Going through the TSA patdown

As a semi-regular traveler I am always interested in the security aspects of it, especially since I started reading Bruce Schneier’s blog. I posted the following in our discussed thread on the AusGamers Forums having just gone through the controversial new TSA security process that involves millimetre wave bodyscans – to which I decided to opt out.

So I am currently sitting in a lounge at LAX on the way back from GDC in SF.

When in SF I was in the line waiting to go through TSA security. I had stacks of time before my flight and there weren’t many people in the line. I could see the TSA magical mwave scanners and all the people dutifully lining up and going through them and getting zapped.

It was amazing, once I was in the line, how fast I had simply acquiesced to the fate that awaited me – that of being scanned – considering that reading this thread and all the other posts on the Internet had made me certain that, when presented with the opportunity, I would tell the TSA to go fuck themselves and have them scan me. But once you’re in The Line, and trudging slowly along with everyone else, you simply absorb their sheep mentality and just keep putting one foot in front of the other with a view of getting through this process as quickly and as painlessly as possible.

Which is, of course, what they’re counting on – your obedience and willingness to submit yourself to this invasive level of security, because the alternative is an even more invasive one that will take longer and probably be a pain in the ass.

Once I realised my transition to sheeple had almost completed, I snapped myself out of it and mentally swore that I would opt out of the scanning and ask for the patdown.

I got to the front of the line, had my stuff going through the x-ray, and told the guy I would like to opt out, adding casually that “I hope this isn’t a pain in the ass” (knowing of course that it definitely was). Looking around though, I could see one TSA guy to my left watching the line and another two guys at the back just talking to each other, so I didn’t think this was a particularly onerous request – the line wasn’t that long and they clearly weren’t very busy as the herd was so docile. The guy responded, with the tinnnnnnnniest air of frustration, that “it takes longer”, to which I just shrugged.

So I was taken aside by the spare guy to my left. I assumed that, given he was standing there doing nothing, he would search me, but he simply herded me into a little fenced off area right next to the scanner and called for a male agent to come over.

I had to wait about 3 or 4 minutes before some guy came over. At no time did they express any interest into why I opted out; the dude just wandered over and walked me through the process very clearly, politely and succinctly, explaining exactly what he was going to be doing (“I’ll be running my hands up and down blah blah blah”).

He offered me a private room, but I declined, deciding that if I was going to get The Patdown, I would prefer to do it in front of everyone, both to remind them of the option, and also because I hoped (no doubt vainly) that it would perhaps encourage others not to so meekly submit to the whims of the TSA.

The search took probably no more than about another 3-4 minutes. At the end of it I decided that at no point did I ever feel like the guy was grasping any part of my genitals or trying to incite a tickle-frenzy; it was like a very polite masseur simply running his hands over most of my body.

The best part was at the end – he invited me to sit down, then ran his hands over the tops of my (shoe-less) feet. While he swabbed his gloves and ran the results through a scanner (presumably checking for explosives, drugs, or other things Americans don’t like much, like liberty, freedom, medical care for citizens, etc), I asked him if he was going to check the soles of my feet. He said no, to which I just shrugged acceptance, and then another TSA dude who had been watching the tail end of the proceedings said “no, we don’t do that any more because the TSA decided feet are dirty”.

I laughed dutifully thinking this was a hilarious joke made by the TSA at their own expense. Neither of the two guys laughed; the other just nodded and said “yeh, that’s right”, to which I choked down my laughter and just started staring depressed at the floor at the obvious security theatre that was going on around me – regardless of the truth of that statement.

I certainly feel like applying this level of security to every individual is an utter waste of time. While I was waiting in my little fenced off possible-terrorist-suspect area, I witnessed a dude breeze straight through the security check – a fellow passenger who wasn’t subject to the screenings or the pat-down, presumably some sort of frequent flier who had a first-class pass that entitled him to only cursory inspection walking through a metal detector. So presumably, if you were a real criminal or terrorist, you would just find out what mechanism they use (Google informs me that it’s probably CLEAR) and employ that to skip the onerous security checks.

Of course, that attack vector has long been considered boring and pointless by some security experts, who think that the two biggest improvements to flyer security since 9/11 have been the reinforced cockpit doors and the new passenger knowledge that they need to act to subdue miscreants, or else their lives are almost certainly lost.

So I certainly felt irritated by the process. All the agents that I dealt with were utterly, implacably polite and professional. Again, they were not very busy; there were not hordes of conscientious objectors like me fucking up their day, so they could take the time to have a relaxed approach – or maybe they’re just always like that at SFO because they hire a better class of citizen to help protect their airways, or something.

Anyway, that’s my story. I am not sure if I would do it again – it was almost creepy how strong the urge to “just do what everyone else is doing” was. But I think it’s important that people take a stand on security like this so that the focus can be shifted to mechanisms that really work and actually contribute to the security of all, instead of merely providing an appearance of security.

Troubleshooting GnuPG – gpg: no ultimately trusted keys found

My GPG installation (Windows binaries, some ancient version) has worked flawlessly for several years, but I just went to run my usual mail backup script after some minor changes – I installed enigmail for Thunderbird. This act, or some related act, appeared to mess up something in my keyring.

At first I thought it was that it had unsigned my keys, but a closer look indicated it was something to do with the trust database. I thought this would be a trivial problem to solve (i.e., I’d be able to Google the error message and be given a nice, simple howto to follow), but I was surprised – there was a bunch of useless stuff.

Anyway, the warning appears to be related to there being no ultimately trusted key (funnily enough). That is, you haven’t specified a “root” key that you have declared as the one that you trust to make all other decisions (I’ve had 4 beers and might not be articulating the purpose of this well).

However, the fix is pretty simple. You just need to specify your key as “ultimately trusted”.

The easiest way to do this (assuming you are using GnuPG command line like I am) is to just edit your key and make it trusted:

1) gpg --edit-key [your key id]
2) select the key (I just typed ‘1’ and hit enter; you can confirm by typing ‘list’)
3) type ‘trust’ to change the ownertrust
4) select option 5, “I trust ultimately”, then say ‘yes’ to the confirmation
5) type ‘quit’

…and you’re done.
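As an added example (not from the original post), here is the same fix done non-interactively: a script that spots the missing ultimate trust in gpg’s colon-separated listing and builds the one-line record that `gpg --import-ownertrust` accepts. The key id, fingerprint and listings are constructed samples; the live function assumes a working `gpg` on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: detect the "no ultimately trusted
# keys" state from gpg's machine-readable listing and fix it without the
# interactive --edit-key session. Key id, fingerprint and listings below are
# constructed samples.

# Succeeds (exit 0) if the `gpg --list-keys --with-colons` output on stdin has
# at least one primary key whose ownertrust (field 9 of a "pub" record) is 'u'.
has_ultimate_trust() {
    awk -F: '$1 == "pub" && $9 == "u" { found = 1 } END { exit found ? 0 : 1 }'
}

# Build the record `gpg --import-ownertrust` expects: "<fingerprint>:6:",
# where 6 is "I trust ultimately" (option 5 in the --edit-key trust menu).
ownertrust_record() {
    printf '%s:6:\n' "$1"
}

# First fingerprint in a colon-separated listing (field 10 of an "fpr" record).
first_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Constructed listing for a key whose ownertrust is still unknown ('-'): the
# state that triggers "gpg: no ultimately trusted keys found".
SAMPLE_BEFORE='tru::1:1700000000:0:3:1:5
pub:-:2048:1:0123456789ABCDEF:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000::Example User <user@example.com>::::::::::0:'

# The same key after its ownertrust has been set to ultimate.
SAMPLE_AFTER='pub:u:2048:1:0123456789ABCDEF:1500000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Live version (assumes gpg on PATH; not exercised by the samples above):
# mark your own secret key as ultimately trusted if no key currently is.
fix_trust_live() {
    if ! gpg --list-keys --with-colons | has_ultimate_trust; then
        fpr=$(gpg --list-secret-keys --with-colons | first_fingerprint)
        ownertrust_record "$fpr" | gpg --import-ownertrust
    fi
}
```

Running `gpg --export-ownertrust` afterwards shows the same `<fingerprint>:6:` line, which is a handy way to back up the trust database before the next Enigmail-style surprise.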

ANZ on the Security of Email

A while back, ANZ offered me the opportunity to receive some of my statements as ‘e-statements’. While I fully approve of the move away from paper, I must confess I was slightly disappointed to find out that they’d be emailing me notices about these e-statements – one of the big reasons I think Australia (or at least, ANZ) has done well in the fight against phishing is because they’ve simply not ever sent any emails out, ever. Contrast this to a US bank (Wells Fargo) – within days of signing up I’d received a huge variety of emails, making it easy to see why so many US citizens get scammed so easily.

I typically ignore these emails but as part of my ever-growing interest in how email works and how people use it, I checked out my most recent one, and was interested to see the following disclaimer in the email footer:

ANZ does not guarantee the integrity of this communication, or that it is free from errors, viruses or interference. As email is transmitted via the Internet, which is an unsecure environment, ANZ cannot ensure that an email is not interfered with during transmission.

Clearly they’ve never heard of public-key cryptography! Of course, even if they had, and the email was encrypted and/or digitally signed, that last sentence would probably still exist from a sheer cover-their-ass perspective.

Still, I’m looking forward to the day when my bank (and other sites) let me enter in my public key as part of my account settings so all correspondence from them can be encrypted. I’m continually surprised that so few sites do this. I’m keen to integrate something like this into AusGamers – not that we really need it, but just because I think it would be cool to do.

It should be noted though that their emails include /no/ links at all and are sent in plain text.

Event Cinemas/Birch Mobile Site (with XSS holes)

I went to www.birch.com.au the other day to look up some timetables and they’ve replaced it with a new loud glary site that I couldn’t get working instantly. I turned off Javascript and found they have a mobile site as well, which is at http://m.greaterunion.com.au – it offers a really simple interface to quickly get timetables for their cinemas all across Australia.

Except, as jadz0r points out, it appears to be subject to XSS vulnerabilities, so use at your own risk.

X Would Like To Recall The Message – But They Can’t

Ever got one of these? An email of the form “Person X would like to recall the message, [subject of the message goes here]”?

You’ll probably get something like this a few minutes after someone has just sent you an email you weren’t supposed to get. This happens semi-regularly – I’ll get a game press release that wasn’t supposed to be out in the wild yet, or someone has just sent a message to 300 people and put them all in the Cc: list instead of the Bcc: list… there’s a lot of great screw-ups I could refer to.

While this is, on the surface, just a hilarious artifact of newbs using computers, it actually is demonstrative of a pretty serious problem – controlling accidental information spread in an increasingly digital world.

A single mis-addressed email these days can bring down businesses and sway entire markets, and trying to control confidential information is something that companies are taking more and more seriously (but still probably not seriously enough to make a big difference).

Fortunately, open source has got you covered. Some clever students over at Carnegie Mellon University have created an extension for Thunderbird (the free, open source email client from the Mozilla team) that attempts to help control the spread of information by helping you make sure you’re sending emails to the right spot.

The extension, called Cut Once, learns who should be and shouldn’t be receiving emails that you’re sending (through some sort of document word count analysis). Once it has been trained, when you go to send an email it will check your recipients and advise you if there’s someone on there that perhaps shouldn’t be.

It will also suggest recipients that you might want to add – something which I feel would be less useful for my line of work, but possibly useful for others.