Showing posts with label security. Show all posts

2010-12-19

Where's the Head of Security?

I had a nice chat with a gentleman in the know this evening about WikiLeaks. Since he was speaking to me as a private person and not in an official capacity, he shall remain nameless. He brought up the issue that has been bothering him since this whole thing broke:

Why was it possible to obtain this much data - much of it marked secret - without someone knowing?

Who was (still is? I would imagine this person assigned to latrine detail in the meantime) head of security at the State Department? They have themselves a "Bureau of Diplomatic Security". Isn't it their job to keep an eye on the data floating around and the people with access to it? They have all this theater about having to have security clearances in order to see certain documents.

Of course, I've always thought it was a farce ever since doing my doctorate. There were papers that I wanted to read that pertained to my dissertation, but they could not be sent outside the United States and could only be read by a US citizen. Since I was at that time still a US citizen, I flew over, read the documents, and took lots of notes.

Oh, wait - they apparently didn't have anyone assigned to computer security. Look at this job announcement:

DS To Recruit Security Protective Specialists
On Monday, December 21, 2010, Diplomatic Security will open the position of Security Protective Specialist. The application period will close Thursday, January 20, 2011. Interested individuals may access the announcement through www.usajobs.gov.
Apparently, Eric J Boswell is still the head of security. If I were Hillary Clinton, I would have had his head on a plate the day after WikiLeaks broke. Why are the commentators in the US not demanding that Something Be Done about the computer security up at State?

Oh, maybe this is why:
Ambassador Boswell earned a Bachelor of Arts degree from Stanford University, and served in the U.S. Army. He speaks French.
Does Stanford offer computer science degrees as a B.A.? I realize that security is more than just computers, but it would be useful if the guys at the top actually understood computers.

The gentleman and I pondered the state of computer security at weapons sites around the globe. This sent a shiver down both of our spines, so we called it an evening, wished each other a Merry Christmas and went out into the cold and snow.

2010-12-17

The Gun

Two weeks ago during one of our "terror warnings" I had an unexpected free morning. I got some things sorted out, and on my way to an afternoon meeting I treated myself to lunch at Salomon's Bagels. I love bagels, and there is a great little bagel store next to the Jewish bookstore in the Joachimsthaler Str.

The bookstore usually has a policeman standing outside, guarding it, and this day was no exception. Except that the policeman had a machine gun slung over his shoulder, and it was pointing straight ahead. And the policeman was not paying attention to anything other than his mobile phone.

I found this very, very strange, and was lucky to be able to pass behind him on the way into the bagel store. I had a lovely lunch, but on the way out, the policeman was still there, the machine gun still pointing straight ahead. He wasn't texting any more, but he had his back to the wall, so I had to pass in front of the mouth of the gun to pass him.

I thought about speaking to him, as a gun which is not in use is to be kept pointed to the ground - WiseKid, now experienced in the ways of the military, explained this to me later. But I decided that discussing anything with someone pointing a gun at me was not really a great idea. I gave the guy a wide berth, kept my eyes on the mouth of the gun, and passed as quickly as I could.

When I got home, I got mad, and wrote a complaint at the online police station. Today a woman called and apologized profusely. She said that the policeman had been called to a discussion with his boss and had reviewed with him the proper way to hold a gun and that he can only use a telephone for police business, not for personal business. I explained again that as a citizen of a free country that is not at war, that I do not want to have guns pointed at me by police. She agreed, and apologized another few times. They didn't want to write me a letter, but prefer the personal touch.

Well, okay. A letter would have been nice, but I really am surprised that my online letter had consequences. I rather expected it to be piped to /dev/null. Now if we could just get them to tone down the security theater ...

2010-03-20

Paranoland

annalist, a German-language blog that discusses so-called "security", among other things, links to a disturbing film that was shown on arte: Paranoland. If you understand French or read German, have a look. The passion for "security" has led to 89 taxis being blown up by police for security reasons in 2008. There have been questions about the source for this number; I'd love to see the source, too.

2010-01-16

The Potemkin Airport

I haven't seen this on any English-language news, so I am translating and referencing it here, so that perhaps the one or the other might pick it up.

You have probably heard about a Potemkin village: mock towns built up along the Dnieper river in order to impress the Russian Empress Catharine II during an inspection visit.

Well, airport security has been called "security theater" by many, including Bruce Schneier. The German hackers' organization Chaos Computer Club (CCC) has demonstrated that airport security is not just theater, but in many places just a facade, put up to impress the traveling public.

While the poor people paying for transport are queuing up to have their underwear inspected and to dispose of their liquids purchased outside on the free market, the determined terrorist just has to invest about 200 Euros and walk around and use the side entrance.

Spiegel Online reporter Matthias Kremp reports on this simple hack in January 2010, as demonstrated on the public TV show Kontraste (ARD) (the 6:30 minute video by Matthias Deiß is available at this link, in German).

Entrance to the security areas is organized by an RFID chip-based challenge-response system. Personnel with a security clearance have an ID card that many wear on a lanyard around their necks. When they pass a guarded entrance point, an electromagnetic challenge is sent to the card, and the card responds.

Two CCC members purchased an RFID kit and set it up so that it can query an ID card. The card responds, and the kit records the response. The kit (which fits nicely into a pocket) can then be switched to respond mode, and when it passes a control point, the recorded response is replayed and the door opens.

The recorder must get within 70 cm of the card in order to record, but in a crowded airport it is easy to bump into someone on purpose and make it look like an accident.

The hackers alerted the airport security people, as they were not out to blow up airplanes, but had been interested in a security puzzle. As one of the men says on camera, they were shocked that it was so easy. Did security start insisting that people keep a one meter distance from all people with security clearances? Did they beef up security? No. They did nothing.

Exasperated, they turned to Kontraste, an investigative, publicly funded TV show which (apart from series like Tatort) is the only reason I am still willing to pay my TV tax without too much grumbling. Kontraste loves this kind of story. They demonstrated how easy it is to enter the building on film.

Then they contacted airport security, who were not willing to talk to them. By email they answered "for security reasons we will not be giving any additional information". Aha. Security by obscurity.

The system used for security is from the Swiss company Legic Identsystems and is called Legic Prime. From their online presentation:

LEGIC prime is widely used in access control related applications such as multiapplication company cards, in large-scale ticketing projects or in the leisure industry. Easier organisational processes and to increase the convenience are thereby the main focus.
Um, leisure industry? Convenience? I thought airports were focused on security! Kontraste quickly determined that not only did the Hamburg airport use this system, Stuttgart, Dresden, Hanover, and Berlin also use it. But they were all unwilling to make public statements. You see, it used "encryption", and that makes it secure. It also has "key management". Wooooo.

The gentlemen from CCC demur. No, they didn't find any trace of encryption, not even ROT13. So Kontraste headed down to the Swiss headquarters to try and get a statement on camera, but were rebuffed. However, their efforts did effect a change on the web page. Instead of "high security" this system now offers "basic security".

A speaker for the police union was quite willing to go on camera and demand that someone DO SOMETHING RIGHT NOW. They are the ones who have to put their lives on the line when some terrorist decides to start something. But of course, Hamburg alone would have to exchange 15,000 cards and numerous transponders; the cards run about 10 € apiece. At least, according to the web page, they could upgrade to Legic advant, which has

  • Advanced security
        • AES 128/256 bit / DES / 3DES encryption
        • Mutual authentication between reader and transponder
        • Diversified authentication and data encryption
  • Physical Master-Token System Control and Automatic Key Management
Well, then let's get going. Or else one has to wonder what the point of all the security theater for the paying patrons is about.
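To make concrete why one recorded reply opens the door in the system described above, and what the "mutual authentication between reader and transponder" item in the Legic advant list actually changes, here is an added simulation. It is my own illustration for this post, not CCC's code and not the Legic protocol (whose real message format the report does not give); it models an abstract card, reader and pocket recorder in Python, and all ids, keys and replies are constructed values.

```python
"""Static-reply token versus nonce-based mutual authentication (toy model).

Hypothetical abstraction written for illustration; it is not the Legic
protocol. Ids, keys and fixed replies below are constructed sample values.
"""
import hashlib
import hmac
import secrets


# --- Model 1: a token whose reply never depends on the challenge ------------

class StaticToken:
    """Answers every query with the same bytes, so one capture is enough."""

    def __init__(self, token_id: bytes, fixed_reply: bytes):
        self.token_id = token_id
        self.fixed_reply = fixed_reply

    def respond(self, challenge: bytes) -> tuple[bytes, bytes]:
        return self.token_id, self.fixed_reply  # challenge is ignored


class RecordedReply:
    """What a pocket recorder holds after observing a single exchange."""

    def __init__(self, observed: tuple[bytes, bytes]):
        self.observed = observed

    def respond(self, challenge: bytes) -> tuple[bytes, bytes]:
        return self.observed  # replayed verbatim, whatever the challenge


class StaticReader:
    """Door controller that compares the reply against an enrolment table."""

    def __init__(self, enrolled: dict[bytes, bytes]):
        self.enrolled = enrolled

    def admit(self, token) -> bool:
        token_id, reply = token.respond(secrets.token_bytes(8))
        return hmac.compare_digest(reply, self.enrolled.get(token_id, b""))


# --- Model 2: fresh nonces plus a keyed MAC in both directions ---------------

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class MutualAuthToken:
    """Holds a per-token secret; each reply binds the reader's fresh nonce."""

    def __init__(self, token_id: bytes, key: bytes):
        self.token_id = token_id
        self.key = key

    def respond(self, reader_nonce: bytes) -> tuple[bytes, bytes, bytes]:
        token_nonce = secrets.token_bytes(16)
        tag = _mac(self.key, b"token", reader_nonce, token_nonce)
        return self.token_id, token_nonce, tag

    def verify_reader(self, reader_nonce, token_nonce, reader_tag) -> bool:
        expected = _mac(self.key, b"reader", token_nonce, reader_nonce)
        return hmac.compare_digest(expected, reader_tag)


class RecordedTranscript:
    """Recorder holding one observed (token_id, token_nonce, tag) reply."""

    def __init__(self, observed: tuple[bytes, bytes, bytes]):
        self.observed = observed

    def respond(self, reader_nonce: bytes) -> tuple[bytes, bytes, bytes]:
        return self.observed  # tag was computed over an old reader nonce

    def verify_reader(self, *_) -> bool:
        return True  # irrelevant: the door decides before this step


class MutualAuthReader:
    def __init__(self, keys: dict[bytes, bytes]):
        self.keys = keys  # token_id -> diversified per-token key

    def admit(self, token) -> bool:
        reader_nonce = secrets.token_bytes(16)
        token_id, token_nonce, tag = token.respond(reader_nonce)
        key = self.keys.get(token_id)
        if key is None:
            return False
        if not hmac.compare_digest(_mac(key, b"token", reader_nonce, token_nonce), tag):
            return False  # stale or forged reply: wrong reader nonce
        reader_tag = _mac(key, b"reader", token_nonce, reader_nonce)
        return token.verify_reader(reader_nonce, token_nonce, reader_tag)


def demo_static() -> tuple[bool, bool]:
    """Returns (genuine card admitted, recorded reply admitted)."""
    card = StaticToken(b"card-0042", bytes.fromhex("a1b2c3d4"))  # constructed
    door = StaticReader({card.token_id: card.fixed_reply})
    recorder = RecordedReply(card.respond(b"bump"))  # captured within range
    return door.admit(card), door.admit(recorder)


def demo_mutual() -> tuple[bool, bool]:
    """Returns (genuine card admitted, recorded transcript admitted)."""
    key = secrets.token_bytes(32)
    card = MutualAuthToken(b"card-0042", key)
    door = MutualAuthReader({card.token_id: key})
    recorder = RecordedTranscript(card.respond(secrets.token_bytes(16)))
    return door.admit(card), door.admit(recorder)


if __name__ == "__main__":
    print("static reply:  genuine=%s replay=%s" % demo_static())
    print("mutual auth:   genuine=%s replay=%s" % demo_mutual())
```

The first model admits the recorder because nothing in the reply is tied to the moment of the query; the second rejects it because the tag covers a nonce the reader only just generated, and the reader in turn proves knowledge of the key to the card. Keeping people a metre apart, as the post asks, would only shrink the capture window; binding each reply to a fresh challenge removes it.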

2009-12-09

Security by .... Fruit Box

I went down to the hotel lobby to use the free computer to read the news last night. Underneath the desk was a green fruit box.

Curious person that I am, I lifted the box. What a surprise! Here was the router with free connections, and the IP number of the router helpfully taped to the front of the box.