Archive for the 'Security Advisories' Category

Nov 16 2011

Google’s wifi mapping non-solution

Published under Privacy, Risk, Security Advisories

Google got in a lot of trouble last year for capturing private data from wireless networks when they were driving the googlemobiles around to get video shots for StreetView.  Basically, rather than just capturing the SSID for the access points, in a lot of cases they captured data streams from the APs, which violated all sorts of European privacy laws.  And in reply to this, Google came up with a solution:  users can opt out of Google’s wireless access point mapping solution by simply adding “_nomap” to the end of their SSID!  So simple it’s stupid.  No, I mean it’s so simple it’s absolutely idiotic and a waste of the digital ink that was used to express the idea!

I think MG Siegler expresses it best when he said, “The solution is a joke.”  Siegler thought of the same things I did when he saw this so-called solution.  First, only a fraction of a percent of people are even going to understand that Google is mapping their access points, and an even smaller segment of the population is going to understand what that means.  And of that small group, only a much smaller percentage are going to make the changes to SSID names necessary to opt out of the Google mapping.  I think that his .01% of the 10% of the people who actually read the article is a bit generous; only the truly paranoid will opt out using this method, and they probably weren’t advertising their SSID to begin with.

Let’s think about the pain in the arse it is to change an SSID to include ‘_nomap’.  My house is probably not normal, but it’s what I have to use as an example.  I have two wireless networks, two access points, three desktops, half a dozen laptops and a server that all would have to be changed to include the ‘_nomap’ SSID.  Plus there are a few more systems to worry about when you include the gaming systems the kids use.  The average household probably doesn’t have nearly that much equipment, but they also don’t know enough about wifi to set it up with proper encryption in the first place, so why would Google assume the average home user would know enough to change the SSID on all these systems once they finally got them running on their home network?

Let’s be honest; all Google is doing is waving their hands over StreetView in an effort to claim they’re doing something in front of governmental bodies who wouldn’t know the difference between an SSID and Sid Vicious.  In most cases, they’d probably recognize Sid Vicious before they’d have a clue what an SSID was or what it’s used for!  Siegler nails it when he states that Google might as well ask people to solve calculus problems.  And I’d be willing to guess there are a number of people who would have an easier time solving advanced mathematical equations than they would changing their SSID.

I want a solution that doesn’t require me to change my SSID to opt out of Google’s mapping.  It’s a stupid solution and I’m not changing my SSID to include the ‘_nomap’ modifier.  My last thought is two-fold:  What effect will this have on all the data that Google has already collected (Answer: none), and will Google actually honor their own ‘_nomap’ identifier and drop the data at collection, or will they simply not display the access points using ‘_nomap’ but keep the data in their database?  I think you and I both know the answer to the second one as well.


Nov 11 2011

Open Tabs 11/11/11

Whether you call it Veteran’s Day, Pocky Day, Binary Day or something else, it’s Friday.  I don’t know about you, but I’m looking forward to this weekend and spending some time with friends.  Being a parent, I don’t get out for adult time as much as I once did, which makes the rare occasions all that much more special.

If you know a veteran, today would be a good day to tell them thanks.  I ‘repaired’ radios long ago and far away on a little artillery base in Germany.  I put repair in quotes because our job was to say “Yep, it’s broken”, replace the radio and send the broken one off for repair by someone who actually did electronics troubleshooting.  I was lucky and my enlistment was during a relatively peaceful time, but we have hundreds of thousands of vets out there who saw events and actions most of us can’t even imagine.  Please respect them for their sacrifices.

I haven’t done this in a few days, so there’s a lot of built-up articles.

Open Tabs 11/11/11:


Oct 17 2011

Think about what you want from your QSA/QSAC

Published under PCI, Security Advisories

After four years of working as a Qualified Security Assessor (QSA) for two different Qualified Security Assessment Companies (QSAC), it’s a huge relief to be able to introduce myself as a ‘recovering QSA’.  As a friend of mine pointed out, the taint of being a QSA is not something that washes off easily; it sticks with you in insidious ways, bubbling to the surface when you least expect it.  I make it sound worse than it really is, but I do find myself slipping into the mindset of “this is how you’d meet a compliance requirement” sometimes when what I really want to say is “this is how you’d make your company more secure”.  After four years, it’s a hard habit to break.

Because of my experience as a QSA, I’ve had several people ask me for help picking out their next QSAC recently.  They want to know which company they should go with, what they should expect from the process and how to get to their Report on Compliance (RoC) as painlessly as possible.  For companies who are approaching PCI Compliance for the first time, it’s a scary proposition, because they’re painfully aware of how much they don’t know about what’s going to happen and what’s going to be required of them in the assessment.  For companies who’ve been through it before, they’re often feeling pretty smug in having last year’s RoC and underestimate the difference the QSA’s experience and understanding of the rules can make.  Companies who’ve been through the process many times understand that the specific QSA they get for their assessment is often more important than the company he or she works for.  Remember, you’re going to be assessed by that person and the company processes behind them are less important to you than their ability to understand your company.

Let’s get something out of the way:  if you simply want someone who can come in and check a bunch of boxes without understanding your infrastructure, go with the lowest bidder, someone who guarantees they’ll come in and assess your entire company in two days and phone the rest of their assessment in.  Seriously, if you’re not looking for a partner to give you advice on how to secure your environment and you just want a piece of paper with little or no increase in security, find someone who will give it to you.  Don’t look for an experienced QSA; look for one who’s relatively new to the job, one who can be bullied or fooled into agreeing with your assertions without verifying them.  We all know companies who operate on this business model exist, and it’s not worth wasting your time and money if you are looking for check box compliance.  I’ve had too much experience with companies who couldn’t care less about securing their infrastructure and simply want to do the least amount of work possible to make the assessor go away.  If your company fits into that category, it’s less of a headache if everyone agrees to accept this premise and moves on.

If you’re looking to get more out of an assessment than just a piece of paper though, you have a number of things to start considering.  How important is compliance to you versus how important is security to you?  Are your goals and your company’s goals the same?  Are you going to use the assessment to help you get funding for projects you know you need (and if not, why not)?  Is this your first assessment or have you been through several before?  Are you interested in having an on-going relationship with the QSAC and the QSA or do you want to get through this project and move on to your next headache?

It’s very important that your goals and the company goals are the same, and if they’re not, it’s even more important that you understand where they diverge and how you can use that stress to your advantage.  When the security department reports to the CFO or to a part of the organization that’s more concerned with how much money is being spent than how effective security measures are, your goals will probably be far different.  Learn to use the QSA in order to close that gap, use them as an appeal to authority.  “I know you don’t want to spend the money, but we won’t pass our assessment if we don’t” is a very powerful statement in many businesses.

Very few people conflate security and compliance at this point in time, at least that’s my hope.  But compliance can be a useful tool in getting the security tools you need in order to fulfill your commitment as a security professional to your company.  If you’re more concerned with getting compliant than with being secure, go back to the earlier point of simply getting the cheapest check box QSAC you can.  On the other hand, if you’re looking to be more secure when the process is complete, try to use compliance as a crowbar to pry funding from management.  Think a lot about that as you’re looking for a QSA, about how you can use the PCI DSS requirements to support your argument for new tools or additional headcount.  Your QSA can help a lot in this process, especially once his initial report comes back and you both understand what you need and how it will help secure your company.  Most good QSAs are also security professionals and get excited when you approach them as such instead of treating them like the enemy.  If you can frame the argument for a security control as a way to meet several compliance measures, your budget has a much greater chance of getting approved.

The first time you go through a PCI assessment is painful, no matter how well you think you understand the PCI DSS requirements and how to implement them.  And in many cases, the second assessment isn’t a lot easier, since it’s been 8-12 months since your previous assessment and you’ve let a number of the requirements slip without realizing it.  Look at the 2011 Verizon PCI Report and you’ll realize that this is exactly what happens to far too many companies.  Year over year numbers around maintaining compliance are actually a bit depressing when you read into them; you’d hope that getting controls in place was the hard part, but really, it’s the maintenance of controls that is the hard part for most companies.  It makes sense in some ways, since it’s easier to concentrate on getting an IDS or log management solution set up than it is to monitor it on a daily basis.  Let this thought sink in as you’re looking for a QSA:  just because you were compliant last year doesn’t mean your teams have properly maintained the tools over time.

All too often, the goal of companies is to get the assessor in and out as quickly and painlessly as possible.  But is this really a good use of the resources you have at your disposal?  While compliance seems like a once a year exercise, it’s really a year round commitment; it’s just that your compliance is going to be assessed once a year.  The assessment represents a point in time view of your work, but in the long run, you’re going to be judged by what you do when the QSA isn’t there much more than you’ll be judged by what you do while she’s on-site.  If you have a QSA that you understand and can work with, it helps to have a relationship that you can use to call them up when you have a question.  Most QSAs get to see a dozen or more different environments a year, and asking them how other companies meet a requirement can help steer you in the right direction to be more secure or save money.  If your QSA is a security professional first, they may be able to tell you how to meet a compliance requirement with a non-traditional technology.  This may not be something you’re interested in, but using your QSA as a trusted adviser rather than an enemy of the state can make maintaining compliance easier throughout the year and passing your next assessment much easier.  It may cost you slightly more in the short term but can have a long term return on investment.

These are all things you should be considering before you ever start talking to a QSAC and interviewing QSAs.  Know what you want to get out of the relationship with them and it will make the process much clearer, or at least give you something to base your decisions upon along the way.  When you’re just looking for the piece of paper, go cheap and save your money for what really matters to you.  But if you want to use compliance as a means to becoming more secure, it’s going to change your whole process and how you’re going to frame questions when you interview your QSAs before you choose one.  You are planning to interview a number of QSAs, not just accept the one the company sends you, aren’t you?


Oct 04 2011

Live tweeting the House Intelligence Committee

Last night I got an email from Jim Engineer at e-Rainmaker PR stating that Kevin Mandia from Mandiant would be appearing before Congress.  I’m always interested in hearing the leaders in our industry speak to members of Congress, because it reveals a lot not only about the thought processes of the folks who are presenting to Congress, it also reveals what our Congressmen think about security.  This hearing was no different from most, in that it showed there are definite agendas at work, but it also showed that the biggest concern for our Congress is the threat of China to our businesses and intellectual property, in addition to attacks on government properties.  I live tweeted as much of it as possible and I’d like feedback in the form of comments if you found it valuable.  Or even if you didn’t.  Any misquotes are my own and are attributable to trying to listen and tweet at the same time.

General Hayden impressed me the most of the three speakers.  His main message was that the issue of cyber-security is not something we should be in a rush to come up with ‘the answer’ for, but that we should be looking at having long conversations about what needs to be done in a thoughtful, logical manner.  While he encouraged legislation, he made it clear he wants the goal to be outcomes, not just compliance.  He was level headed and clearly understood the difference between security and compliance, something Kevin Mandia also backed up.

I thought Kevin was underutilized in this conversation.  He had some very good, clear thoughts on the subjects at hand, but the members of the committee seemed to give his testimony less credence, since it didn’t directly feed into the narrative they were trying to lead to.  His strongest statement was, “You will be breached, the security compromise is inevitable.” He followed it by stating that “In our last fifty incidents, forty-eight of them learned of the compromise from external third-parties like the FBI”.  That’s a pretty damning statement about the state of detection in our industry today.

And then there was Art Coviello.  I’m not going to dig too deeply into Mr. Coviello, but he was being a good CEO while also being an intellectually dishonest security professional, if you could call him a security professional at all.  Statements like “Our advanced technology allowed us to detect and react to the attack in progress” and “We were within hours of being able to stop the compromise” and other comments about how ‘swiftly’ RSA responded to the compromise go directly against the timelines in the press and against the history of how RSA notified the public and their customers of their compromise.  Remember, they didn’t even have a Chief Security Officer before the compromise; there was no one at the C-level responsible for security.  I was very unimpressed with Mr. Coviello today.

Not much will come from this Committee meeting, but it was educational to learn what message the members of Congress wanted to put out and how businesses are willing to help them.  It was also a lot of fun to live tweet it and see what security professionals around the country think.  Marty Roesch from Sourcefire (@mroesch) was especially cynical and entertaining.  But there were a lot of people who had good feedback and questions, for which I’m thankful.

Feedback on live tweeting is very appreciated, leave comments and expect me to do the same next time I have time and opportunity.  And here’s the press release from Jim.

For your information, MANDIANT CEO Kevin Mandia will offer testimony to the House Intelligence Committee at the invitation of Chairman Mike Rogers (R-MI) tomorrow Tuesday, Oct. 4, from 10 a.m. to 1 p.m.
Kevin is available to comment on his testimony should you have an interest in pursuing.

To view the testimony please visit:

http://intelligence.house.gov/hearing/cyber-threats-and-ongoing-efforts-protect-nation#

“Cyber Threats and Ongoing Efforts to Protect the Nation” 10:00am – 1:00pm ET HVC-210

· The Honorable Michael V. Hayden, Principal, The Chertoff Group
· Mr. Arthur W. Coviello, Jr., Executive Chairman, RSA
· Mr. Kevin Mandia, Chairman and Chief Executive Officer, MANDIANT

Chairman Rogers on the Cyber Security Hearing:
“Examining the threat of cyber attacks against the United States is of utmost importance. The threat of cyber attacks continues to evolve. What started out as a kid in the basement hacking into a school computer to change a grade, has evolved into entire nation states focused and determined to exploit our nation’s cyber systems. The Committee will review recent developments in the evolution of the cyber threat against the United States by nation state actors and others. Additionally, we will evaluate the status of the United States government’s efforts at providing cyber security within the government, the status of cyber security in the private sector, and the sharing of government information, including intelligence information, with the private sector to enable it to better defend and protect our nation’s most critical private systems.”

Jim

PS:  I think I only heard the dreaded “APT” once, from Art Coviello.  Figures.


Sep 03 2011

Is this really the ‘State of Security’?

Published under General, Risk, Security Advisories

I’m not a big fan of opinion polls, especially when the people writing them present them as if they were facts, rather than simply opinions of the people polled.  There’s a huge difference between the reality we live in and the way we perceive that reality.  That’s simply a fact of life, not a criticism of anyone in particular.  But it has a huge impact on the real usefulness of data when it’s based on perception rather than a quantifiable measurement.  And in the information security field, we’ve been working on perception and intuition for far too long and need to start relying on real, measurable data instead.  I have been told I’m too hard on polls, since opinions are valid data points as well, but I’m not so certain.

That’s quite an opening statement for a look at the latest security survey by Symantec, but I wanted to get my own personal biases out of the way before starting.  It also helps explain some of my skepticism of the value of the Symantec State of Security 2011 report.  It’s pretty, it’s glossy, it has nice pictures, but it’s still an opinion poll, and I always have to wonder how much it’s been affected by the perception of the people who were surveyed, how much they were willing to answer honestly and whether or not they actually knew the answers or just made stuff up.  As I said, I’m not a big fan of opinion polls in security, in large part because I’ve filled out more than a few of them myself.

There’s a lot of white space, large type and big graphs in the report.  Padding that should have been replaced with more analysis and discussion rather than being wasted.  Which tells me this was probably produced by the marketing department rather than someone in engineering or security.  Marketing might have gotten the analysis right, but the 19 pages would have been boiled down to 8 or 10 pages if it had been written by an engineer instead.  That’s not to say there isn’t some good information in the report, but it does mean there’s a lot of fluff to wade through to get to it.

One of the important tidbits is that, according to the poll, 41% of security professionals feel that security has become more important to their businesses over the last year, as opposed to 15% who think it’s decreased in importance.  Given some of the high profile attacks that we’ve seen in the last year, I don’t find that surprising, but I’m still glad to see that what we do is gaining in awareness of management.  41% of respondents also feel that they’re being given more budget, which leads me to ask if the increase in awareness is leading to a greater budget or if an increased budget led to a feeling of more awareness?  Given how long we’ve been underspending on security, it is good to see some positive movement on this front.

I found the trends that are driving security concerns a little confusing.  According to Symantec, mobile computing, social media and consumerization of IT top the list of concerns; this was explained to me as coming from the newness of the technologies, but I find that hard to swallow.  Smart phones aren’t new, social media isn’t new and consumerization certainly isn’t new.  I know I had to deal with consumer products in the workplace when I was a sysadmin, and that was nearly a decade ago.  The first thing I’d point out is that there’s only a 4% difference between the top 6 items in the list and Symantec acknowledges a 5% margin of error in the survey.  Which means that nearly any one of those categories could actually be the biggest security concern.  I’m a little surprised they split different aspects of ‘cloud computing’ into various subcategories such as SaaS, PaaS, public and private cloud, but I mean that in a good way.  It’s so nice to see someone who actually realizes that the ‘Cloud’ isn’t one technology but a collection of very loosely related technologies and implementations.

I would like to know more about how the question concerning significant security threats was posed to the people polled.  Hackers top the list, but there’s also a category for hacktivism, criminals, industrial espionage, targeted attacks and state-sponsored attacks.  I see those all as potentially falling under ‘hacking’, which could mean that there was a flaw in the question asked that biased the results.  I’m also not sure how this perception actually gains us any understanding in the first place.

“71% of respondents saw an attack in the last year…”  Oh boy, that’s a loaded statement.  If only 71% of the companies saw an attack, what were the other 29% doing?  Because I’m absolutely certain they were attacked, even if it was simply a drive-by attempt.  Were they playing ostrich, with their heads buried in the sand and no detective measures on their network?  Did they have anti-virus and ignore the malicious code that found its way into their network, or did they not have AV at all?  Were they actually looking at the logs from their IDS, or were they ignoring those as well?  I’ve run into more than a few security professionals who’ve said their management didn’t want detective measures in the environment because detection would mean they’d have to do something about it.  But even I have a hard time believing it was 29% of the companies.

The one perception I find in this report that I find scary is the measure of what security professionals think they’re doing well.  52% of security professionals polled believe they’re addressing routine security measures effectively.  But that also means 48% of security professionals don’t think they are.  Close to half of us are willing to admit we aren’t doing a good job at the basics.  And that was the highest measurement amongst all the data points.  If half of us admit we aren’t even doing the basics well, is it any wonder that we’ve seen so many breaches in the last couple of years?  Do we even have a chance if half of us admit we don’t have the resources to do the basics?

The recommendations by Symantec are generic and could have come from nearly any security report written in the last few years.  Policy, process, buzzwords don’t help much.  What should have been highlighted is the need to get the basics right, rather than work on policies that most people in your company will never even know exist.  Yes, policy gives us a lever to pry money out of management from time to time, but it doesn’t address the real problem of just being aware of what’s happening on your network.  But that’s probably not what management wants to hear anyway.

Take a little time to read the report; it won’t take you more than 15 minutes to read every word in it.  As with any report there are some nuggets of knowledge to be gained, but question the analysis put forth by Symantec.  I wish they’d included more information about the specific questions asked, because that tells a lot about the biases involved.  I would also like to see hard data points about the points made, rather than just opinions.  But I guess a couple of years of hanging around people like Alex Hutton and Wade Baker, writers of the DBIR, makes me value analyzing data over opinion.


Mar 22 2011

Network Security Podcast, Episode 234

Martin, Rich and Zach are joined tonight by none other than Josh Corman from the 451 Group to talk about the recent RSA breach.  Actually, he was on more to talk about the industry’s reaction to the breach than the breach itself.  The reality is that we still know almost nothing about what happened, though Rich has a little insight that goes beyond the press release, since he’s actually talked to folks at RSA.  Which means we know just a little more than nothing, which is not a significant improvement.

Another reason Josh wanted to join us was to talk about one of Rich’s recent articles, called Table Stakes.  We clarify what Rich meant in the original post as well as talking about some of the more touchy feely aspects of the industry.  Except Zach, who doesn’t do touchy feely so much.  And finally we end up with a little rant about those hacks over at the Southern Fried Security Podcast and how they’re always imitating us.  They even have their own Bizarro Zack, @jsokoly.

Network Security Podcast, Episode 234, March 22, 2011
Time:  42:06

Show Notes:


Mar 21 2011

Roundup of RSA breach articles

Published under Hacking, Risk, Security Advisories

This group of pieces on the recent RSA breach is only the tip of the iceberg, but most of what you’ll read on the story is purely suppositional.  In other words, a lot of educated people are playing a game of “let’s pretend” and blogging about it.  No one who’s writing knows much about the details; almost everything that’s out so far is guess work about what might have happened to RSA.  And while there’s some value to running through possible scenarios, it’s probably not worth the screen time the story has been getting until we know something concrete.

So here are three stories on the RSA APT.  The first is just the initial facts as they were known late last week, in a story from the Boston Herald.  The second is an analytical brief from NSS Labs, included as an example of some of the conjecture people are making based on what is known.  NSS Labs is known for having some good folks and this report is far from the most outrageous speculation that’s been made so far, but it’s also going to require a lot more information before we can really make a claim like “a string of breaches stemming from this event.”  Dave Shackleford does a very good job of dissecting just how little we know so far in this story and why the ‘A’ in APT is a misnomer.

And finally, a story that may or may not have anything to do with what’s happening to RSA: Google is accusing China of messing with their stuff.  It’s kind of hard to trust your servers when you’re sending them to another country that has no compunctions about using any means necessary to ‘protect their citizens’.

Update:  And moments after I posted this @N0b0d4 posted a very good post by Steve Gibson dissecting the potential risks of this compromise for people using RSA SecurID tokens.  I’m not usually one of Steve’s biggest fans, but he’s taken apart the issues pretty well this time.


Dec 21 2010

Keep a copy of your TSA rights handy!

If you fly with any regularity, you know exactly how bad things have gotten with the TSA invading your space and your privacy.  Naked x-ray machines, intrusive pat downs and TSOs who think their position gives them the right and responsibility to embarrass people who are simply trying to get to a destination.  All in all, flying is now one of the most stressful activities the average American has to deal with.  Hopefully pressure from the public will turn the tide on the current efforts by the TSA to ‘protect’ us at the expense of our basic liberties, but I don’t see it happening overnight.  In the mean time, you need to know what your rights are when dealing with the TSA.  Thankfully Saizai has created a two page PDF that explains what your rights are when dealing with the TSA and who to call if you think your rights are being violated.  This PDF is something you should have a copy of on your phone, on your computer and printed out so you can carry it with you when you fly.  Seriously, it’s that valuable.  Saizai says he updates the document fairly regularly, but I’m also making a static copy of it available just in case.  By the way, it also includes information about the photography rules of various airports around the nation, another good piece of information you may need to protect you from overzealous TSOs who want to believe it’s illegal to photograph them at work (it’s not, at most airports).


Dec 12 2010

BayThreat was awesome, do it again!

You’d think that security professionals would get sick and tired of attending security conferences; RSAC, Black Hat, Defcon are the big ones that everyone tries to get to, plus a lot of mid-sized cons like Shmoocon and Toorcon. But the truth is, for most people, those are either business opportunities/obligations or so far away and costly that it’s nearly impossible to attend anything that requires travel, a hotel and several days away from work. Which is why smaller, local events like BayThreat, DojoCon and BSides are becoming so important to security professionals around the globe; the ability to go to a small, local event far outstrips the cost to value ratio of any of the big cons and it’s so much easier to actually see the speakers you want to see.

This last Friday and Saturday were BayThreat, and a huge thanks has to go out to @dewzi and the crew who organized the event.  Held at the Hacker Dojo in Mountain View, CA, the event was far enough from home for me that I had to get a hotel room.  But the majority of the attendees who live in the Bay Area were able to return home each night.  Considering that airfare and the hotel are the majority of the costs of many conferences and that BayThreat only cost $45 to attend, this was a huge draw for most attendees.  And seeing the inside of Hacker Dojo was a plus as well.

I don’t know what the real count was, but the best guess I heard was somewhere between 150 and 200 attendees between Friday and Saturday.  The speakers were some of the same people you might see at a major event like Black Hat, folks like Dan Kaminsky, Moxie Marlinspike and Dino Dai Zovi, but also a lot of great local speakers like Jeremiah Grossman, Allison Miller and Sam Bowne.  I’m just hitting some of the high points; check out the list of speakers for yourself and you’ll see how many great presentations we were treated to this weekend.

Two of my personal favorites in the speaker track were Mike Smith’s presentation about DDoS, with a lot of information about the current situation with Wikileaks, and Steve Adegbite’s presentation “Rage against Security: A different Scene Shift”.  Mike is giving the same talk at DojoCon after flying cross country last night, which may make the presentation more amusing, if not better.  That’s not to say there weren’t other great presentations, there were, but I kept getting distracted by the hallway track and meeting many of the people who were just a twitter handle to me until this weekend.

I have to say that BayThreat is one of the first security conferences I’ve been to that has left me wishing it was still going on when I headed for home.  There’s a lot to be said for having a conference that’s short and sweet and doesn’t leave you spending the next week trying to recover from the hangover and exhaustion.  But I still wanted more time to hang out with so many great people.  And I’m looking forward to having another great event next year.

Update:  Mike Smith’s DDoS slides have been uploaded to the BayThreat site.


Nov 21 2010

Who should you complain to?

I’m not going to weigh in on the whole TSA whine fest that’s going on; I agree that the TSA has gone too far and needs to have their collar yanked on to settle them down.  But a whole bunch of us complaining on Twitter isn’t going to do much, neither are lengthy blog posts.  Quite frankly most of us have too little exposure to be taken seriously on the national stage.  I got my own whining in early, so now I’m trying to gather some information on how to be effective.

But we do have people we can contact who do have some pull, starting with our federal legislators, who are easy enough to find and monitor on the Project Vote Smart site.  I didn’t notice a political slant either way to the site; it appears to just be reporting the facts and is easy to use.  Writing to your Senator (mine is Barbara Boxer) will be slightly more effective than Twitter; at least an intern somewhere will tally your complaint.  Two other places that you can write that I’ve been told will have slightly more impact are your airline and their lobbying firm.  Explain your position in terms of how it impacts your business and how it will impact their bottom line.  The SourceWatch wiki supplied me with contact information for United Airlines and their lobbyist firms.  I’ll let you know if I hear anything back from them.  I had a friend on Twitter explain this: basically you want to start any emails you send by talking about the money, then end with little side notes like ‘protection from unreasonable search and seizure.’  It’s easier for many people to understand money issues than those of Constitutional rights.

The TSA does have a way to report a complaint, though I don’t know of anyone who’s done it so far or what the results have been.  Personally I’d be afraid of getting added to a watch list.  What might be more helpful is to read the official TSA Blog.  For instance, did you know it’s actually allowable by TSA rules to photograph a TSO in pursuit of their duties?  That is if the state and local laws allow it, which they don’t in many states.  So far California appears to.

The current pat downs and back scatter x-rays are both issues that need to be addressed.  As is the over-reach of the TSA to grab power at airports.  But observing and talking about them don’t do much good unless we follow up with some sort of action.  If you have some better ideas of who to contact, please leave a comment.

