Your iPhone is very "loud", disclosing not only its own identity (as an iPhone), but also your identity as well. I thought I'd list the various things it discloses.
Monday, November 29, 2010
Friday, November 26, 2010
TSA: you can't make this stuff up
It's unjust to call the TSA "Nazis" or "little Stalins". It gives too much credit to the TSA, and trivializes the horrors of totalitarianism.
Yet, sometimes, it's hard to avoid the comparison.
An example is the photo the TSA blog posted yesterday to prove that not only did the "Opt Out Day" protest fail, people in fact love the TSA.
The obvious analogy is the following picture from the Soviet era. It shows a caring "Papa Stalin" holding a happy girl (Gelya Markizova):
Soon after this picture, Stalin had her father shot and her mother murdered. The party continued to use this photo for many years afterward to show how everyone loved Stalin.
Propaganda pictures of adoring children just reaffirm the notion that the TSA is totalitarian.
Postscript
Note the irony. I was detained for taking pictures in the security area on Nov. 23, while this guy (Randy Bonhaus, the father of the girls) was encouraged to take pictures. If I were breaking the law, as the TSA claimed, then so was Randy.
Also note the obvious security weakness. If you are a terrorist conducting surveillance, just bring two girls holding a "We Love the TSA" sign. You'll be able to take as many pictures as needed to find a weakness in the security. (This was one of the many reasons the TSA gave for why I couldn't take pictures -- because I might be a terrorist looking for weaknesses.)
Tuesday, November 23, 2010
I was just detained by the TSA
Today, I was detained by the TSA for about 30 minutes for taking pictures while going through security. Taking pictures is perfectly legal.
I took pictures of the "advanced imaging" machines that see through your clothes – the machines that are the subject of so much controversy lately. I was quickly besieged by TSA agents shouting at me to stop taking pictures. I was then detained while they tried to figure out what to do with me.
I should point out that (as far as I know), taking pictures is perfectly acceptable. The following is a section of the 2008 TSA Screening Manual:
2.7. PHOTOGRAPHING, VIDEOTAPING, AND FILMING SCREENING LOCATIONS
A. TSA does not prohibit the public, passengers, or press from photographing, videotaping, or filming screening locations unless the activity interferes with a TSO’s ability to perform his or her duties or prevents the orderly flow of individuals through the screening location. Requests by commercial entities to photograph an airport screening location must be forwarded to TSA’s Office of Strategic Communications and Public Affairs. Photographing EDS or ETD monitor screens or emitted images is not permitted.
B. TSA must not confiscate or destroy the photographic equipment or film of any person photographing the screening location.
I wasn’t trying to cause trouble. I frequently take pictures of the screening area when I pass through airports. I work in the (cyber) security industry, so I’m interested in such things. In this case, I saw something I wanted to photograph and blog about (which I describe at the bottom).
Some sort of manager (old grizzled guy) was summoned to deal with me. He was dressed like the rest in a blue TSA shirt, but must’ve been one level more senior than the TSA employees who were shouting at me to stop photographing.
The old guy, with a couple other agents, escorted me through the normal process of putting my bags through the x-ray and going through the "advanced imaging" scanner. I was planning on asking to get groped instead, but I didn’t want to push it, so I meekly complied.
When I finally got through the machine, my computer and iPhone had been taken off the belt, and had been in the possession of the old guy for several minutes. He was holding them at a station at the far end of the conveyor belt.
I asked him to return my items and let me go. He said no, and told me that I was to take a seat while they called people to figure out what to do. Several agents surrounded me preventing me from leaving, while there was a buzz around the main desk as they called people.
Over the half hour, people kept arriving, and we’d go through the following script (these aren’t exact quotes, of course, just my impression of what happened):
TSA: Why are you taking pictures? What’s your motivation?
Me: I find it interesting, and I want to post the pictures to my blog.
TSA: You can’t take pictures in this area.
Me: Well, I read the TSA guidelines on the web a few months ago, and they clearly state that people can take pictures in this area.
TSA: You can’t take pictures in this area.
Me: Can you show me the rules that say that I cannot?
TSA: (Nodding over to the main desk) They are checking on that now.
Some added the following:
TSA: You have to show us your pictures and delete them.
Me: I’m not going to delete my pictures.
Others added:
TSA: Show us the pictures you took.
Me: If I unlock my phone, I want assurances that you will give me the chance to relock it before you take it from my control.
TSA: We can’t give you any promises.
Me: So I’m not going to unlock my phone.
One random question was:
Q: When is your flight?
A: 4:30 (in roughly two hours)
The implied issue was that if I didn’t comply with their demands, they could detain me long enough to miss my flight. On the flip side, they weren’t happy having to deal with me, which was disrupting their routine. They certainly weren’t going to be happy detaining me for 2 hours to make me miss my flight.
I tried to act nonchalant, as if I didn’t care about the time, but I certainly did. This is Thanksgiving, the flights are full, so it’s unlikely the airline would be able to book me on another flight. If I missed that flight, it would mean missing Thanksgiving. On the other hand, it would be a better blog if the TSA forced me to miss my flight for doing something that is perfectly legal. So I decided I was willing to miss my flight, making me as calm on the inside as I was trying to project on the outside.
Another discussion I heard between a TSA agent and a police officer was something about escorting me back out through security (i.e. denying me access). I didn’t actually talk to him. I feel stupid now; I should have pointed out to him that I felt I was being illegally detained by the TSA.
While sitting there, I was drawn into other conversations, like this one with a higher-level manager (she was dressed in a suit rather than a uniform):
TSA: Don’t you have normal operating procedures at your work?
Me: Yes
TSA: How would you like it if somebody came to your work and disrupted your procedures? How would you like it if people took pictures of you at your work?
Me: I don’t work for the government. Government agencies need to be accountable to the public, and therefore suffer disruptions like this.
TSA: Not all parts of the government are accountable to the public, especially the TSA.
Me: Wow. No, ALL parts of the government are accountable to the people, especially the TSA. I’m not sure what type of country you think we live in.
This made me angry. Up to this point, I was trying to project a calm, relaxed attitude. I don’t want to be like those hippy douche-bag activists that try to provoke the TSA with their passive-aggression or belligerence. I wanted to be the calm, relaxed, easy-going guy who, while standing for principle, was nice about everything else. At several points, I pointed out to the guards that I wasn’t upset, that I understood their job, that I supported their work, and that I was willing to comply with anything that didn’t infringe my rights.
The final guy was "Duty Manager Jerry Estes" (finally, I remembered somebody’s name). We went through the standard script. He then claimed that the reason photographs aren’t allowed is because of the controversy over the images taken by the "advanced imaging" machines, and that absolutely NO images are allowed of the people in the machines.
This was bogus, of course. It actually would be a valid reason if I had photographs of the console showing naked people, but that was locked away in a back room somewhere. My guess is that he was just looking for another excuse to see the pictures I had taken.
He offered a compromise: if I were to delete pictures of people inside machines, then he would allow me to keep the rest of the pictures. I agreed (I was getting bored, and truly, I didn’t have a lawyer, so I didn’t know how far I could push this). So we reviewed the pictures, and he forced me to delete one. That one didn’t show a person inside of a machine, just a person in front of a machine, but I didn’t argue – it’s nearly identical to another picture.
After that, they let me go as if nothing happened.
Why I took the pictures
The reason I took the pictures was to blog on a typical security issue that, in the industry, is called "security theatre". Screening techniques are chosen to make the public feel safe, not to stop terrorists.
The "advanced imaging" machines that see through clothing are a good example.
First of all, terrorists can get around them pretty easily, by either putting C4 in a body cavity or having it surgically implanted.
Secondly, terrorists are not deterred by "random selection". The goal of the terrorist is to blow themselves up. Getting caught means not dying, but still has a (lesser) terror effect because people will get scared from the attempt. It’s a win-win for them.
Sure, random selection will deter us from bringing contraband (like nail clippers [well, allowed now]) onto a plane, but I doubt it’s a big deterrent to a suicide bomber.
So, I wanted a picture of the L3 Provision machine in order to include with my blog describing this.
Here are all the pictures I took, minus the one I was forced to delete.
Postscript
According to (right-wing conspiracy theory) http://canadafreepress.com/index.php/article/30286, the Obama administration is labeling people like me a "domestic extremist". Ok, I'm being a bit melodramatic here, I believe in accountability and am not trying to protest the security measures, but I'm not sure that law enforcement can understand the difference (especially since this post has been linked from posts labeled Resources for National Opt Out Day).
Ken Murray points out this link of TSA jokes http://www.examiner.com/movie-in-boston/tsa-tsa-tsa-oh-lord-almighty-tsa.
@eileenludwig points to TSA's own blog post clarifying that I can take pictures http://www.tsa.gov/blog/2009/03/can-i-take-photos-at-checkpoint-and.html.
My ornery curmudgeon of a father makes the recommendation that I look at their tag and speak to them using their names. It's easy for them to hide behind the character of a faceless bureaucrat when you don't know their name. But when you make it clear you know their name, they are more likely to fear that they will be held accountable for their actions. Intimidating as all hell.
Hey, I just remembered. I don't remember them looking at my identification (other than the normal check further back in line). I think the incident will be attributed to "annoying passenger" rather than "Robert Graham".
Here is another guy detained for taking pictures http://boardingarea.com/blogs/flyingwithfish/2010/11/17/so%E2%80%A6i-got-detained-by-the-tsa-at-the-airport-today/. He points out that video cameras probably recorded the entire incident.
Apparently, I could have called TSA public affairs at (571) 227-2829, and they would have told the TSA agents that yes, I can take photos.
Here is how senile hackers work:
- Google for how to recover deleted images on an iPhone.
- Google harder
- Google "iPhone undelete"
- Find page that says to start by jailbreaking phone
- Doh! Phone already jailbroken many months ago.
- "It's a UNIX system! I know this!"
- ssh to iPhone (no, the password isn't alpine).
- Robs-iPhone:~ root# dd if=/dev/disk0 | ssh root@192.168.1.2 'dd of=/tmp/dump.dmg'
- (wait 3 hours to transfer the 8-gig iPhone image across a slow 802.11b 11 Mbps network)
- Ran PhotoRec on the iPhone disk image; wasn't able to recover the image (or any thumbnails)
- ...hunting for other recovery software to run on the image...
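Added example, not code from the original post: a minimal PhotoRec-style JPEG carver of the kind one runs over the dump.dmg produced by the dd pipeline above. It recovers photos from a raw disk image by walking the JPEG marker structure instead of grabbing everything between the first FFD8 and the next FFD9, so an EXIF thumbnail embedded in a photo does not truncate the result. The sample disk image, the 67-byte sample JPEG and the output file names are constructed for illustration.

```python
"""
Added example, not code from the original post: a minimal PhotoRec-style
JPEG carver. It recovers photos from a raw disk image by walking the JPEG
marker structure rather than grabbing everything between the first FFD8 and
the next FFD9, so an EXIF thumbnail embedded in a photo does not truncate
the result. The sample disk image below is constructed in-line.
"""
import mmap
import struct
import sys

SOI = b"\xff\xd8\xff"        # Start Of Image, followed by the first marker byte
EOI = b"\xff\xd9"            # End Of Image
MAX_JPEG = 32 * 1024 * 1024  # give up on a candidate longer than this


def jpeg_length(image, start, max_size=MAX_JPEG):
    """Length of the JPEG starting at `start`, or None if it is not a complete
    picture (no scan data, or the EOI is missing because blocks were reused)."""
    limit = min(len(image), start + max_size)
    pos = start + 2                          # skip FF D8
    while pos + 4 <= limit:
        if image[pos] != 0xFF:
            return None                      # lost sync: this is not a marker
        marker = image[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI before any scan data: not a picture
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", image[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len                   # skip the whole segment (thumbnails included)
        if marker != 0xDA:
            continue                         # next segment header follows
        # SOS: entropy-coded data runs until a marker other than FF00 (stuffing)
        # or FFD0-FFD7 (restart). FFD9 ends the file; anything else is a new segment.
        while pos + 1 < limit:
            if image[pos] == 0xFF:
                nxt = image[pos + 1]
                if nxt == 0xD9:
                    return pos + 2 - start
                if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
            pos += 1
        else:
            return None                      # ran off the end without an EOI
    return None


def carve_jpegs(image, max_size=MAX_JPEG):
    """Return [(offset, data), ...] for every complete JPEG found in `image`."""
    found, pos = [], 0
    while (start := image.find(SOI, pos)) >= 0:
        length = jpeg_length(image, start, max_size)
        if length:
            found.append((start, image[start:start + length]))
            pos = start + length
        else:
            pos = start + 1                  # false start or damaged file: keep scanning
    return found


def naive_carve(image):
    """Header-to-trailer carving, shown for contrast: it stops at the first FFD9,
    even one inside an embedded thumbnail, and so returns truncated files."""
    found, pos = [], 0
    while (start := image.find(SOI, pos)) >= 0:
        end = image.find(EOI, start + len(SOI))
        if end < 0:
            break
        found.append((start, image[start:end + 2]))
        pos = end + 2
    return found


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid (if meaningless) 67-byte JPEG whose
# EXIF segment embeds a tiny thumbnail carrying its own SOI/EOI markers.
THUMBNAIL = b"\xff\xd8\xff\xd9"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0
    + _segment(0xE1, b"Exif\x00\x00" + THUMBNAIL)                        # APP1 with thumbnail
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")            # SOF0: 8x8 greyscale
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                        # SOS
    + b"\x12\xff\x00\x34\xff\xd0\x56\x78"                                # scan data: FF00 stuffing, RST0
    + EOI
)
FILLER = b"\x00" * 4096
# Constructed disk image: one intact deleted photo, then one whose tail was overwritten.
SAMPLE_IMAGE = FILLER + SAMPLE_JPEG + FILLER + SAMPLE_JPEG[:-6] + FILLER

if __name__ == "__main__":
    if len(sys.argv) == 2:                   # python carve.py dump.dmg
        with open(sys.argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as img:
            for off, blob in carve_jpegs(img):
                with open(f"recovered_{off:#x}.jpg", "wb") as out:
                    out.write(blob)
                print(f"recovered {len(blob)} bytes at offset {off:#x}")
    else:
        print(len(carve_jpegs(SAMPLE_IMAGE)), "complete JPEG(s) in the sample image")
```

Run it as `python carve.py dump.dmg` to write one `recovered_<offset>.jpg` per complete photo; the image is memory-mapped, so an 8 GB dump is not read into RAM. The failure the post ran into shows up in the sample as the second photo: its data blocks were reused, so the candidate has no EOI and `jpeg_length` rejects it. A real carver would also attempt partial recovery of such files, but no carver can bring back blocks that have already been overwritten.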
Monday, November 22, 2010
TSA caught lying
In one of their latest posts to their blog, the TSA (the guys in charge of US airport security) tries to clarify "myth or fact". They outright lie on some things, and spin others. The twisted logic they use in "debunking" these myths is precisely why we don't trust them.
Myth: "TSA Advanced Imaging Technology (AIT) images can be stored on the AIT machines located in our airports"
The TSA claims this is a myth. They debunk the myth by claiming "The machines used by TSA at our airports cannot store, print or transmit images. They simply don’t have that ability".
This is an outright lie. These machines are computers. All computers have the ability to store and transmit images -- the only question is the extent of this ability.
The TSA makes this claim because the software doesn't have a button on its user interface like "e-mail image to friend". But that doesn't mean these machines do not have the ability. Most of these machines are Windows computers connected to a network. When the operator sees a particularly interesting image, he might be able to hit alt-tab, open a command prompt, go to the directory where the images are temporarily saved, then FTP the image up to an Internet server.
Or, maybe there is a webserver on the machine, with a vulnerability that would allow hackers to log in and grab the images as they are stored to a temporary directory.
The funniest part of this is that the device always transmits images. The scanner is located at the checkpoint, while the operator is in a room in another part of the airport. The images are transmitted from one point to the other. Another way they can leak out is if somebody taps that line and records the images as they are transmitted.
This situation is similar to the "Carnivore" controversy 10 years ago. Carnivore was a device used by law enforcement to eavesdrop on network traffic. Janet Reno, the Attorney General of the United States, gave a speech where she promised it did not have an Echelon-style "keyword search" feature.
Except it did. She lied. The truth is that it had a feature for searching for keywords that was intended for a specific problem (such as searching HTTP URLs for a username specified in a warrant). However, the feature could easily be used for generic keyword searching. Thus the "lie" was that the FBI didn't intend to use the system for keyword searching, and therefore, it couldn't be done -- when in fact it could easily be done.
So yes, while it's true that these backscatter systems are not designed to transmit or record images, the ability to do so is an inherent property of computers, and a big danger to our privacy. When the TSA denies this, they are lying.
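The point above is that a networked computer can send its images anywhere its network lets it, whatever its user interface shows. The corresponding defender's check is not "does the software have a send button" but "what did the console actually talk to". As an added example (not from the post, the TSA or any vendor), here is an egress audit over constructed flow-log lines; the console address, the viewing-station subnet, the allowed port, the log format and every log line are assumptions made up for illustration.

```python
"""
Added example (not from the post): an egress audit for a scanner console.
Addresses, ports, log format and all log lines are constructed.
"""
import ipaddress
import re

# Constructed policy: the console may only talk to the viewing-station subnet
# on one port. Any other outbound flow from it is worth a look.
SCANNER_CONSOLE = ipaddress.ip_address("10.50.1.20")
VIEWING_STATION_NET = ipaddress.ip_network("10.50.2.0/24")
ALLOWED_PORTS = {8443}
LARGE_TRANSFER_BYTES = 1_000_000          # roughly "an image or more"

# Constructed flow-record format: key=value fields after a timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed flow record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "proto": m["proto"],
            "bytes": int(m["bytes"]),
        }
    except ValueError:                    # malformed address
        return None


def check_flow(rec: dict) -> list:
    """List the policy problems with one flow from the console ([] if it is fine)."""
    problems = []
    if rec["dst"] not in VIEWING_STATION_NET:
        problems.append(f"destination {rec['dst']} is outside the viewing-station network")
    if rec["dport"] not in ALLOWED_PORTS:
        problems.append(f"port {rec['dport']}/{rec['proto']} is not on the allow-list")
    if problems and rec["bytes"] >= LARGE_TRANSFER_BYTES:
        problems.append(f"large transfer ({rec['bytes']} bytes): image-sized")
    return problems


def audit(log_text: str) -> list:
    """Return (timestamp, destination, port, problems) for every policy-violating
    flow that originated from the scanner console. Flows from other hosts and
    unparsable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] != SCANNER_CONSOLE:
            continue
        problems = check_flow(rec)
        if problems:
            findings.append((rec["ts"], str(rec["dst"]), rec["dport"], problems))
    return findings


# Constructed sample log. 203.0.113.9 and 192.0.2.53 are documentation addresses
# standing in for "somewhere on the Internet".
SAMPLE_LOG = """\
2010-11-22 14:03:11 src=10.50.1.20 dst=10.50.2.5 dport=8443 proto=tcp bytes=2100000
2010-11-22 14:03:40 src=10.50.3.7 dst=10.50.2.5 dport=8443 proto=tcp bytes=900
2010-11-22 14:05:02 src=10.50.1.20 dst=203.0.113.9 dport=21 proto=tcp bytes=1800000
2010-11-22 14:05:30 src=10.50.1.20 dst=10.50.2.5 dport=445 proto=tcp bytes=4000
2010-11-22 14:06:12 src=10.50.1.20 dst=192.0.2.53 dport=53 proto=udp bytes=120
this line is not a flow record
"""

if __name__ == "__main__":
    for ts, dst, dport, problems in audit(SAMPLE_LOG):
        print(f"{ts} -> {dst}:{dport}")
        for p in problems:
            print(f"    {p}")
```

On the sample log the audit flags the image-sized FTP transfer to an Internet address, a connection to the viewing station on a port outside the allow-list, and an outbound DNS query, while ignoring traffic from other hosts. Note what it cannot see: a tap on the link between checkpoint and viewing room leaves no trace in the console's own flow records, which is why the transport itself needs to be encrypted and authenticated rather than merely monitored.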
Myth: AIT is not safe.
The TSA is actually right. Some of these systems (the L3 Provision used at my local airport) use microwave radiation. These are just as safe as your local WiFi access point or your cellphone.
Other systems (like the Rapiscan device) use low amounts of x-rays. Unlike microwaves, x-rays are dangerous: they can unravel your DNA and cause cancer. However, as the TSA says, the amount of radiation you get from these is less than the amount you'll get from cosmic rays during your flight (planes fly above 75% of the atmosphere, so you get a higher dose of x-ray radiation from cosmic rays that would otherwise be blocked by the atmosphere).
Or so they say. The reality is that you are comparing apples to oranges. It depends upon how you measure radiation dose and the risks. They don't look dangerous to me, but then, I haven't looked at them closely. If it's "perfectly safe", then have TSA employees go through the system every day when they come to work (rather than the current system, which exempts TSA workers from having to go through the system).
The issue here isn't so much about whether they are "safe" or "dangerous", but transparency. The TSA doesn't give us the information we could use to evaluate the danger ourselves, but instead insists that we "trust authority". Our country is founded on certain principles, one of which is that we question authority. I've searched the TSA site, the manufacturer site, and googled the entire Internet, and I still can't find any technical information on these devices.
That needs to change before we can trust the safety of these devices.
Myth: Everyone who travels will receive a pat-down.
Myth: Everybody who travels must undergo AIT screening.
I laughed out loud at this, because while either is technically optional, you must choose one or the other. Travelers must either let the TSA "touch their junk" or "view them naked".
Napolitano used this same twisted logic in this interview, where reporters forced her to be more specific when she claimed these things were "optional".
Myth: The TSA pat-down is invasive
The last time I got a pat down, the TSA agent got his hand right up into my junk. I'm not sure if it's possible to be more invasive and still be outside my body. I suppose the TSA thinks "we aren't giving you deep body cavity searches, so you should be grateful".
But what I find interesting is the way the TSA debunks this myth. They don't debunk it by saying "it's not invasive", they debunk it by saying "it's necessary". That is logic that only a twisted government bureaucrat could come up with.
Myth: There has been an overwhelming public outcry against AIT.
The TSA debunks this by pointing to a recent CBS News poll that found 4 in 5 support full-body airport scanners.
But that's the wrong statistic. It's made up of people who mostly don't fly. The "public outcry" is coming from frequent fliers, not couch potatoes sitting in front of their TV sets saying "somebody should do something about airline safety".
Again, this reflects the twisted logic of the TSA. They respond to the public outcry against this by saying "there is no public outcry".
The machines are (probably) safer than critics claim. However, the issue isn't so much safety, but the corrupt nature of the TSA.
First of all, they say "trust us, because we are the authority". This is false for two obvious reasons. The first is the fact that they lie and spin the information. The second is the basic principle that we should always question authority. Yes, that means question authority on the safety of these devices even though they look pretty darn safe.
Second of all, they say "we are doing it for your own good". That's not how our system works. Our government is "by the people". If the flying public wants these invasive procedures, then so be it. If government officials decide it's for our own good, that's tyranny.
Myth: "TSA Advanced Imaging Technology (AIT) images can be stored on the AIT machines located in our airports"
The TSA claims this is a myth. They debunk the myth by claiming "The machines used by TSA at our airports cannot store, print or transmit images. They simply don’t have that ability".
This is a outright lie. These machines are computers. All computers have the ability to store and transmit images -- the only question is the extent of this ability.
The TSA makes this claim because the software doesn't have a button on their user interface like "e-mail image to friend". But that doesn't mean these machines do not have the ability. Most of these machines are Windows computers connected to a network. When the operator sees a particularly interesting image, he might be able to hit alt-tab, open a command prompt, go to the directory where the images are temporarily saved, then FTP the imabe up to an Internet server.
Or, maybe there is a webserver on the machine, with a vulnereability that would allow hackers to log in and grab the images as they are stored to a temporary directory.
The funniest part of this is that the device always transmit images. The scanner is located at the checkpoint, the operator is in a room in another part of the airport. The images are transmitted from one point to another. Another way they can leak out is if somebody taps that line and records the images as they are transmitted.
This situation is similar to the "carnivore" controversy 10 years ago. These are devices used by law enforcement to eavesdrop on network traffic. Janet Reno, the Attorney General of the United States, gave a speach where she promised they did not have an Echelon-style "keyword search" feature.
Except they did. She lied. The truth is that they have a feature for searching for keywords that was intended to be used for a specific problem (such as search HTTP URL's for a username specified in warrant). However, the feature could easily be used for generic keyword searching. Thus the "lie" was that the FBI didn't intended to use the system for keyword searching, and therefore, it couldn't be done -- when in fact it could easily be done.
So yes, while it's true that these backscatter systems are not designed to transmit or record images, it's an inherent property of computers, and a big danger to our privacy. When the TSA denies this, they are lying.
Myth: AIT is not safe.
The TSA is actually right. Some of these systems (the L3 Provision used at my local airport) use microwave radiation. These are just as safe as your local WiFi access point or your cellphone.
Other systems (like the Rapiscan device) uses low amounts of x-rays. Unlike microwaves, x-rays are dangerous, can unravel your DNA and cause cancer. However, as the TSA says, the amount of radiation you get from these is less than the amount you'll get from cosmic rays during your flight (planes fly above 75% of the atmosphere, so you get a higher dose of x-ray radiation from cosmic rays that would otherwise be blocked by the atmosphere).
Or so they say. The reality is that you are comparing apples to oranges. It depends upon how you measure radiation dose and the risks. They don't look dangerous to me, but then, I haven't looked at them closely. If it's "perfectly safe", then have TSA employees go through the system every day when they come to work (rather than the current system, which exempts TSA workers from having to go through the system).
The issue here isn't so much about whether they are "safe" or "dangerous", but transparency. The TSA doesn't give us the information we could use to evaluate the danger ourselves, but instead insists that we "trust authority". Our country is founded on certain principles, one of which is that we question authority. I've searched the TSA site, the manufacturer site, and googled the entire Internet, and I still can't find any technical information on these devices.
That needs to change before we can trust the safety of these devices.
Myth: Everyone who travels will receive a pat-down.
Myth: Everybody who travels must undergo AIT screening.
I laughed out loud at this, because while either is technically optional, you must choose one or the other. Travelers must either let the TSA "touch their junk" or "view them naked".
Napolitano used this same twisted logic in this interview, where reporters forced her to be more specific when she claimed these things were "optional".
Myth: The TSA pat-down is invasive
The last time I got a pat down, the TSA agent got his hand right up into my junk. I'm not sure if it's possible to be more invasive and still be outside my body. I suppose the TSA thinks "we aren't giving you deep body cavity searches, so you should be grateful".
But what I find interesting is the way the TSA debunks this myth. They don't debunk it by saying "it's not invasive", they debunk it by saying "it's necessary". That is logic that only a twisted government bureaucrat could come up with.
Myth: There has been an overwhelming public outcry against AIT.
The TSA debunks this by pointing to a recent CBS News poll that found 4 in 5 support full-body airport scanners.
But that's the wrong statistic. It's made up of people who mostly don't fly. The "public outcry" is coming from frequent fliers, not couch potatoes sitting in front of their TV sets saying "somebody should do something about airline safety".
Again, this reflects the twisted logic of the TSA. Their response to the public outcry against this is to say "there is no public outcry".
Conclusion
The machines are (probably) safer than critics claim. However, the issue isn't so much safety, but the corrupt nature of the TSA.
First of all, they say "trust us, because we are the authority". This is false for two obvious reasons. The first is the fact that they lie and spin the information. The second is the basic principle that we should always question authority. Yes, that means question authority on the safety of these devices even though they look pretty darn safe.
Second of all, they say "we are doing it for your own good". That's not how our system works. Our government is "by the people". If the flying public wants these invasive procedures, then so be it. If instead government officials decide it's for our own good, that's tyranny.
Tuesday, November 02, 2010
Web 2.0 Report Card
George Ou over at Digital Society has created a "report card" for the various Web 2.0 services like webmail providers and Facebook.
Of the major webmail providers in the U.S., only Gmail is secure against sidejacking attacks. Yahoo Mail and HotMail are insecure, and can be compromised quickly. There are still a lot of HotMail users out there -- they are fools.
I talked to the people at Microsoft responsible for fixing this problem ALMOST THREE YEARS AGO. Yet, they've done nothing about fixing this huge hole. I just tried it out today -- while FireSheep looks a bit funky (it doesn't correctly show the user name), it easily hacks into HotMail accounts.
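The report card's sidejacking criterion boils down to one cookie attribute. As an added example (not code from the original post or from Digital Society's report card), this Python snippet audits constructed Set-Cookie headers and flags session cookies issued without the Secure attribute, which a browser will also send over plain HTTP where a sniffer such as FireSheep can copy and replay them; the session-cookie name heuristic is an assumption.

```python
# Added example (not from the original post or Digital Society's report card):
# a session cookie issued without the Secure attribute is also sent over plain
# HTTP, where anyone sniffing the network can copy and replay it, which is the
# sidejacking attack FireSheep automates. The sample headers are constructed.

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")  # assumption


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    """Heuristic: the cookie name suggests it carries the login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def sidejackable_cookies(set_cookie_headers):
    """Return names of session cookies the browser would send over plain HTTP."""
    exposed = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if looks_like_session_cookie(name) and "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed responses: the first mimics a site that logs you in over HTTPS
# but then hands out a session cookie usable over HTTP; the second sets Secure.
INSECURE_WEBMAIL = [
    "SESSIONID=abc123; Path=/; Domain=.example-mail.test",
    "prefs=lang%3Den; Path=/",
]
SECURE_WEBMAIL = ["SESSIONID=abc123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("insecure:", sidejackable_cookies(INSECURE_WEBMAIL))  # ['SESSIONID']
    print("secure:", sidejackable_cookies(SECURE_WEBMAIL))      # []
```

Run it against the Set-Cookie headers a real login response returns to see whether a site hands out a sidejackable session; a fix is to mark the cookie Secure and serve the whole session over HTTPS, which is what Gmail does.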
A discussion at SecTor on Rogue Secure Development
Last week I presented a new methodology for developing secure code called Rogue Secure Development (pdf). The talk was at SecTor in Toronto, and afterwards a lively discussion took place concerning the adoption of such a methodology. RSD is a 5-phase process that integrates with the traditional Waterfall SDLC and focuses on bare-bones resource requirements for SMBs. The question I put forth to the audience was:
If there is a process that requires minimal amounts of resources, saves money, and creates robust code, what will it take to increase adoption?
There were many answers, but they were all summed up succinctly in 4 options.
1. People are killed, and a lack of a secure coding methodology is directly to blame.
2. Companies go bankrupt, and a lack of a secure coding methodology is directly to blame.
3. A nuclear power plant has a catastrophic meltdown, and a lack of a secure coding methodology is directly to blame.
4. Compliance forces adoption.
I found these dramatic and macabre options disturbing, so I asked, "Is there no business case for secure coding? No cost saving analysis? No risk management prescription?" The consensus in the room was that my suggestions, while potentially possible, weren't going to persuade anybody to break from the status quo. Interestingly, the only factor that seemed to have complete persuasive power was Compliance. In this particular audience, the threat of fines was more of a motivating stick than I've ever seen previously.
In March 2010, Errata did a study asking people what reasons they had if they were not using a secure development lifecycle. By far the most popular answer was resource constraints. The 4 options above would imply that, at least according to security folks, the reason people do not adopt secure coding is because of some black and white risk assessment telling them they are not in danger. So, does this mean that the people in the study aren't being honest with themselves, or that security professionals are out of touch with the motives of the development shops?