It's sometimes hard to remember, but it wasn't that long ago that most carry-on's bypassed so much as an x-ray screening. Then came the obligatory laptop and shoe removal. And, eventually, the "drink 'em or lose 'em" rule, accompanied by the ever-perplexing debate over what constitutes a "liquid", and how many ounces of it you can carry through a TSA line.

(I once overheard a TSA agent explaining to a traveler that, "anything that can be liquefied is a liquid". I felt compelled to explain that, at the right temperature, the whole airplane could be liquefied--but kept my mouth shut, for fear of missing my flight.)

In recent months, some international travelers have been greeted with an indignity that makes the "patdown" look like a "fist-bump". In the past 10 months, over 1000 people had their laptop computers "detained" and subsequently searched. Most would assume that this was with probable cause, but, the DHS maintains that probable cause is not required for such a search.

What some might consider an electronic cavity search, became policy in 2008 when the Department of Homeland Security's U.S. Customs and Border Enforcement published their "Policy Regarding Border Search of Information" (July 16, 2008), which, among other things, allowed Custom's Agents broad discretion to detain "electronic devices, or copies thereof, for a reasonable period of time to perform a thorough border search." Though protocols were established for an "expeditious" response time by assisting agencies, no definition for "reasonable period" was provided.

The rationale cited for this policy, is described in its fourth paragraph, "Review of Information in the Course of Border Search":  "In the course of a border search, and absent individualized suspicion, officers can review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through, or reside in the United States..." While, in the past, this objective could be met with a visual inspection, computers, iPods, smart-phones, and the like, require complex procedures, software and hardware to preserve the integrity of the data being examined. Therefore, such a search is typically conducted in a laboratory setting, and not something that cannot likely be accomplished during even the longest of layovers.

The DHS provides the following definition of a "detention":

"A detention occurs when CBP or ICE determines that the devices need to be kept for further examination to determine if there is probable cause to seize as evidence of a crime and/or for forfeiture. This is a temporary detention of the device during an ongoing border search. Many factors may result in a detention, for example, time constraints due to connecting flights, the large volume of information to be examined, the need to use off-site tools and expertise during the search (e.g., an ICE forensic lab), or the need for translation or other specialized services to understand the information on the device. In a detention, CBP or ICE will keep either the original device (e.g., the laptop) or an exact duplicate copy of the information stored on the device, so as to allow the traveler to proceed with the original device. Once the border search has concluded, the device will be returned to the traveler unless there is probable cause to seize the device. Any copies of the information in the possession of CBP or ICE will be destroyed unless retention of the information is necessary for law enforcement purposes and appropriate within CBP or ICE Privacy Act systems of records."

Effectively, a "detention" is a seizure without probable cause, followed by an unwarranted search. Fortunately, the CBP has taken measures to assure that it only retains information from "detained" devices that are consistent with probable cause, as outlined in Section D:

"Absent probable cause, CBP may only retain documents relating to immigration matters, consistent with the privacy and data protection standards of the system in which such information is retained."

And,

"Except as noted in this section, if after reviewing information, there exists no probable cause to seize the information, CBP will retain no copies of the information."

Which should make passengers a little less uncomfortable, if not a little less violated--were it not for the following:

"Officers may encounter information in documents or electronic devices that is in a foreign language and/or encrypted. To assist CBP in determining the meaning of such information, CBP may seek translation and/or decryption assistance  from other Federal agencies or entities."

The FBI could, for example, aid in this circumstance. But:

At the conclusion of the requested assistance, all information must be returned to CBP as expeditiously as possible. In addition, the assisting Federal agency or entity must certify to CBP that all copies of the information transferred to that agency or entity have been
destroyed... In the event that any original documents or devices are transmitted, they must not be destroyed; they are to be returned to CBP unless seized based on probable cause by the assisting agency.

And that, of course, reads like an invitation to convert a random search without probable cause from one agency, into a "line of sight" search by another.

Now, more than a year later, come new rules intended to preserve passengers' rights and insure domestic tranquility. On August 20, 2009 DHS Secretary Janet Napolitano announced new directives said to "strike the balance between respecting the civil liberties and privacy of all travelers while ensuring DHS can take the lawful actions necessary to secure our borders."

Unfortunately, the new rules won't change much, other than the definition of "reasonable period". According to a "Privacy Impact Assessment for the
Border Searches of Electronic Devices", published by the DHS:

"For CBP, the detention of devices ordinarily should not exceed five (5) days, unless extenuating circumstances exist."

Devices may, however, be released to Immigration and Customs Enforcement Agents for further examination.

"As federal criminal investigators, ICE Special Agents are empowered to make investigative decisions based on the particular facts and circumstances of each case... The ICE Directive requires that Special Agents complete the border search of any detained electronic device or information in a reasonable time, but typically no longer than 30 days, depending on the facts and circumstances of the particular search. The length of detention depends on several factors, but primarily the amount of information requiring review and the format of that information, which can greatly affect the amount of time necessary to complete a search."

What about sensitive, say attorney-client privileged or classified materials?

"Officers may encounter materials that appear to be legal in nature, or an individual may assert that certain information is protected by attorney-client or attorney work product privilege. Legal materials are not necessarily exempt from a border search, but they may be subject to the following special handling procedures: If an Officer suspects that the content of such a material may constitute evidence of a crime or otherwise pertain to a determination within the jurisdiction of CBP, the Officer must seek advice from the CBP Associate/Assistant Chief Counsel before conducting a search of the material..."

Of course, one would anticipate that many lawyers might carry "evidence of a crime", or multiple crimes, on their laptops. Though, quite honestly, I doubt that this is the intention, the ambiguity should not be taken lightly.

Effectively, little has changed, except perhaps the use of FedEx and UPS by people who really have something to hide.

USCBP: Policy Regarding Border Search of Information (2008) U.S. Customs and Border Protection Policy Regarding Border Search of Information (July 16, 2008) size: 160.67KB added: 31/08/2009 popularity: 1

USCBP: Inspection of Electronic Devices (Tearsheet) U.S. Customs & Border Protection: "Inspection of Electronic Devices". size: 39.52KB added: 31/08/2009 popularity: 0

USCBP: Border Search of Information (2009) U.S. Customs & Border Protection: Border Search of Information (August 20, 2009) size: 4.87MB added: 31/08/2009 popularity: 1

Privacy Impact Assessment for the Border Searches of Electronic Devices (2009) Department of Homeland Security Privacy Impact Assessment for the Border Searches of Electronic Devices (August 25, 2009) size: 5.64MB added: 31/08/2009 popularity: 2

ICE: Border Searches of Electronic Devices (2009) Immigration and Customs Enforcement Policy for Border Searches of Electronic Devices (August 18, 2009) size: 452.57KB added: 31/08/2009 popularity: 0

TrueCrypt Real-time on-the-fly industry-recognized encryption of entire hard drive, portion, or removable media. (FREE / Peer-Reviewed / Multi-OS) size: added: 01/09/2009 popularity: 117

It looks like, for some, the stimulus package wasn't enough. In an ironic twist, the man often criticized for moving Trillions from the Federal Reserve Bank into the hands of failing corporations has had a far lesser sum removed from his personal bank account.

"Federal Reserve Chairman Ben Bernanke has been a victim of identity theft. His credit card company became suspicious when they noticed repeated purchases of large, failing American car companies."

- Conan O'Brien (Aired August 27, 2009)

Just days after President Obama announced Bernanke's renomination to the Federal Reserve, officials revealed that Fed Chairman Ben Bernanke was a victim of a wide-spread identity theft ring that used, "stolen personal identifying information, bank and bank record information, personal checks, and other access devices belonging to individual victims, to impersonate those victims at various bank branches throughout the country," according to the U.S. Attorney's Office.

"Identity theft is a serious crime that affects millions of Americans each year," Mr. Bernanke said through a Fed spokesman. "Our family was but one of 500 separate instances traced to one crime ring."

Though there's really nothing funny about identity theft, it just goes to prove that the problem is so pervasive that anyone can fall victim.

When searching a spreadsheet containing the drug test results of 104 professional baseball players federal prosecutors went too far, says the 9th U.S. Circuit Court of Appeals.

After lawfully executing a warrant on a Long Beach, CA drug testing lab for the test results of 10 players, agents uncovered a Microsoft Excel spreadsheet with results of every player that was tested in the program. The government argued that 94 of those results were in "plain sight".

In a 9-2 decision, the court ruled:

"The government should, in future warrant applications, forswear reliance on the plain view doctrine or any similar doctrine that would allow it to retain data to which it has gained access only because it was required to segregate seizable from non-seizable data. If the government doesn’t consent to such a waiver, the magistrate judge should order that the seizable and non-seizable data be separated by an independent third party under the supervision of the court, or deny the warrant altogether."

Citing US v. Hill, 322 F. Supp. 2d 1081 (C.D. Cal. 2004), Chief Judge Alex Kozinski, writing for the majority states the objective to,

"maintain the privacy of materials that are intermingled with seizable materials, and to avoid turning a limited search for particular information into a general search of office file systems and computer databases. If the government can’t be sure whether data may be concealed, compressed, erased or booby-trapped without carefully examining the contents of every file...then everything the government chooses to seize will, under this theory, automatically come into plain view. Since the government agents ultimately decide how much to actually take, this will create a powerful incentive for them to seize more rather than less: Why stop at the list of all baseball players when you can seize the entire Tracey Directory? Why just that directory and not the entire hard drive? Why just this computer and not the one in the next room and the next room after that? Can’t find the computer? Seize the Zip disks under the bed in the room where the computer once might have been."

Four players whose names also appeared in the seized spreadsheet were leaked to The New York Times. Alex Rodriguez, David Ortiz, Manny Ramirez and Sammie Sosa were not included in the search warrant, but Kozinski added, "those players suffered harm as a result of the government's seizure."

The decision crafts Miranda-style guidelines for prosecutors and judges to protect Fourth Amendment privacy rights while conducting computer searches.

I have participated in testimony to a similar effect, whereby courts have ruled that spouses cannot provide consent to search an entire hard drive when directories are clearly controlled by one individual. Likewise, I have been asked by the court, on many occasions to parse data applicable to a search warrant from a mountain of otherwise inadmissible data.

Although this decision only addresses computer hard drives, it clearly has long-reaching implications. After all, nearly every electronic device has become, or will become, computerized to some extent.

While the US government is considering its next move, I expect this may be a sign of things to come.

News Corp.'s (NWS) Rupert Murdoch is mad--perhaps literally and figuratively. Presumably, billions of dollars in losses will have that effect on a person. Not surprisingly, he's looking for ways to stop the bleeding--or, he's just looking for revenge. It's hard to tell.

First, he's ordered an end to the free ride. That means, no more free online news. Yes, FoxNews.com too.  (Hey, that's fair and balanced, right?)  Then, he negotiated with Amazon.com, a higher revenue share for Wall Street Journal electronic Kindle subscriptions. And, finally, he issued an ultimatum: Give us the names of Kindle subscribers, or we walk.

During his fiscal-year-end earnings call with analysts, Murdoch said, "...we don't get the names of the subscribers. Kindle treats them as their subscribers, not as ours, and I think that will eventually cause a break with us."

Murdoch also made it clear that News Corp had no intention of competing with the Kindle e-reader, but instead stressed the need for News Corp properties to "return to their old margins of profitability... Quality journalism is not cheap, and an industry that gives away its content is simply cannibalizing its ability to produce good reporting."

Still, Kindle subscribers have already been paying for the Wall Street Journal, despite the fact that The Wall Street Journal Online has been giving away the same content for free. But, apparently, Murdoch is willing to give up that revenue for what appears to be a turf-war over the ownership of personal subscriber data.

The whole fight begs the question: Do Kindle owners see themselves as Amazon subscribers or Wall Street Journal Subscribers, and--in the end--does it matter how they see themselves?

As for Murdoch's state of mind: Is he howling mad, or is he crazy like a Fox News Host? That remains to be seen. But, if he messes with Amazon subscribers, I pity the fool.

You know the saying: "Don't judge a book by its cover." The word "book" doesn't mean what it used to. Today, many people listen to books on their iPods, and read books on devices like the Amazon Kindle, and Sony Reader. Even Barnes & Noble announced this week that they're getting back into the game.

No surprise, Google would like their piece of the action as well. And, that's got the EFF concerned. Unlike traditional sources of literature, a person reading an e-book can unwittingly produce nearly as much information as they consume.

In some respects, reading an e-book could be analogous to buying a used college textbook, and reselling it after you're done. The previous owner might have highlighted important information and made some notes in the margins. As a second-hand-reader, you may even find these notations provide some valuable insight--not just into the book, but into it's previous owner as well. By the time you're ready to sell-back the book, you may have added even more notes and highlighted some additional paragraphs. Perhaps, making the book even more valuable to its next owner.

In much the same way, as an individual reads an electronic book, additional research--like online searches related to the subject matter, can be recorded on a server revealing significant insight into the mindset of the reader. Whereas, the process of reading involves a one-way flow of information, from the book to the brain, online, so much more occurs behind the scenes.

The biggest difference between the notations made on paper, and those recorded online, is that the online reader has no control over (or even knowledge of) what data is being observed, collected, preserved and cross-referenced, for how long, and with whom it is shared.

At this point, it's reasonable to note that Google, arguably, already controls the world's largest database with which to cross-reference your personal habits and interests.

You wouldn't, for example, likely volunteer every book or magazine you ever read in college to your next prospective employer (or your next date, for that matter). Sure, your résumé might say, "well read", but you're referring to Faulkner, not Hefner. Google, on the other hand, knows, not only what you searched for and read on it's Google Books web site, but also what pages you read. So, if you read the Starr Report because you're "really into politics" but you skipped to the best part, you're BUSTED!

Before you read your next (or first) electronic book, read this:

EFF: Don't Let Google Close the Book on Reader Privacy

The first set of mass-production plug-in electric vehicles are slated to arrive this year. Among other incentives, they won't pay a dime in fuel tax. Looking to head-off that shortfall, several states, including California, Oregon, and Missouri have investigated charging by the mile, instead of by the gallon.

Why not simply base mileage on a vehicle's odometer? Beside the obvious tampering concerns, a state has no right to collect for out-of-state mileage. In the past, it had always been assumed that anyone traveling interstate would eventually need to fill-up with taxable liquid fuel at a regulated pump, thus contributing to each state's highway improvement budget.

Not so, in this modern era. Electric vehicles, like GM's Volt, can be charged from any conventional outlet, or faster via a dedicated higher-voltage charger. Though, theoretically, taxes will be paid on the energy consumed, those taxes don't directly contribute to things like highway improvement.

Now comes the increasingly ever-depreciating GPS with the ability, not only, to collect state and interstate road-usage data with a fair degree of accuracy and tamper-resistance, but also the ability to transmit that data wirelessly on-schedule, on-demand, or even in real-time.

It's that last feature that has many up in arms. How else could this data be used? It could, for instance, report traffic violations to municipalities without involving a law enforcement officer, even as they occur. It could also be used to prove that someone was speeding, or is a habitual speeder, after the fact. Perhaps as evidence in a traffic accident. Or for the purposes of increasing one's insurance premium. It could be used to automatically alert authorities when a suspect returns to their jurisdiction, or to the "scene of the crime". For that matter, it could be used after an incident to locate all individuals who were in the area, and even retrace their path. Spouses could subpoena the data as evidence of infidelity. Ex-spouses could use it to collect child or spousal support.

Some have suggested that such a system would come with built-in privacy mechanisms. For instance, it might only record the mileage in each state, and not specific location data. The biggest problem with that is, now you have no way to audit the accuracy of the figures, or the system as a whole. It presents the possibility of systemic inaccuracies or even gross abuse. In other words, much like electronic voting, how do citizens patrol their government?

Read more @ Kansas City Star

“Anything using RF energy — we have the right to inspect it to make sure it is not causing interference,” says FCC spokesman David Fiske.

According to Wired:

The FCC claims it derives its warrantless search power from the Communications Act of 1934, though the constitutionality of the claim has gone untested in the courts. That’s largely because the FCC had little to do with average citizens for most of the last 75 years, when home transmitters were largely reserved to ham-radio operators and CB-radio aficionados. But in 2009, nearly every household in the United States has multiple devices that use radio waves and fall under the FCC’s purview, making the commission’s claimed authority ripe for a court challenge.

Wired: http://www.wired.com/threatlevel/2009/05/fcc-raid/

Wired
Boston Court's Meddling With 'Full Disclosure' Is Unwelcome

"In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free. The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start - - despite facing an open-and-shut case of First Amendment prior restraint. The U.S. court has since seen the error of its ways -- but the damage is done. The MIT security researchers who were prepared to discuss their Boston findings at the DefCon security conference were prevented from giving their talk.

The ethics of full disclosure are intimately familiar to those of us in the computer-security field. Before full disclosure became the norm, researchers would quietly disclose vulnerabilities to the vendors -- who would routinely ignore them. Sometimes vendors would even threaten researchers with legal action if they disclosed the vulnerabilities. Later on, researchers started disclosing the existence of a vulnerability but not the details. Vendors responded by denying the security holes' existence, or calling them just theoretical. It wasn't until full disclosure became the norm that vendors began consistently fixing vulnerabilities quickly. Now that vendors routinely patch vulnerabilities, researchers generally give them advance notice to allow them to patch their systems before the vulnerability is published. But even with this "responsible disclosure" protocol, it's the threat of disclosure that motivates them to patch their systems. Full disclosure is the mechanism (.pdf) by which computer security improves.

Outside of computer security, secrecy is much more the norm. Some security communities, like locksmiths, behave much like medieval guilds, divulging the secrets of their profession only to those within it. These communities hate open research , and have responded with surprising vitriol to researchers who have found serious vulnerabilities in bicycle locks , combination safes (.pdf), master-key systems and many other security devices .

Researchers have received a similar reaction from other communities more used to secrecy than openness. Researchers -- sometimes young students -- who discovered and published flaws in copyright-protection schemes, voting-machine security and now wireless access cards have all suffered recriminations and sometimes lawsuits for not keeping the vulnerabilities secret. When Christopher Soghoian created a website allowing people to print fake airline boarding passes, he got several unpleasant visits from the FBI.

This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don't do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won't leak out even if the research results are suppressed. These assumptions are all incorrect.

The problem isn't the researchers; it's the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote : "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

In a world of forced secrecy, vendors make inflated claims about their products, vulnerabilities don't get fixed, and customers are no wiser. Security research is stifled, and security technology doesn't improve. The only beneficiaries are the bad guys. If you'll forgive the analogy, the ethics of full disclosure parallel the ethics of not paying kidnapping ransoms. We all know why we don't pay kidnappers: It encourages more kidnappings. Yet in every kidnapping case, there's someone -- a spouse, a parent, an employer -- with a good reason why, in this one case, we should make an exception.

The reason we want researchers to publish vulnerabilities is because that's how security improves. But in every case there's someone -- the Massachusetts Bay Transit Authority, the locksmiths, an election machine manufacturer -- who argues that, in this one case, we should make an exception. We shouldn't. The benefits of responsibly publishing attacks greatly outweigh the potential harm. Disclosure encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers. It's how we learn about security, and how we improve future security."

--- Bruce Schneier is Chief Security Technology Officer of BT Global Services and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World . You can read more of his writings on his website .

...........................................................

http://feeds.wired.com/~r/wired/topheadlines/~3/370596313/securitymatters_0821

Posted by email from secondwave's posterous