Scenario 1: Terrorist operative “A” uses Twitter with… a cell phone camera/video function to send back messages, and to receive messages, from the rest of his [group]… Other members of his [group] receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.

Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow “B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”

Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario… has already been discussed for other social networking sites, such as My Space and/or Face Book.

Yeah, what the 304th Military Intelligence Battalion (which is so utterly well-versed in information technology that their security certificate doesn’t fit their URL) writes in their PDF report makes a lot of sense. And the PDF report likening all muslims to jihadist terrorists is tremendously coherent as well, after all, it’s what our media tells us, and our media is Always Right™.

I think my stupidity allergy is acting up, I’ll have to stop writing for now.

Via Matthias Gutfeld, who had it via Ugugu.

Update 08-10-30, 15:18: Meanwhile, Schneier has a post about this as well. Apparently, somebody on Slashdot commented:

Wait until they find out about email and chatrooms!!!!

Sarah Palin

Apart from her being rather incompetent (“cramming a lot of information”, as if, she just doesn’t find her way around the notes others have prepared for her), Sarah Palin apparently really likes fashion. And hairdressers. And makeup.

According to financial disclosure records, the accessorizing began in early September and included bills from Saks Fifth Avenue in St. Louis and New York for a combined $49,425.74.

The records also document a couple of big-time shopping trips to Neiman Marcus in Minneapolis, including one $75,062.63 spree in early September.

The RNC also spent $4,716.49 on hair and makeup through September after reporting no such costs in August.

Ah well. I refrained from posting about the US election so far, it’s just too hyped up even in European media, and the US voters seem to be less informed by the day, start being openly and no longer covertly racist again, but this is just silly.

Although, on second thought, maybe the money is better spent that way.

Via tou.ch (German).

Yes, that just was my meager tribute to today’s Talk like a Pirate Day

Ingame Map

Washington Map

It’s a fact that there’s 10 million WoW players (by official count), and that not all ingame chat is about the game itself. It’s also a fact however that some CIA folks have seen too many conspiracy movies. You might have heard about it: A Pentagon researcher gave a presentation early this month (via Wired, heise), where he alerted the world to the inherent dangers in such online worlds: Jargon! Coded messages! To the left, you see an ingame map, to the right the overlaid secret attack plan. Boo!

Now … yes. Of course, this is theoretically possible. Of course terrorists could forfeit encrypted mails, a private Ventrillo server, or some other secure means of communication, in favour of in-WoW chat. But it’s a prime example of a movie plot threat, a term coined by security expert Bruce Schneier. He clearly illustrates why defending against those is a very bad idea:

The problem with movie plot security is that it only works if we guess right. If we spend billions defending our subways, and the terrorists bomb a bus, we’ve wasted our money. To be sure, defending the subways makes commuting safer. But focusing on subways also has the effect of shifting attacks toward less-defended targets, and the result is that we’re no safer overall.

Seems those Pentagon researchers haven’t read that, though. Nor have they heard about his later movie plot threat contest (which made it to the NY Times), just you wait until they expand on more of those possible dangers – here’s a long inspirational list.

Terror in Lineage

I particularly like this broken toys post, where the blogger draws parallels in other popular MMOs.

Indeed, the point can be made that they only use the above WoW picture as a clever way to make even politicians realize that “emerging media” are something that has to be watched for potential terrorist attacks. But the main issue remains: However many movie plot threats you watch, however many communication channels you supervise, we’re gladly living in a not-quite-yet-1984 world, which has the downside that terrorists have plenty of communication alternatives.

And once again I’m quoting Schneier, in his brilliant analysis of the subject matter:

My guess is still that some clever Pentagon researchers have figured out how to play World of Warcraft on the job, and they’re not giving that perk up anytime soon.

I guess that’s the best explanation for all this.

RFID - How It Works

The Swiss government has decided that our passports, like a few before ours, should store data on RFID chips. Meaning, the following data would be stored in that chip:

• fingerprints
• a digital photograph
• all the data that’s also available in printed form (name, gender, date of birth, eye color, and so on)

All this data could then be read out via electrical readers (as pictured in the diagram to the right, labels German).

That in and of itself isn’t necessarily evil! The current proposal concerning regulations and technology lets it be implemented in ways that make it evil though. Let me lay out why that is.

About RFID

If you haven’t heard of RFID before, it’s high time you read up at Wikipedia – and even if you did, there’s quite intriguing things I haven’t read before in there too. Short version:

An RFID tag is an object that can be applied to or incorporated into a product, animal, or person for the purpose of identification and tracking using radio waves. Some tags can be read from several meters away and beyond the line of sight of the reader.

Additionally, the RFID chip can be passive – meaning, it has no energy source of its own and thus potentially lives forever. And as I’ll explain later more in-depth, you can’t track who obtains information from it. There are also active RFID chips, but since the ones used in passports are passive and there are no other fundamental differences beyond range between active and passive types, I’ll neglect active RFID chips for the rest of this post.

There are places where RFID chips make sense and most privacy concerns don’t apply (like race tracking, inventory systems, some kinds of animal tracking). But passports definitely aren’t one of them.

The Referendum

The referendum (a federal facultative referendum, that is) is carried from a surprisingly (in a very positive way) large number of independent political forces.

The referendum was launched because there is a vast number of unresolved issues that are introduced with biometric RFID passes (details see below).

Here is the RFID referendum website

If you’re Swiss, I strongly urge you to sign it within the next 10 days, if you haven’t already, and spread it among your friends and coworkers. Time is running out, the referendum only runs until September 22th, and apparently, over 30′000 more signatures are needed. Signature sheets are available on their site.

Privacy

It is not a coincidence that the RFID chip started out, originally, as an espionage device. Its passive nature and long life make it perfect for stealth placement and readout.

Accesses to the chip are not trackable, and while the chips in passports are protected by a metal mesh covering them that shields them against malicious scans, this (just like other things when it comes to RFID) doesn’t work as it should. Uncovered at the Blackhat 2006, a proof of concept showed:

The problem, according to Flexilis, is that the shielding does not fully protect passport against remote scans. Kevin Mahaffey from Flexilis says a medium powered scanner could detect a partially opened passport from four to six inches away. The theoretical maximum detection range is more than 10 feet, but Mahaffey said that would require a “huge amount of power.”

So, when you have such a passport, you’re trackable, identifiable, by anyone who has access to that kind of technology. Which is just about anyone who’s determined enough.

Furthermore, even “legitimate” (as per the legal text) kinds of tracking can go way beyond what we’re comfortable with. Airline companies, other companies with special permissions, your own and foreign governments, can and may track your every move. And once enough companies have your data in their databases, it’s bound to be stolen and out in the open eventually – data leaks do happen.

If you’re in the fortunate position to understand German, the StopRFID pages of the FoeBuD e.V. have way more info.

Security

There is a simple fact about RFID chips that no lobbyist will openly admit:

They are not secure.

You may have heard of MythBusters. It’s a Discovery Channel series that … busts myths. Often funny, like “can you surf on a wave created by a dynamite explosion”, but also stuff like “can you hack security fingerprint systems”. They tried to do an episode on RFID, and they were shut down by the industry. You draw the conclusions. References here: tom’s hardware, cnet news, the consumerist, all via Bruce Schneier.

“But”, I hear you say, “they’re meant to be made secure!” Well … yes. Read for yourself, in the federal Swiss decree:

Der Datenchip ist gegen Fälschungen und unberechtigtes Lesen zu schützen. Der Bundesrat bestimmt die entsprechenden technischen Anforderungen.

More or less, the chip is to be protected against malicious readouts, and details are to be determined by the executive.

But, there’s a problem with this: The same thing was meant to happen with the British passes’ RFID chips. And what happened? They were hacked a couple weeks after they were released. Read the details on The Guardian:

“The reader – I bought one for £250 – has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.”

More info on TechNewsWorld. Now, this was a white hat hacker. Who tells us that black hats have problems with what he achieved in 48 hours? We already know that it’s easy to access credit card numbers like that, why should full blown identity theft be made as easy as the (too easy) credit card theft?

Teleology

As we know, the main reason for adding those RFID chips in the first place is that the US wants everybody to do so. In their Enhanced Border Security and Visa Reform Act of 2002, we find:

Additionally, by October 26, 2004, in order for a country to remain eligible for participation in the visa waiver program its government must certify that it has a program to issue to its nationals machine-readable passports that are tamper-resistant and which incorporate biometric and authentication identifiers that satisfy the standards of the International Civil Aviation Organization (ICAO).

Why is it that the US government wants everybody to use those RFID chips in the first place then? Bruce Schneier has, yet again, brilliant vista:

The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.

Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can’t be done.

This, of course, is speculation. I haven’t seen another reasonable explanation to date yet though.

The fun thing is that the US government keeps pursuing that course, despite even large independent bodies like the Smart Card Alliance (who actually represents RFID vendors, among others, and thus has it in their best economic interest that RFID chips are used) warning them from privacy and security dangers. If you have a long breath, you might want to read this extensive report from May 2006.

The future

Maybe some time in the future, the technology will be where it needs to be in order to make a private, secure chip that makes international travel easy without exposing its users to unnecessary risks. The proposed RFID chips certainly aren’t that technology.

Of course, even when we eventually do have the technology, other things like better tolerance and education would be more effective in preventing terrorism. But that’s an entirely different discussion.

Linear acceleration, circular boosting in 4 packets with pulses, further acceleration in the proton synchotron (a larger ring) and gain of mass, further energy addition in the super proton synchotron, and finally the LHC itself with 2 rings with opposite directions, which then allows the actual collisions. Really neat.

As for the black hole doomsday scenario that cookie mentioned wasn’t upon us just yet: It isn’t due until October 21st (source, via), so long they won’t do any collisions and just test the two individual rings. Also, it’s just one of many such scenarios, every one just as improbable as the next.

Random related tidbit, an Indian girl commited suicide because she was afraid of dying (via Arathor.net). Tragic, which doesn’t quite mean that I understand it -- as Ramuel in that thread put it so eloquently:

I really don’t get it. I mean if you were thinking about killing yourself and believed the end of the world was nigh, why not just save yourself the hassle and wait until you get sucked into oblivion?

Everybody’s celebrating, even Google, with one of their famous doodles (uhm … does “please do not use them elsewhere” mean I’m not supposed to show it here?):

Google LHC Doodle

Onwards, a few explanations why it’s just a little bang and not a big bang CERN is producing, and an explanation why there won’t be dangerous black holes, and a less science-ey one too. So, none of the other particle colliders will kill us any time soon, either.

Hopefully.

Update 13:41: Very nice site that answers all questions, via kuschti @ Twitter.

http://www.hasthelhcdestroyedtheearth.com/

Feel the source, Luke.

Update 14:02: For up to date news, follow CERN on Twitter.

Chrome Phone Home

Maybe you heard (I hear it was even on TV?) that Chrome loves E.T. and likes to phone home. Yes, it does, but not that much more so than other browsers: Google’s Matt Cutts has the details. (Yes, I added that link to the other post later on as well).

Selection mine, he has a few more points:

If you’re just surfing around the web and clicking on links, that information does not go to google.com.

If you are typing a search or url in the address bar, Google Chrome will talk to the current search service to try to offer useful query/url suggestions.

Google Chrome checks for automatic updates every 25 hours.

Every 30 minutes, Google Chrome downloads a list of 32-bit url hashes of urls thought to be dangerous (malware or phishing).

Essentially, the same as every other browser. And less than IE, who sends URLs to Microsoft for Malware checks if you opt in (and doesn’t have a malware filter if you don’t). Their Internet Explorer Privacy Statement reads:

If you opt in, addresses not on the legitimate list will be sent to Microsoft and checked against a frequently updated list of websites that have been reported to Microsoft as phishing, suspicious, or legitimate websites.

Terms of Use

Another outcry in the community (details here at TapTheHive) was about Google’s terms of use, in particular the lengthy part 11 which allowed Google to use all data anybody ever entered in Chrome, basically. They’re not the first ones with evil TOS, but the ones that were watched best I guess, with the paranoia that I partially share and all. They changed it, it now reads:

11. Content license from you

11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services.

The German version didn’t change yet, but the English version works retroactively for people who accepted the old one as well.

More, Way More

I guess everybody wants to see more objective data as to whether Chrome’s speed really is better than that of Firefox (let’s not talk about IE). It is, slightly: Speed tests! But the Firefox team is working on a faster JS engine.

Then, a funny little exploit to crash all of Chrome’s tabs (via der-link.de).

And finally, interoperability: Get the best of Chrome’s features in Firefox via, who’d have thought, plugins (I didn’t know a few of those). And, associative art with the Chrome logo – is there a hidden message somewhere (via Basic Thinking)?

Update 08-09-12 10:59: Yesterday’s news (well, actually, from the 8th), Google now anonymizes the 2% of traffic they log from Google Suggest after only 24 hours. And since this addition will send another trackback to the Google Blog, hello in advance