I ran across an interesting article on TechDirt this morning about a couple of bloggers who were playing around with a microscope and the US Visa and Border Crossing Card. What they found was quite interesting. On the back of the card is a strip of tiny etchings of every U.S. president and all the state flags. Nothing overly exciting, right?
The label for the 6th president of the United States is actually printed as “John Quincy Adames” – yes, you read that correctly. There apparently is a typo on official U.S. government documents. An “e” was either accidentally or purposely added to our sixth president's last name.
That seems like a pretty big mistake. However, some are suggesting that it was done on purpose. In the comments to the Notcot post, two specific theories are presented: the first is that JQA changed his last name to distinguish himself from his father. Doing some quick searches around various bios of Adams, however, shows absolutely no support for this one. Even the White House’s own page on JQA spells it Adams and makes no mention of such a change.
The explanation TechDirt proposes is that the misspelling is a form of fraud and/or counterfeit detection. This makes sense and, assuming it is not a genuine error, is the most plausible reason for the “error”. Even on such a seemingly innocuous document there has to be a variety of counterfeit detection options, similar to how U.S. currency has a number of security features.
No matter what the explanation, it is interesting this has never been found until now. It is also intriguing to see the lengths our government will go to protect its very own products, even something as relatively unimportant as the US Visa and Border Crossing card.
Have you ever considered that a U.S. government agency, such as the NSA, has the capability to break into an SSL-encrypted session between you and your bank and eavesdrop on that conversation? That idea alone should cause you to pause the next time you see the padlock icon in your browser light up when you think you are browsing securely.
In a purely hypothetical example, the U.S. government can force a Public Key Infrastructure (PKI) to give them a publicly trusted certificate for www.amazon.com. They then poison your DNS and route your traffic for www.amazon.com to a site they own that has the fake certificate installed. Your browser then gives you that pretty green bar or little lock and you think everything is cool, safe and secure. Or… they can put a device between you and your target and then perform SSL interception.
Never put anything past the U.S. government and its intelligence gathering capabilities. I think that is a safe theory to operate under. Even though suspension of disbelief is required in movies like Enemy of the State and Déjà Vu, where the government employed nifty intel collecting techniques, something as simple as eavesdropping on SSL-encrypted communications should not be underestimated.
In fact, performing an SSL man-in-the-middle “attack” using a web proxy server and SSL decryption is not difficult at all. It is exponentially more believable in a corporate setting, where the IT guys control the operating system and web browser; however, that does not mean it is unheard of elsewhere.
What is the point? Be careful who you trust when you are supposedly surfing securely. Educate yourself on the security techniques used by SSL and how they function. While in most cases there is nothing to be concerned with, it is important to understand that SSL is not the end-all be-all of network security. It has its own shortcomings as eloquently articulated in this article.
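The gap described above is that a substituted certificate still chains to a trusted root, so the padlock appears either way. As an added example (not part of the original post), one client-side check is certificate pinning: compare the SHA-256 fingerprint of the certificate the server presents against fingerprints recorded in advance. The host name, pin set and certificate bytes below are constructed placeholders.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect with normal CA and hostname validation; return the leaf as DER."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def pin_verdict(der_cert: bytes, pins: set) -> str:
    """Judge a certificate that has ALREADY passed CA validation.

    A certificate from an interception proxy or a coerced CA passes the
    browser's chain check, but its bytes differ, so its fingerprint does too.
    """
    normalized = {p.lower() for p in pins}
    return "match" if fingerprint(der_cert) in normalized else "pin-mismatch"


def check_host(host: str, pins: set, port: int = 443) -> str:
    """Live check: 'untrusted-chain', 'pin-mismatch' or 'match'."""
    try:
        der = fetch_leaf_der(host, port)
    except ssl.SSLCertVerificationError:
        return "untrusted-chain"
    return pin_verdict(der, pins)


# Constructed stand-ins for DER certificates (not real certificates).
GENUINE = b"constructed-DER: CN=shop.example, issuer=Public CA 1, serial=01"
BACKUP = b"constructed-DER: CN=shop.example, issuer=Public CA 1, serial=02"
SUBSTITUTE = b"constructed-DER: CN=shop.example, issuer=Proxy CA, serial=99"

# Pin the current certificate and a pre-generated backup so that a planned
# renewal does not look like interception.
PINS = {fingerprint(GENUINE), fingerprint(BACKUP)}

if __name__ == "__main__":
    for name, cert in (("genuine", GENUINE), ("substitute", SUBSTITUTE)):
        print(name, pin_verdict(cert, PINS))
```

Pins must be recorded over a channel you trust, and a mismatch after an unannounced certificate renewal is a false positive, not proof of interception.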
The Washington Post has a fascinating exposé of the post-9/11 government after concluding an interesting two-year investigative journalism project.
To ensure that the country’s most sensitive duties are carried out only by people loyal above all to the nation’s interest, federal rules say contractors may not perform what are called “inherently government functions.” But they do, all the time and in every intelligence and counterterrorism agency, according to a two-year investigation by The Washington Post.
What started as a temporary fix in response to the terrorist attacks has turned into a dependency that calls into question whether the federal workforce includes too many people obligated to shareholders rather than the public interest — and whether the government is still in control of its most sensitive activities. In interviews last week, both Defense Secretary Robert M. Gates and CIA Director Leon Panetta said they agreed with such concerns.
The Post investigation uncovered what amounts to an alternative geography of the United States, a Top Secret America created since 9/11 that is hidden from public view, lacking in thorough oversight and so unwieldy that its effectiveness is impossible to determine.
I have not read through even a small percentage of the content available online so formulating an opinion on the subject matter is going to take some time. However, I have direct experience where contractors regularly act on behalf of the US government even though doing so is against the law. In most cases this is not malicious, but because the job has to get done and sometimes “acting on behalf of the US government” is so subjective that the answer could be debated for years.
Nonetheless, the Washington Post should be commended for the exceptional amount of time it took to amass all the data they have compiled and placed online for public consumption. This is the type of journalism we need, whereby the press performs those much-needed checks against what our government is doing on a daily basis. These exposés are an important part of democracy and will only serve to make America stronger in the long run.
I came across this little gem of a post on IT security and can’t agree more with Mr. Bejtlich’s assessment. Here’s what he had to say on IT security and uncertified IT workers:
The myth is this: “If we just had a better trained and more professional IT corps, digital security would improve.”
…
Instead of spending money first on IT workers, educate their management, throughout the organization, on the security risks in their public and private lives.
The balance between security and business is a common gray area that’s unlikely to go away in the near future. Differing ideals and philosophies towards security spread through all levels of corporate staffing, and that difference in opinion often leads to security configuration extremes.
Perceptions of IT security range from paranoia to irresponsibility. Just as Richard Bejtlich blogs, the best case for striking a balance between the two is when all parties involved are educated and have a clear understanding of security and its necessity within the business.
One of the cornerstones of President Obama’s campaign bid for the White House was more government transparency. After being inaugurated, Obama issued an executive order directing government officials to determine ways to make government information more accessible to the public. Data.gov is one of the fruits of this labor, having just launched today. The intent of the site is to be an information clearinghouse for all publicly available government data. Unfortunately, while the efforts are to be lauded, the site fails to impress.
President Barack Obama was the first candidate to make extensive use of social networking tools during his campaign for the presidency. His campaign used these tools so the average user benefitted from visiting Obama’s various web sites and social networking profiles. With Obama at the helm of the United States, one would expect the President to force a bureaucratic culture change, ushering in a new era of governmental use of social networking and embracing the web. Unfortunately, the government has both embraced and banned social networking in the same breath.
One of the significant promises Barack Obama made during his run-up to the presidency was overturning the Bush-era culture of White House and governmental secrecy. Americans, knowing full well there will never be a complete removal of political backroom drug-deals, were eager to see a more open, transparent government – a pledge Obama was intent on keeping. Unfortunately, it appears the President has been unable to keep that promise, instead opting to allow his administration to play the national security card to keep details of the controversial Anti-Counterfeiting Trade Agreement (ACTA) out of the eyes of the general public.
President Barack Obama ran arguably the most technologically advanced political presidential campaign in modern politics during the run-up to the primaries in November 2008. Obama assembled an exceptionally savvy campaign team, making use of social networking, YouTube, blogging and other innovative methods of communicating with his [potential] supporters. This same team of clever technologists is apparently finding it quite challenging to adapt those effective techniques to the Federal government.