Archive for General Post

The Futility of Physical Security Measures

I recently made and posted a YouTube video of my two-year-old son getting a pat-down at airport security.

I figured I should provide a few words of context here to clarify my intent and the circumstances surrounding the video, and to say what security lessons we should draw from this incident and others like it.

Security researchers know, as commonly accepted wisdom, that no security system, digital or otherwise, is 100% foolproof or secure. Bad things will happen. Malicious activity cannot be prevented entirely.

Meaningful security is therefore about managing risk. We, particularly as citizens of a free and open society, should actively question the cost of the security mechanisms imposed for the purpose of managing that risk and keeping us safe. If the risk is low and the cost is high, we should find a better, alternative mechanism (or change the policy so that the existing mechanism is used more sensibly, or so that other mechanisms, or none at all, are even considered).

In any event, the video I recorded is meant to help us ask this question: is patting down toddlers a useful security mechanism? If not, what policy changes should we consider to improve the value we are getting for the investment in airport security measures?

The video shows 44 seconds of what was about a 30-minute episode, so a lot of context is missing, including the ho-hum standard screening that led up to the pat-down and the discussion that followed with various CATSA employees and law enforcement, who asked me to delete the footage (and finally decided that it was OK for me to have recorded and retained it). We submitted to routine screening and were cooperative the entire time (modulo my refusing to hand over my already-scanned laptop with the raw footage while the question of whether I was allowed to record it was still pending).

One of the chemical sensors detected something (no idea what substance or in what concentration) on our baby food jars. This alert triggered an automatic escalation to re-screening and a choice between a pat-down and the X-ray machines (it is impossible to tell what X-ray technology they are using, how it is calibrated, whether rigorous independent testing is performed, etc., so we chose the pat-down, knowing that we would be denied boarding if we didn’t comply). At this point, a CATSA employee (for those in the US, CATSA is the Canadian equivalent of the TSA) gave my two-year-old son a quick pat-down. Knowing the pat-down was coming, I opened my laptop and started recording.

I emphasize that the agent was quick and courteous, and did not hurt my son (he later gave me a pat-down and was also quick and friendly). I have no problem with the CATSA employees; they are just being asked to do their jobs and carry out the security mechanisms that policy puts in place.

However, I still think something is deeply amiss if we consider patting down a toddler (who was in toddler PJs, which, as any parent can tell you, leave nowhere to hide anything) a valid, high-efficacy security mechanism. So I did the only thing I could to retain some measure of control, and that was to record the incident.

Why did I do this?

Because sometimes we get so used to something (and as a frequent flyer, I’ve been through about 60 screenings a year for the past 5 years) that we just come to accept it as good and proper. We shuffle through a line at 6:30 in the morning, half-awake, and comply with requests that are, in retrospect, totally absurd. That ground starts to get slippery and slope pretty quickly. Humans are disposed to obey authority (see the Milgram and Stanford prison experiments).

Is our current approach to physical safety in commercial airline travel useful? Does it work? Is it consistent with our values? Are there safer, more effective mechanisms that preserve our dignity? Is there an open process of public calibration and testing for these mechanisms?

A lot of people are uncomfortable with the line we seem to be crossing to defend against a constantly moving, amorphous, low-risk threat. But only a few people seem to actually want to say something. As the signs on MTA transit say: “If you see something, say something.” The phrase could easily be applied to citizen oversight of security measures, not just to the “weird stuff” that citizens are supposed to report to local law enforcement. You have a right to speak up if you don’t like something.

I was asked to delete the video and was told that it was illegal for me to record checkpoints. Here is a list of evidence to the contrary (kudos to P. Mocek for blazing a trail here):

CATSA FAQ: http://www.catsa.gc.ca/Page.aspx?ID=26&pname=TravellerFAQs_FAQVoyageurs&lang=en&sid=7&sname=Pre-Board-Screening-Experience_Processus-de-controle-preembarquement

http://blog.tsa.gov/2009/03/can-i-take-photos-at-checkpoint-and.html

http://www.papersplease.org/wp/mocek/

http://articles.cnn.com/2010-11-25/tech/shooting.video.tsa_1_tsa-s-office-tsa-checkpoints-shooting-video?_s=PM:TECH

http://www.krages.com/phoright.htm

http://www.freerepublic.com/focus/f-bloggers/2632673/posts

http://www.flyertalk.com/forum/travel-safety-security/938543-pv-alert-can-i-take-photos-checkpoint-airport-13.html

http://www.boingboing.net/2011/01/24/flier-beats-tsa-vide.html

The TSA also says: “We recognize that using video and photography equipment is a constitutionally protected activity unless it interferes with the screening process at our checkpoints.”


Gantt Charts in Excel

Now, I’m not a big fan of some of Microsoft’s business practices or software, but I reserve a special disdain for their often impenetrable “documentation”, particularly Knowledge Base articles that seem written by marketing and lawyers to keep any useful technical information away from the public.

In terms of explaining things to office desk jockeys, however, it looks like the situation has improved. I recently came across a tutorial on their site about how to create Gantt charts using Excel (Microsoft’s “Project” software is the main way to do this, but I don’t have Project).

http://office.microsoft.com/en-us/excel-help/create-a-gantt-chart-in-excel-HA001034605.aspx


Network Intrusion Recovery Redux

In my attempts to track down all sorts of citation-related minutiae for a research grant, I came across this blog post:

http://saintaardvarkthecarpeted.com/blog/archive/2009/11/Sugar_Free_Jazz.html

that summarizes my talk at USENIX LISA last year. It’s a warm fuzzy feeling to know that people paid attention.


U Calgary LDAP settings for Thunderbird

Helpful configuration information:

http://www.ucalgary.ca/it/help/articles/email/clients/tbirdosx/ldap


Using git

I recently started using git for managing libdisorder. I had used git once before, gotten distracted with other things, and never seriously learned it. I typically use either CVS or SVN to manage code and paper repositories. The code is now hosted at both dyne.org and GitHub:

http://github.com/locasto/libdisorder

http://code.dyne.org/?r=libdisorder

I found the following documentation to be of use while setting up the two remote repositories fed from my single local repository:

http://www.kernel.org/pub/software/scm/git/docs/user-manual.html#public-repositories

http://toolmantim.com/thoughts/setting_up_a_new_remote_git_repository
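The setup described above (one local repository feeding two remotes), as an added example that is not part of the original post or of libdisorder. The two remote URLs are stand-ins: local bare repositories created in a temporary directory, playing the role of github.com and code.dyne.org, so the script runs offline. The only assumption is that git is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post or the libdisorder project:
# one local git repository that pushes the same branch to two remotes.
# The remotes are stand-ins (local bare repositories in a temp dir,
# standing in for github.com and code.dyne.org) so this runs offline.
# Assumes only that git is on PATH.

set -e

setup_two_remotes() {
  work=$(mktemp -d)
  local_repo="$work/libdisorder"

  # Two bare repositories playing the role of the public hosts.
  git init --quiet --bare "$work/github.git"
  git init --quiet --bare "$work/dyne.git"

  # The single local repository, with one commit to push.
  git init --quiet "$local_repo"
  git -C "$local_repo" config user.email "dev@example.invalid"
  git -C "$local_repo" config user.name "Example Dev"
  git -C "$local_repo" config commit.gpgsign false
  echo "libdisorder" > "$local_repo/README"
  git -C "$local_repo" add README
  git -C "$local_repo" commit --quiet -m "Initial import"
  branch=$(git -C "$local_repo" rev-parse --abbrev-ref HEAD)

  # One named remote per host, so either can be pushed to individually.
  git -C "$local_repo" remote add github "$work/github.git"
  git -C "$local_repo" remote add dyne   "$work/dyne.git"

  # A third remote, "all", with two push URLs: "git push all" then pushes
  # to both hosts in one command. The first --add --push replaces the
  # default push URL instead of adding to it, so both must be listed.
  git -C "$local_repo" remote add all "$work/github.git"
  git -C "$local_repo" remote set-url --add --push all "$work/github.git"
  git -C "$local_repo" remote set-url --add --push all "$work/dyne.git"
  git -C "$local_repo" push --quiet all "$branch"

  # Verify: both remotes must now hold exactly the local head commit.
  local_head=$(git -C "$local_repo" rev-parse HEAD)
  gh_head=$(git --git-dir="$work/github.git" rev-parse "$branch")
  dyne_head=$(git --git-dir="$work/dyne.git" rev-parse "$branch")
  rm -rf "$work"
  if [ "$local_head" = "$gh_head" ] && [ "$local_head" = "$dyne_head" ]; then
    echo "in-sync"
  else
    echo "diverged"
  fi
}

# Usage: prints "in-sync" when every remote carries the same head commit.
setup_two_remotes
```

For the real hosts, substitute the GitHub and dyne.org clone URLs for the two temp-directory paths; the `all` remote is a convenience only, and the per-host remotes remain available for pushing to one of them at a time. Comparing the remote heads against the local head after the push is a cheap way to confirm that neither mirror has silently fallen behind.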


SISMAT 2010 Seminar and Infosec Education Funding

I recently spent 11 days in Hanover, NH at Dartmouth College leading the SISMAT (Secure Information Systems Mentoring and Training) summer seminar. This seminar is one part of a comprehensive training, job, and research program for undergraduates. Students go on to an internship in information security and then a follow-on research project at their home institution under the guidance of a local faculty mentor and with occasional advice and support from us.

This year was the third year of SISMAT. Sergey and I refreshed the curriculum and implemented some changes inspired by the “failure modes” learning pattern we (inadvertently) discovered during last year’s seminar (as described in our March SIGCSE paper).

Briefly, the failure modes philosophy holds that students learn topics (e.g., networks) more naturally by observing how failures of a system interact (e.g., what happens at layer 2 and layer 3 when certain services or connectivity don’t exist). This learning style seems more informative than just hitting students with the standard code pattern for opening a socket in C or Java. We tried to apply this principle (along with some other Hacker Curriculum principles) to other areas of the craft, including hands-on exercises with Web application vulnerabilities, disassembling various pieces of shellcode, and analyzing the detritus of a real intrusion.

SISMAT is always a lot of fun, and this year we had a great group of lively and talented students who are now well on their way to becoming (ethical) hackers. So far we’ve had 23 students go through the program, and we’ve had about a dozen faculty mentors from these students’ home institutions. We’re in the process of tracing how their projects and future careers have gone.

With severely limited funding for innovative cybersecurity education programs, we’re happy to do our part in fulfilling the need for well-educated information assurance professionals (and we’re grateful to the organizations that have funded us so far). It’s too bad that the prevailing opinion is that nothing fundamental or innovative could possibly happen in the education space: basic research into techniques, mechanisms, and systems is valued much more than actually producing well-educated cybersecurity professionals.


Academic Freedom

From the University of Calgary’s “Procedures Pertaining to Appointment, Promotion, and Tenure of Academic Staff”:

Academic freedom is the right of academic appointees to examine, to question, to teach, to learn, to investigate, to speculate, to comment, to criticize, to write, to publish and the like, freely, without pressure, direct or indirect, to conform to or defer to prescribed doctrines.


Installing Boot Camp

I recently installed Boot Camp and Microsoft Windows XP SP3 on my MacBook Pro.

While this was mostly straightforward, the process got complicated because I did not have my Leopard installation DVD with me, and the cost of traveling to it…well, you can guess. Not worth it.

The lack of the DVD is crucial because it contains the Windows XP drivers for the Mac-specific hardware. Fortunately, this page:

http://support.apple.com/kb/HT1999

helped me run down what drivers I needed (mostly the Realtek sound driver). I got an updated NVIDIA driver from the Apple web site, so the laptop, when booted into Windows, is now able to display proper video and sound, which, along with an external keyboard and mouse, is what one needs for Windows-only video games. Network, trackpad, and other misc items are still not working. It has been a heck of a time, especially since the “updates” to Boot Camp that Apple has available:

http://support.apple.com/kb/DL967

and

http://support.apple.com/downloads/Boot_Camp_Update_2_1_for_Windows_Vista_32

don’t seem to run on Windows XP SP3 (a clean install from ISO, not an SP2 to SP3 upgrade).


Network Intrusion Recovery

Yesterday I gave a talk at the USENIX LISA conference about the difficulties involved in the process of recovering a network infrastructure from a large-scale intrusion.

Stories about post-mortem analysis of such incidents are rare. Here are a few links and pointers:

“Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack”

“Chronicle of a Server Break-In” (see the link to Paul’s actual postmortem)

Abe Singer. “Tempting Fate.” ;login:, Volume 30, No. 1, USENIX Association, November 2005. (grab a copy of ;login:)

Eugene H. Spafford. “The Internet Worm Program: An Analysis.”

Cliff Stoll. “The Cuckoo’s Egg.”

Bill Cheswick. “An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied.”


Crossing the Border

On my way back to Vancouver from CISSE, I ran into a border guard who asked me for proof, such as an airline itinerary, that I intended to leave Canada. Not having any such documentation (I ceased carrying printouts of my airline itineraries since I have never been asked for them), I could only assert that I had stable employment in the US and no long-term plans to remain in Canada. At this point, we were at an impasse, since he had no way to verify my intent, and I had no ready way to prove it to him. His worry was obvious: I am one of those people who are highly mobile, with almost no fixed address or infrastructure holding me to a particular country or location.

Even if they were to pull me into secondary screening and look at the electronic copies of my itinerary, my intent could simply have been to abandon my ticket home. My point is this: short of some in-depth interview, no paper can prove what my intent might be.

This incident highlights just how difficult border access control can be: guards are tasked with divining the intent of visitors, travelers, and citizens. Intent is a complex, multi-layered thing with an important temporal component. Border guards must try to understand both long-term and short-term intent as well as any potential security threat or otherwise illegal status. In the course of a one-minute conversation, they tend to do this fairly well (from my perspective: I have never been refused entry or even pulled into secondary screening in either direction).

In any event, the guard let me go with a strong admonition to carry such proof in the future and make their job easier. But now that the Western Hemisphere Travel Initiative is in full force (i.e., passports required for even land travelers), will border guards be forced to turn more to other secondary documentation to prove intent? How reliable is this documentation at predicting, conveying, or verifying intent?

Might their job previously have been made easier by the diverse array of identification material presented before WHTI (keeping in mind that identification has little to do with intent)? Now that everyone presents a passport, that identity “feature” is more homogeneous, and thus carries less information about the person holding it. At the end of the day, allowing someone into a country is ultimately a trust decision.
