSA agents. It was a campaign that EPIC hoped would “go viral.”

It didn’t go viral. In fact, it barely broke the surface. There was no widespread public outcry against making it possible for TSA agents to peer into your shorts.

Now, though, in 19 American airports, guys you wouldn’t give the time of day at the local internet cafe can check out every detail of your unclothed body, without even taking you to dinner first. TSA’s initial installation plan to place the leering machine into five airports was expanded. EPIC filed a lawsuit earlier this month, seeking enforcement of a FOIA request. We shall watch to see where this goes, against the backdrop of the Christmas day undie attack.

Meanwhile, never wasting a good crisis, the D.C. lobbying firms have ramped up on behalf of the x-ray machines, holiday week or not. Read about it in the Washington Examiner.

More to follow.

The Cyberattack that Struck (or Didn’t Strike) Citibank (and Others)

Posted December 23, 2009 by reasonablereporter
Categories: Uncategorized

On Tuesday the Wall Street Journal reported that the FBI is investigating a cyberattack at Citibank, in which tens of millions of dollars were stolen. In response, Citibank issued a carefully-worded denial of any breach to its systems. It’s conceivable that the FBI and Citibank are both correct — that a cyberattack did occur, and that there was no penetration of Citibank’s systems.

Whatever took place (or didn’t) at Citibank, it’s not in dispute that U.S. businesses have suffered massive losses this year as funds vanished inexplicably from bank accounts. Enormous sums of money – the FBI estimates $100 million in unauthorized transfers – simply evaporated, leaving both the banks and the customers mystified.

Initially, banks accused customers of sharing passwords.  How else could this have occurred? In turn, customers, some of whom lost hundreds of thousands of dollars from one month to the next, accused the banks of fiduciary neglect.

In recent months, information security researchers have pieced together the sophisticated attack behind these thefts. Zeus, as the family of banking trojans behind many of them is known, is a criminal instrument whose well-crafted capabilities require one to stand back in awe.

Zeus and its many offspring originate far from the bank account. They start as malicious code planted by attackers on legitimate websites. Local newspaper sites, online retailers, and search engines are among the candidates to become unwitting hosts to the malware. Once a site is compromised, it tries to infect every visitor whose browser or browser plug-ins have an unpatched flaw. John or Jane Business Owner browses the weather report at Daily Chronicle dot com, using the same workplace computer where banking transactions are done. One click on the five-day forecast, or simply loading a page that carries the planted code, and the malware is installed on John or Jane’s computer without any prompt. This is called a drive-by download.

Some web surfers avoid infection (a fully patched browser is the usual reason), but many don’t. Zeus and friends are polymorphic, meaning each copy is repacked so its bytes look different, which defeats anti-virus tools that look for known signatures. They often get past the front gate. The trojans then lie in wait, primed for action at the first sign of a bank session, which (yes) they are engineered to recognize. (This is the simplest layer of the attack. The malware carries a configuration file listing bank URLs, something easily compiled by searching Google.)

When it sees the user logging on to a bank website, the malware comes to life. It records the user name and password, which it may send back to its operator. But the more damaging trick is that it sits inside the browser, between the user and the bank (what researchers call a man-in-the-browser attack): it rides along on the session, noting the amounts of the legitimate transfers, and submits a transfer of its own in the same session, sized to fall within the dollar range of the real ones and directed to a predetermined account. Since businesses frequently conduct multiple fund transfers during their online banking sessions, the criminal transfer hides among the legitimate ones. If the business issues 20 paychecks, 22 transfers would not draw undue attention at the bank.

Weeks later, when the bank statement arrives, the fight to recover the funds begins. Consumers have 60 days under federal rules to dispute a fraudulent transaction; business accounts are not covered by those consumer rules, and their account agreements can give them as little as 48 hours. By the time the missing funds are noticed, it’s too late. Adding insult to injury, a new user name and password won’t deter further attacks as long as the infected computer stays in use. Recall that the malware is watching for the bank’s URL, and will record the user credentials no matter what they are. The whole process begins again.
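As an added example (not code from the original post), here is the reconciliation a business could run to catch those two extra transfers: compare the payment batch it authorised against the bank’s own record of what went out, and flag anything the bank sent that the batch does not explain. The file formats, account numbers and amounts are constructed for illustration.

```python
# Added example (not code from the original post): reconcile what a business
# meant to send against what its bank reports actually went out.  File formats,
# account numbers and amounts below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    dest: str   # masked destination account, as a statement shows it
    memo: str

    @property
    def key(self):
        # Memos are free text the bank may rewrite; match on amount + destination.
        return (self.amount_cents, self.dest)


def _cents(text):
    """'1842.50' -> 184250, avoiding float rounding on money."""
    dollars, _, cents = text.strip().partition(".")
    return int(dollars) * 100 + int((cents + "00")[:2])


def _records(text, sep, fields):
    """Yield stripped field tuples, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield tuple(p.strip() for p in line.split(sep, fields - 1))


def parse_batch(text):
    """Local payroll batch, constructed format: 'amount,destination,memo'."""
    return [Transfer(_cents(a), d, m) for a, d, m in _records(text, ",", 3)]


def parse_statement(text):
    """Bank outbound log, constructed format: 'date|amount|destination|memo'."""
    return [Transfer(_cents(a), d, m) for _, a, d, m in _records(text, "|", 4)]


def reconcile(batch, statement):
    """Multiset-compare the batch we authorised with what the bank sent.

    'unexpected': transfers on the statement that were never in our batch.
    'missing':    batch entries the bank shows no transfer for.
    'blended':    the unexpected ones whose amount falls inside the range of
                  the legitimate batch, i.e. sized to hide among real payments.
    """
    remaining = Counter(t.key for t in batch)
    unexpected = []
    for t in statement:
        if remaining[t.key] > 0:
            remaining[t.key] -= 1          # matched an authorised transfer
        else:
            unexpected.append(t)           # nothing in our batch explains it
    missing = []
    for t in batch:
        if remaining[t.key] > 0:           # authorised but never sent
            remaining[t.key] -= 1
            missing.append(t)
    amounts = [t.amount_cents for t in batch]
    lo, hi = (min(amounts), max(amounts)) if amounts else (0, 0)
    blended = [t for t in unexpected if lo <= t.amount_cents <= hi]
    return {"unexpected": unexpected, "missing": missing, "blended": blended}


SAMPLE_BATCH = """\
# constructed: five paychecks the business submitted
1842.50, ****1234, Payroll A. Smith
2105.00, ****5678, Payroll B. Jones
1987.25, ****9012, Payroll C. Lee
2250.00, ****3456, Payroll D. Park
1610.75, ****7890, Payroll E. Diaz
"""

SAMPLE_STATEMENT = """\
# constructed: what the bank says left the account that day (two extra lines)
2009-12-18|1842.50|****1234|PAYROLL
2009-12-18|2105.00|****5678|PAYROLL
2009-12-18|1990.00|****4421|PAYROLL
2009-12-18|1987.25|****9012|PAYROLL
2009-12-18|2250.00|****3456|PAYROLL
2009-12-18|2175.50|****8830|PAYROLL
2009-12-18|1610.75|****7890|PAYROLL
"""

if __name__ == "__main__":
    result = reconcile(parse_batch(SAMPLE_BATCH), parse_statement(SAMPLE_STATEMENT))
    for t in result["unexpected"]:
        tag = "sized to blend in" if t in result["blended"] else "out of range"
        print(f"UNAUTHORISED ${t.amount_cents / 100:,.2f} to {t.dest} ({tag})")
    for t in result["missing"]:
        print(f"MISSING      ${t.amount_cents / 100:,.2f} to {t.dest}")
```

The bank’s record has to reach you through a channel the infected machine never touches (a second, clean computer, a phone call to the bank, the mailed statement), because the same malware that inserts the transfers can also rewrite the account page the infected browser displays. Run the comparison the day the batch goes out, not weeks later, since the business has far less time than a consumer to dispute a transfer.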

And so it can be said, truthfully, that a bank’s systems have never been breached. They have not.  The banks –  many of them –  have been  indirect victims of cyberattacks on their customers. It might also be true, as Citibank asserts, that no account holder has lost money.  In some cases, an insurer could step in to fill the void, leaving account holders unharmed.

Thirty-seven years of controversy over Roe v. Wade

Posted December 18, 2009 by reasonablereporter
Categories: Uncategorized

It’s timely, though the timing is probably accidental, that Republican candidate for U.S. Senate Sue Lowden’s record on abortion is being combed for inconsistencies.  The anniversary of Roe v. Wade is about a month away.  It’s always highlighted by the media.  The Reasonable Reporter uses the occasion annually  to recommend a visit to Netflix to order “Citizen Ruth,” a hilarious and dark send-up of both sides.

The brilliance of Citizen Ruth is that every character in it is thoroughly unlikable, including the protagonist Ruth, a crude and anti-social pregnant addict (played by Laura Dern), who is arrested and tossed into the same holding cell with a group of pro-life demonstrators.  Zaniness ensues. Grim zaniness, but zaniness all the same, as each side of the abortion fight tries to recruit Ruth to be its emblem, stooping lower and lower in their successive bids to win her.

Citizen Ruth illustrates a bitter truth, which is the futile nature of prolonged public debate on an irreconcilable question.  The film also caricatures, in cruel shades, adherents to the absolute, emotion-stirring positions.

For more than a decade the true points of public contention on abortion have been taxpayer funding, parental notification, and late-term procedures. Nonetheless, candidates are under pressure to adopt an absolute pro-life or pro-choice position, at least in a tough primary. What does a candidate do if he or she is inclined to agree with most of the American public?

Sarah Palin signs books, meets with Jim Gibbons in the Biggest Little City

Posted December 9, 2009 by reasonablereporter
Categories: Uncategorized

When Sarah Palin went rogue, it meant some headaches for the GOP, but who knew it would also cause headaches for earnest local reporters and  talk show bookers whose job is to deliver interviews with newsmakers?  The  former McCain running mate is not speaking with reporters these days — even reasonable ones.

But she did speak with the governor of Nevada tonight, the Reasonable Reporter learned while skulking around the Reno Costco parking lot with a camera in the blistering cold. Gibbons entered the store through a rear door just before 4:00 p.m.  The former Alaska governor arrived with her husband, their baby, and her parents. Gibbons spokesman Dan Burns confirmed that Palin spoke with the governor for about 20 minutes. Burns does not know what Gibbons discussed with Palin.  No other elected officials, candidates, or potential candidates were present, Burns said.

So what does it mean?  Burns told the Reasonable Reporter that Governor Gibbons showed up at Costco to welcome Palin to Nevada, although he had no official role in the Costco appearance and did not appear with Palin during her book signing.

Reasonable Reporter ventures out with a camera

Posted December 4, 2009 by reasonablereporter
Categories: Uncategorized

No hint of recession at the Reno Barnes & Noble on Sunday of Thanksgiving weekend. The café was packed with latte-sipping book lovers. Customers browsed the shelves. Some leaned over the second-floor railing and watched a women’s choral group tucked between the escalators below, singing Christmas carols. Nearby was a table where mother-and-daughter authors autographed books. Former Congresswoman Barbara Vucanovich signed her book, From Nevada to Congress and Back Again, with daughter Patty Cafferata, former executive director of the Nevada Commission on Ethics, who has published nearly a shelf’s worth of books about Nevada history.

Barbara V signs books

Wednesday, December 2: Volunteers from Planned Parenthood protested the Stupak amendment, led by Public Affairs Veep Alison Gaulden. The group rallied in front of the federal court house in Reno (where Senators Harry Reid and John Ensign keep offices).

Gaulden: “We cannot have health care reform that leaves women worse off than they already are, so we need Senator Reid to hold firm on not accepting anti-choice amendments and we need Senator Ensign to not support any amendments that may come up.”

Gaulden issues a reminder to Reid and Ensign

Lessons from Las Vegas: What happens in the database should stay in the database.

Posted November 30, 2009 by reasonablereporter
Categories: Uncategorized

Any shred of information about the daily lives of citizens not currently contained in a government database will certainly be captured soon, as federal stimulus dollars create new opportunities for state and local agencies to track the activities of the average guy.

Raise any questions about whether the average guy wants to be tracked – and you will also raise the eyebrows of folks who view the “race to the database” as a tool for better government, or a way to meet energy needs, or a jobs program.  Building citizen databases is the twenty-first century equivalent of building Hoover Dam.

Raising digital privacy concerns does not make you a luddite, or a member of the Tin Foil Hat Brigade that fears government above plagues, floods, and earthquakes. No question technology can be applied to make government more efficient, and save resources in all the ways envisioned.  The problem is that government agencies have a terrible track record when it comes to protecting the data they collect. That goes for government agencies at all levels, all over the nation, especially the feds. If you have doubts, ask the federal government’s own auditors at the GAO, which consistently gives low marks for federal database security.

Perhaps you’ve been watching as the Las Vegas Sun chronicles the data breaches at University Medical Center and the Las Vegas Metropolitan Police Department.  Two weeks, two stories that make a privacy curmudgeon’s skin crawl.

At the county-owned medical center, employees have allegedly received thousands of dollars selling confidential patient records to personal injury attorneys.  Medical insiders told the Sun it’s been going on for a long time, and that hospital management mostly shrugged its shoulders after receiving tips about the privacy violations. The Sun also reports that the hospital’s chairman of the Board of Trustees –  a county commissioner – was told about the activity, which is both a civil and a criminal HIPAA infraction, but he said he didn’t respond because he was not familiar with HIPAA, the federal health care regulation that lays out stringent patient privacy requirements.

Meanwhile, in court proceedings, Las Vegas Metro has confirmed that police personnel have improperly grabbed citizen information from a restricted database. This arose from a lawsuit claiming that confidential data about ordinary Nevadans was leaked by police to a private investigator. The investigator was working on behalf of a politically well-connected person. The citizens were not suspected of any crime, but their names, dates of birth, and social security numbers were turned over to the investigator, the lawsuit says, and have in turn been disseminated to third parties.

The Sun’s report included the assertion by Metro that Metro is not responsible for the actions of miscreant officers, who were violating Metro policy.

And so, with these events as a backdrop, let’s look at the future of private citizen information.

Smart energy meters are on the way, to monitor each household’s electrical activity, allowing numerous inferences. Inferences by whom?  It depends on how public policy is crafted, but the interested parties might include divorce lawyers, insurance companies,  law enforcement, and others who benefit from an orderly  snapshot of private activity.  If you can afford lots of energy use, perhaps you can afford more alimony. If your house was dark during the third week of August, and your wife’s best friend was also out of town, well?…  And by the way… could that extra juice continuously drawn from the garage circuit be powering the plant lights used by pot growers?

If the Regional Transportation Commissions and NDOT get their wish, Nevadans will install a custom on-board gizmo in their cars to report mileage, facilitating a shift from the per-gallon tax to the per-mile tax.  A simple odometer reading at the time of the pre-registration smog check would allow such taxation. But the transportation agencies would also like to gather data on when and where the mileage occurs, paving the way for a higher tax on folks who drive through bottlenecks at rush hour. And, as a byproduct, creating daily activity logs about vehicle owners.

The transportation agencies acknowledge that privacy is a concern among the taxpayers, but appear to view the concern primarily as a political obstacle to be overcome.

There’s more. Electronic medical records. The liabilities speak for themselves, and examples are plentiful. Online reporting requirements for businesses that receive stimulus funding include taxpayer ID numbers.  The  state databases link to the federal database, creating, in effect, one gigantic target for cybercriminals, poorly guarded, if federal database history is any guide.

The Reasonable Reporter, observing up-close the manner in which digital progress is approached by government agencies, ventures that government workers are not inherently bad guardians of the citizen, but that the building process is consistently focused on the gathering of information, rather than the protection of information.  Security and privacy are often an afterthought, and, by the way, strong security and privacy cost money.  Legislators and agency heads frequently wage hard fights for the money to accomplish the projects themselves, never mind the additional cost for protecting the citizen data.

After the data is collected, we arrive at the intersection – no, let’s call it a freeway cloverleaf – of politics, policy, and those few careless or profit-seeking human beings who would wander astray in the absence of internal policy enforcement. When the data leaves the database and the press comes knocking, predictable statements from management ensue.

“We view security as a top priority,” they say.  Or “We have a policy,” or “We are now changing our policy.” The most commonly used statement, however, was unavailable to the agencies in the Las Vegas cases:  “There is no evidence that anyone has been harmed.”

A new Thanksgiving Day epithet: “F the Jews”

Posted November 26, 2009 by reasonablereporter
Categories: Uncategorized

When one encounters the politics of race on Thanksgiving Day, it’s often devoted to the ambivalence of Native Americans toward the holiday. Native American writers have published, with some bitterness, many a piece taking aim at the American folklore (myth, some would call it) of a warm-and-fuzzy harvest feast shared by the Indians and the European settlers.

Flash to Thanksgiving Day 2009 in Reno, Nevada.  Members of the Temple Emanu-El on Lakeside and Manzanita have a different story to contemplate.  The sun rose on the temple this morning, revealing the vandalism below.  Clueless teen prank, or something worse?

Social Engineering: high tech crimes require low tech legwork.

Posted October 29, 2009 by reasonablereporter
Categories: Uncategorized

This is a true story. It happened in one of America’s most technically literate cities. A municipal employee was on the street, tinkering with a “smart” parking meter. This meter accepts credit and debit cards, and recognizes pre-paid parking cards. A young man approached the technician and gushed about the gadget. He said he was fascinated with technology, and wanted to work in the field some day. He asked numerous questions about the meter’s functions, answered generously by the city employee, who clearly relished the role of the expert.

The “kid” then returned to his lab, where he and several other researchers were exploring ways to hack the smart meter system. For instance, if parking is free on Sunday, why not make the meters think every day is Sunday? Better yet, what if, instead of deducting money from pre-paid parking cards, the meters added money? Unlimited free parking for our friends, that’s what.

Hackers have a very twenty-first century name for the street-level part of this research.  They call it “social engineering.” That’s because “working a patsy” would sound tired, not wired.

The Reasonable Reporter will now present a meditation on social engineering, prompted by a weekend excursion to a movie called Law Abiding Citizen. The film is an imaginative story of high tech murder and mayhem by an accomplished social engineer.  Go see it, despite the reviews, which are astonishingly tepid. Especially since the film could be described as a melding of two legendary predecessors. Death Wish meets Enemy of the State.

Everyone from the estimable Roger Ebert to the gang at Rotten Tomatoes finds the movie’s plot implausible. This is troubling evidence that Americans have a distorted notion of technical crime. Learn this, damn it: There is no high tech crime without low tech legwork. In other words, social engineering.

The Reasonable Reporter does not wish to sound snotty, but for all your Tweeting and Skyping and YouTubing, you people are remarkably unhip when it comes to the ordinary scam artists all around you. You are so technically evolved, apparently, that you no longer fear a good old-fashioned con job – involving, you know, a guy chatting you up, pretending to be something he’s not, in order to make a rube of you.

But it’s happening every day to technically sophisticated people. The office assistant who quits her job to make thousands of dollars working at home! It doesn’t occur to her that she’s facilitating crime, even when the boss, whom she’s met only online, instructs her to receive large cash transfers from important clients, deduct her own pay, and then send the rest of the money to offshore accounts.

Right here in Nevada, a business hires an independent contractor to help with the marketing effort.  The contractor gains unrestricted access to the client data and is able to email to himself as much of it as he wants. Down the road, he opens a competing business, using those valuable contacts, as well as financial data he gathered with the cooperation of the business owner.

God forbid the Reasonable Reporter bring up voting machines again. But seriously folks, one of the most-discussed polling place attacks is simply an old-fashioned two-man con. One guy creates a diversion at the check-in table while the other guy reaches around to the reset button on the back of the machine – some models have one – and wreaks election-day havoc.

We really must lose this outdated image we have of cybercriminals as social misfits in dark apartments who gain system access magically by tapping away at their keyboards all night. Watch some old movies to reintroduce yourself to the art of the con. Remember Psycho? Janet Leigh wouldn’t have been at the Bates Motel if she hadn’t pulled off a spectacularly successful feat of social engineering.