Archive for December 2009

What happened to the (non-invasive) airport puffer security scan?

December 31, 2009

It was probably 2006 or 2007. Reno was the host city for a trade show for airport executives. The Reasonable Reporter is fuzzy now on the details, and was unable to get a memory boost on New Year’s Eve from airport spokesman Brian Kulpin. No doubt the poor man has been in high demand for the past week.

But it was Kulpin who escorted the Reasonable Reporter through the displays of airport wares, which spanned the spectrum from mundane items, like comfy seats for waiting at the gates, to the super-sophisticated “puffer machine,” which became the focus of the news report in no small part because of its signature sound – pfffff — a satisfying bit of ear candy for the radio bosses.

The “explosives trace-detection portal machine” was puffer’s real name, and its job was to detect and analyze tiny traces of certain chemicals carried on a passenger’s skin or clothing, including substances like, well, like PETN on the waistband after someone stuffed a bunch of it into his undies. So sensitive was the puffer, according to its company representatives, that a farmer sporting a tiny speck of fertilizer on the sole of his boot had set off its sensors. And to its great credit, the puffer was content to smell you. It didn’t undress you with its eyes.

What happened to the puffer? According to the Wikipedia summary, the puffer broke down a lot, and after initially planning to install it in 434 airports, the TSA decided in late 2007 not to order any more of the puffer. That date coincides rather neatly with initial stirrings of horror over something called the backscatter x-ray machine. You saw the images it produces on the front page of the New York Times this week. Lovely side-by-side front and rear shots of a male passenger’s anatomy in all its backscatter (and frontscatter) glory.

The Reasonable Reporter covered the privacy advocates earlier this year on the DataSecurityPodcast, as they lashed out against the x-ray machines.  Electronic Privacy Information Center announced a campaign against “virtual strip searches” by TSA agents. It was a campaign that EPIC hoped would “go viral.”

It didn’t go viral. In fact, it barely broke the surface. There was no widespread public outcry against making it possible for TSA agents to peer into your shorts.

Now, though, in 19 American airports, guys you wouldn’t give the time of day at the local internet cafe can check out every detail of your unclothed body, without even taking you to dinner first. TSA’s initial installation plan to place the leering machine into five airports was expanded. EPIC filed a lawsuit earlier this month, seeking enforcement of a FOIA request. We shall watch to see where this goes, against the backdrop of the Christmas day undie attack.

Meanwhile, never wasting a good crisis, the D.C. lobbying firms have ramped up on behalf of the x-ray machines, holiday week or not. Read about it in the Washington Examiner.

More to follow.

The Cyberattack that Struck (or Didn’t Strike) Citibank (and Others)

December 23, 2009

On Tuesday the Wall Street Journal reported that the FBI is investigating a cyberattack at Citibank, in which tens of millions of dollars were stolen. In response, Citibank issued a carefully-worded denial of any breach to its systems. It’s conceivable that the FBI and Citibank are both correct — that a cyberattack did occur, and that there was no penetration of Citibank’s systems.

Whatever took place (or didn’t) at Citibank, it’s not in dispute that U.S. businesses have suffered massive losses this year as funds vanished inexplicably from bank accounts. Enormous sums of money – the FBI estimates $100 million in unauthorized transfers – simply evaporated, leaving both the banks and the customers mystified.

Initially, banks accused customers of sharing passwords. How else could this have occurred? In turn, customers, some of whom lost hundreds of thousands of dollars from one month to the next, accused the banks of fiduciary neglect.

In recent months, information security researchers have begun to piece together the extremely sophisticated cyberattack behind these thefts. The Zeus trojan, as an early variant was dubbed, is a criminal instrument which requires one to stand back in awe of its well-crafted capabilities.

Zeus and its many offspring originate far from the bank account. They start as packets of malicious code, planted by hackers on legitimate websites. Local newspaper sites, online retailers, and search engines are among the candidates to become unwitting hosts to the malware. Once a server is infected, it attempts to infect 100 percent of its visitors. John or Jane Business Owner browses the weather report at Daily Chronicle dot com, using the same workplace computer where banking transactions are done. All it takes is one click on the five-day forecast, or another innocent-looking link, and the malware is injected into John or Jane’s computer. This is called a drive-by download.

Some web surfers avoid infection, but many don’t. Zeus and friends are polymorphic, meaning they are engineered to evade traditional security tools by constantly changing their signatures, so that firewalls and anti-virus software don’t recognize them. They often get past the front gate. The trojans then lie in wait, primed for action at the first sign of a bank transaction, which – yes – they are engineered to recognize. (This is the simplest layer of the attack. The code includes a database of bank URLs, something easily compiled by searching Google.)

When it sees the user is logging on to a bank website, the malware comes to life. It records the user name and password, which it might send back to its human creator. But more likely, it rides along on the transaction, noting the amount, and executing a nearly-simultaneous transaction of its own while staying within a reasonable dollar range of the legitimate transactions. It then directs the funds to a predetermined bank account. Since businesses frequently conduct multiple fund transfers during their online banking sessions, the criminal activity is obfuscated. If the business issues 20 paychecks, 22 transfers would not draw undue attention at the bank.

Weeks later, when the bank statement arrives, the fight to recover the funds begins. While consumers have 60 days to unwind a fraudulent transaction, businesses have only 48 hours. By the time the missing funds are noticed, it’s too late. Adding insult to injury, a new user name and password won’t deter further attacks. Recall that the malware is watching for the bank’s URL, and will record the user credentials no matter what they are. The whole process begins again.

And so it can be said, truthfully, that the bank’s systems have never been breached. They have not. The banks – many of them – have been indirect victims of cyberattacks on their customers. It might also be true, as Citibank asserts, that no account holder has lost money. In some cases, an insurer could step in to fill the void, leaving account holders unharmed.
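An added example, not from the original post, of the defender’s side of the story told above. The trojan’s extra transfers sit inside the dollar range of the business’s real payments, so a bank-side check that only looks for unusual amounts sees 22 ordinary-looking paychecks. Reconciling what the bank posted against the business’s own ledger of authorized payments catches the two extras regardless of amount, and doing it daily rather than when the monthly statement arrives keeps the business inside the 48-hour window the post mentions. All transfers, account ids and timestamps below are constructed sample data; the mule account names are placeholders.

```python
"""
Added example (not the post's own material): ledger-versus-bank reconciliation
as a detection for ride-along transfers injected into an online-banking session.
All data here is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    ref: str              # bank or ledger reference (constructed)
    payee_account: str    # destination account id (constructed)
    amount_cents: int


# Constructed: the 20 paychecks the business actually authorized,
# between $1,850.00 and $2,000.00 each.
LEDGER = [
    Transfer(f"PAY-{i:03d}", f"ACCT-{1000 + i}", 185_000 + 2_500 * (i % 7))
    for i in range(20)
]

# Constructed: what the bank reports for the same session. The same 20 plus
# two the malware slipped in, priced to sit inside the normal paycheck range
# and aimed at placeholder mule accounts.
BANK_POSTED = LEDGER + [
    Transfer("BNK-7731", "MULE-ACCT-A", 190_000),
    Transfer("BNK-7732", "MULE-ACCT-B", 195_000),
]


def amount_outliers(transfers, z_threshold=3.0):
    """Naive amount-only check: flag transfers far from the batch mean.

    Included to show why it fails here: the injected transfers are deliberately
    unremarkable in size, so nothing is flagged.
    """
    amounts = [t.amount_cents for t in transfers]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0:
        return []
    return [t for t in transfers if abs(t.amount_cents - mu) / sigma > z_threshold]


def reconcile(ledger, bank_posted):
    """Return bank-posted transfers the business never authorized.

    Matching is on (payee, amount) with counts, so two identical legitimate
    payments in the ledger consume two identical bank postings and are not
    misflagged; anything left over is unexplained money leaving the account.
    """
    expected = Counter((t.payee_account, t.amount_cents) for t in ledger)
    unexpected = []
    for t in bank_posted:
        key = (t.payee_account, t.amount_cents)
        if expected[key] > 0:
            expected[key] -= 1
        else:
            unexpected.append(t)
    return unexpected


def still_disputable(posted_at, now, window_hours=48):
    """True if a business transfer can still be unwound, using the post's
    48-hour figure. A monthly statement review blows through this window;
    a daily reconciliation does not."""
    return now - posted_at <= timedelta(hours=window_hours)


if __name__ == "__main__":
    print("amount-only check flags:", [t.ref for t in amount_outliers(BANK_POSTED)])
    flagged = reconcile(LEDGER, BANK_POSTED)
    print("reconciliation flags:", [(t.ref, t.payee_account) for t in flagged])
    posted = datetime(2009, 12, 21, 9, 0)   # constructed posting time
    print("disputable next morning:", still_disputable(posted, posted + timedelta(hours=24)))
    print("disputable at month end:", still_disputable(posted, datetime(2009, 12, 31)))
```

Run as-is and the amount-only check returns nothing, while the reconciliation returns the two mule transfers; the final two lines show the same transfer as recoverable the next morning and lost by the time a statement is read.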

Thirty-seven years of controversy over Roe v. Wade

December 18, 2009

It’s timely, though the timing is probably accidental, that Republican candidate for U.S. Senate Sue Lowden’s record on abortion is being combed for inconsistencies. The anniversary of Roe v. Wade is about a month away. It’s always highlighted by the media. The Reasonable Reporter uses the occasion annually to recommend a visit to Netflix to order “Citizen Ruth,” a hilarious and dark send-up of both sides.

The brilliance of Citizen Ruth is that every character in it is thoroughly unlikable, including the protagonist Ruth, a crude and anti-social pregnant addict (played by Laura Dern), who is arrested and tossed into the same holding cell with a group of pro-life demonstrators.  Zaniness ensues. Grim zaniness, but zaniness all the same, as each side of the abortion fight tries to recruit Ruth to be its emblem, stooping lower and lower in their successive bids to win her.

Citizen Ruth illustrates a bitter truth, which is the futile nature of prolonged public debate on an irreconcilable question.  The film also caricatures, in cruel shades, adherents to the absolute, emotion-stirring positions.

For more than a decade the true points of public contention on abortion have been taxpayer funding, parental notification, and late-term procedures. Nonetheless, candidates are under pressure to adopt an absolute pro-life or pro-choice position, at least in a tough primary. What does a candidate do if he or she is inclined to agree with most of the American public?

Sarah Palin signs books, meets with Jim Gibbons in the Biggest Little City

December 9, 2009

When Sarah Palin went rogue, it meant some headaches for the GOP, but who knew it would also cause headaches for earnest local reporters and talk show bookers whose job is to deliver interviews with newsmakers? The former McCain running mate is not speaking with reporters these days – even reasonable ones.

But she did speak with the governor of Nevada tonight, the Reasonable Reporter learned while skulking around the Reno Costco parking lot with a camera in the blistering cold. Gibbons entered the store through a rear door just before 4:00 p.m. The former Alaska governor arrived with her husband, their baby, and her parents. Gibbons spokesman Dan Burns confirmed that Palin spoke with the governor for about 20 minutes. Burns does not know what Gibbons discussed with Palin. No other elected officials, candidates, or potential candidates were present, Burns said.

So what does it mean? Burns told the Reasonable Reporter that Governor Gibbons showed up at Costco to welcome Palin to Nevada, although he had no official role in the Costco appearance and did not appear with Palin during her book signing.

Reasonable Reporter ventures out with a camera

December 4, 2009

No hint of recession at the Reno Barnes & Noble on Sunday of Thanksgiving weekend. The café was packed with latte-sipping book lovers. Customers browsed the shelves. Some leaned over the second-floor railing and watched a women’s choral group tucked between the escalators below, singing Christmas carols. Nearby, a table where mother-and-daughter authors autographed books. Former Congresswoman Barbara Vucanovich signed her book, From Nevada to Congress and Back Again, with daughter and former executive director of the Nevada Commission on Ethics Patty Cafferata, who’s published nearly a shelf’s worth of books about Nevada history.

Barbara V signs books

Wednesday, December 2: Volunteers from Planned Parenthood protested the Stupak amendment, led by Public Affairs Veep Alison Gaulden. The group rallied in front of the federal courthouse in Reno (where Senators Harry Reid and John Ensign keep offices).

Gaulden: “We cannot have health care reform that leaves women worse off than they already are, so we need Senator Reid to hold firm on not accepting anti-choice amendments and we need Senator Ensign to not support any amendments that may come up.”

Gaulden issues a reminder to Reid and Ensign