Opsec for a world where the laptop ban goes global


#1

Originally published at: http://boingboing.net/2017/06/01/evil-chambermaids.html


#2

+1 glitter polish security!

Also I should point out that global and international are hardly the same thing.


#3

Filling your USB ports with epoxy would be a pretty desperate move. I’d rather just leave the damn thing at home.

I foresee laptop makers coming up with designs for easily-removable fixed storage. And with the increasing prevalence of small form factor solid state drives (M.2) it’ll be pretty painless to hand carry your important data.


#4

If nobody sells burner laptops, they will.


#5

Hand over your glitter photos, citizen! For ’tis treason not to.


#6

Now you have me wondering how many companies providing cloud solutions are lobbying FOR this because on that burner laptop you’ve gotta set up software and get your files, all of which takes time.

Or you could connect a dumb box into a fancy connection with a lot of speed and storage. We’re back to mainframes, but with a different pricing model and more centralized in terms of ownership (which is very bad!).


#7

The proposal to ban laptops from the cabins of planes appears to be attempting to take advantage of the following logical fallacies and cognitive biases:

Remember that time they said they needed porno scanners? It turned out that the porno scanners do not detect weapons. They really only take nudie pictures. And, DHS upper management (Chertoff) got rich off the sale of the porno scanners. At this point, we should just assume that any proposed TSA change is simply another “make TSA/DHS management rich” scheme.

The TSA success rate at finding known weapons and explosives is 5%. I.e., they only detect 1 out of 20. This means that the laptop change will not actually make a difference to the actual risk.

If they are worried that a well funded group will make explosives that look like a laptop, why does it make a difference where you put the laptop on the plane? For that matter, why wouldn’t an attacker make explosives that look like a suitcase? If they can’t find an explosive shaped like a laptop, they are not going to find an explosive shaped like luggage. That big of an explosion would take out the plane, and everything next to it. Are they going to make us stop checking luggage?

While we wait for the TSA’s analysis, let’s review a few facts. Here are some reference pages on various types of death in the US:

So, your chance of dying of various things in the US is:

  • Heart disease & cancer in the US: (about 1 in 7 deaths.) For every terrorism death, there are 35,000 deaths by heart disease and cancer.
  • Dying in a motor vehicle accident: (about 1 in 100.) For every terrorism death, there are about 2,200 deaths by motor vehicle accidents
  • Drowning in the US: (about 1 in 1200) For every terrorism death, there are about 200 deaths by drowning.
  • Being killed by police in the US: (about 1 in 2300) For every terrorism death, there are about 105 deaths by police
  • Dying in a plane crash: (about 1 in 10,000) For every terrorism death, there are about 25 deaths by plane crashes
  • Killed by lightning in the US: (about 1 in 160K.) For every terrorism death, there are about 1 and 1/2 deaths by lightning.
  • US Citizen killed by terrorists from 2005 through 2014: (about 1 in 240K deaths.)

It looks like you could show a decrease in deaths by shutting down the TSA and spending the money on all kinds of other things. For example, you would probably extend thousands of lives every year, if you took the TSA’s budget and used that money to give a daily carrot to everybody in America.

Of course, the future of the CAD (Carrot Applied Daily) agency is not all shiny orange. There may be a surge in the carroticide (homicide by carrot) rate. But, we know that the only thing that can stop a bad guy with a carrot, is a good guy with a carrot. If everybody has a carrot, then all the bad guys should be stopped. However, once we start down this path, we are going to have to pay to outfit all the swat teams with assault rutabagas (swedes to you Brits.)

If the TSA is going to make a change, they must prove that the overall benefits justify the overall costs. The overall costs on this one are awfully high. There does not appear to be any actual benefit. Everybody should be opposed to this proposal. It appears to be a perfect example of CYA security.

The TSA/DHS have proved that they are incapable of acting rationally in the presence of a risk. Since that is their job, we should sack the lot of them.


#8

You’re right that the Rape-a-scan was nothing short of a scandal. The original IOT&E, circa 2008, provided TSA with clear demonstration of the pornoscanners’ inutility and easy defeatability in field settings with minimal effort and little knowledge on the part of attackers. This report was buried and all participants were under virtual gag order because clearance and secrets. The TSA bought the systems anyway because Skeletor had pull and TSA management was scientifically illiterate.

The report you link to mentions a few things like shaping and positioning, which were well known six years before this report, but could not be publicized. The researchers did the public a solid by acquiring one of the machines on their own to produce a report that would not be under classification.

One of the reasons kids were eventually exempted from the scanner is that the manufacturers could never figure out any durable way to stop screeners from saving archives of nudie pics. Screeners in a closed room with the computer all day will figure out a way to make it do what they want.


#9

I suspect that most people tend to fear death due to things they can’t control or predict more than things they can, and fear things which are becoming more common rather than things which are becoming less.

There are actions which can greatly reduce your risk of dying from drowning or lightning or a plane crash or by police.

Cancer and heart disease tend to work their mayhem over a long period, during which there are often relapses and the hope of fighting back.

Highway death rates are less than one-fourth of what they were when I was born, and still dropping.

It’s probably a good bet that if there were ten instances this year of a dozen or more people in a group instantly dropping dead of cancer, without any foreknowledge or the opportunity to put their affairs in order and say goodbye, it would be on the national radar in a big way.


#10

Amusingly, that makes it sound like we’d be safer if we did have terrorists on the planes. :laughing:


#11

When I reviewed those statistics, I realized that keeping those buggers alive is the most pressing duty of our civilization!

For every terrorist we keep from dying, we save:

  • 1 and 1/2 lightning victims.
  • 25 plane crash victims.
  • We stop 105 police deaths.
  • We rescue 200 people from drowning.
  • We redeem 2,200 people from fatal motor vehicle accidents.
  • AND we prevent 35,000 deaths from heart disease and cancer.

Just think of all the good we could do if we just breed terrorists, and as soon as they are ripe, we put them on extended life support in a secure facility. We could cure DEATH!!

Not that there is anything wrong with DEATH. Nice guy. Great sense of humor.


#12

Hᴇ hasn’t posted here much recently, though.

@Dᴇᴀᴛʜ, yo dude; you still around?


#13

“just buy another machine and swap in the drive” Someone has money to spare.


#14

I think I’ll just drive.


#15

I wonder whether forwarding yourself an SSD or a couple of USB sticks using, say, FedEx, would be a workaround.

And yes, top marks for the glitter nail polish tip. I’ve been looking for an excuse to buy some for ages.


#16

Maybe Hᴇ is on vacation, his daughter, apprentice, and granddaughter are also unavailable and thus all those old men are able to just stretch their time madly.

On the other hand: might be busy elsewhere. Several places spring to mind. Most of them in rather warm, dry areas. A rather wet one also among them.


#17

If that’s the case, I hope Hᴇ got someone to look after his bees in his absence.


#18

I honestly suspect that the market for what y’all are describing is too small to be considered worthwhile.

As for what @doctorow & Gilmor describe, some of it may be practicable but most either isn’t practical or only gives partial assurance.

  • In reality, most people traveling with a laptop don’t have the option of or the desire to use a limited function OS or device configuration.
  • If one is very genuinely concerned about the physical access problem (excusing the tin foil hat user set) then honestly the only actual solution is to travel with zero value data on some removable media. Physical access by a threat actor is always game over and depending on hardware at destination is not a solution either.

#19

Thinkpads have been like this for ages. Just remove one screw from a small cover, pull the cover off, and slide out the drive in its carrier. Of course, there’s the separate issue of having the carrier, but they can be ordered if you want more than one.


#20

This topic was automatically closed after 5 days. New replies are no longer allowed.