
Portable Fiasco

A Ray Of Sunshine In Your Darkroom

Posts tagged with "security"

This Is Why We Can't Have Nice Things


Four years ago, when the federal General Services Administration unveiled its plans for a new border-crossing station here in northeastern New York State, the design was presented as part of the agency’s campaign to raise the dismal standards of government architecture. Even many in the famously fractious architectural community celebrated the complex — particularly its main building, emblazoned with glossy yellow, 21-foot-high letters spelling “United States” — as a rare project the government could point to with pride.

...

Yet three weeks ago, less than a month after the station opened, workers began prying the big yellow letters off the building’s facade on orders from Customs and Border Protection. The plan is to dismantle the rest of the sign this week.

...

“There were security concerns,” said Kelly Ivahnenko, a spokeswoman for the customs agency. “The sign could be a huge target and attract undue attention. Anything that would place our officers at risk we need to avoid.”

-- At a Border Crossing, Security Trumps Openness

This story has been making all the usual rounds for a security-gone-mad story, from BoingBoing to Bruce Schneier. The article itself does a pretty good job of ridiculing the decision, so I won't have to do so much of that myself. It is interesting to see how an organization's subculture can develop enough inertia to stick with ideas that no longer make sense to anyone outside that subculture.

I was surprised that there aren't more photos of this building on the web in easy-to-find places. As a celebrated government project (the government gave the project a design award before dismantling the design) you might think there would be a gallery of public-domain photographs of it somewhere. But I haven't been able to find anything like that.

There's a concept drawing here.

The "Image Gallery" link at the bottom of this page makes it clear that some pretty neat photos exist, but they were hung on the walls of a gallery. Then someone took photos of the gallery and put those photos on the web. So even the virtual experience (looking at pictures of a sight you cannot actually see) is itself virtualized.

Maybe that's appropriate; after all, if The Terrorists are likely to attack the United States by targeting a sign that says "United States," there's no telling how meta they could get. They might target pictures of the sign as well. So we're safer this way. Right?

Security Blanket


I couldn’t believe that what Schneier was saying was true — in the national debate over the no-fly list, it is seldom, if ever, mentioned that the no-fly list doesn’t work. “It’s true,” he said. “The gap blows the whole system out of the water.”

— The Things He Carried, Jeffrey Goldberg, The Atlantic Monthly


A great read on the sillier post-9/11 airline security measures that continue to this day, despite their uselessness. What a waste of money and time.

FUI: The Fake User Interface


Prolific and well-known blogger Jeff Atwood recently discovered the same malware site I did the other day but has rather more to say about it. I particularly like his term "FUI," for Fake User Interface (presumably pronounced "phooey," as opposed to GUI, "gooey," meaning Graphical User Interface). Jeff believes the site's FUI is dangerously sophisticated, more so than others of its ilk. Perhaps he's right; I haven't seen too many sites like this before, so I have little basis from which to judge.

The browser FUI was convincing enough to even make me -- possibly the world's most jaded and cynical Windows user -- do a bit of a double-take. How do you protect naive users from cleverly designed FUI exploits like this one? Can you imagine your mother doing a web search on flowers -- flowers, for God's sake -- clicking on the search results to a totally legitimate website, and correctly navigating the resulting maze of fake UI, spurious javascript alerts, and download dialogs?


Oddly enough, the malware site in question isn't yet flagged by Opera's anti-phishing filter, even though I've reported it myself, as I'm sure many others have. Once again, a genuinely security-oriented mindset trumps rigid rules, mechanical systems, and other silver bullets.

Padlocks Redux


Today I got re-directed from a legitimate website to a brand new malware site. I suggest you don't go there, but there's a detailed description of it here, if you're curious.



The site "performs" an elaborate and entirely bogus "scan" of your computer, then tries to fool you into downloading and running some equally bogus "security" programs. That blue-and-orange Luna-style dialog box would be pretty scary if you're using the blue Luna theme, I guess, but it looks like a cop in a clown nose if you're not.

Of course, what I'm interested in is that gigantic padlock icon. With black-and-yellow safety tape! Wow! This site must be double-dog secure!

Except it's not. There's no padlock in the Opera address bar, where genuinely encrypted sites are indicated. If you look at the page properties, Opera knows the page isn't encrypted:



So now the good guys and the bad guys of the internet are doing the same thing; they're both showing meaningless padlock icons in their web pages to convince users the sites are safe. How do you fix something like that? If you changed the icon used in the browsers, the same people who spoiled the lock icon in the first place will probably just follow suit and spoil the new one too, by spamming the new one all over web pages.

This site is sort-of Opera aware. It does a bit of browser-sniffing to determine how to handle some things. Alarmingly, it detects Opera specifically. I had thought that with its very small (yet mighty) market share, Opera would be below the radar of these sorts of bad guys. Well, you learn something every day.

Too Many Padlocks


Here's what a certain credit card company's website looks like in Opera 9.5:

Notice that there are two padlock icons on this screen.

The top padlock, inside the address bar, means that the connection to the displayed website is encrypted, providing some measure of actual security for your private financial information as it flits back and forth around the world. If the user clicks on this padlock, a window with more information about the encryption system and security certificate pops up.

The other padlock, next to the "Log In" button, means (I guess) the web-design people think padlocks look snazzy, and that everyone would really enjoy seeing another one. If the user clicks on that padlock, nothing whatsoever happens.

The phenomenon is widespread. Here's a bank's website in Firefox 3:

Firefox puts the important padlock at the bottom of the screen, but the principle is the same. Firefox's padlock means the connection is encrypted. The user can double-click it to view more details about the encryption and the security certificate. The padlock in the web page doesn't do anything.

Why do web designers choose to display these extra padlock icons? Does it give some users a (false) sense of security? Anyone can show a padlock icon in a web page. It's only a picture. (E-mail me your credit card number! Don't worry, there's a padlock!) A browser can't guarantee that the people running a website are honest, but the browser's padlock icon at least means something. The padlock that's included in the web page doesn't mean anything at all.

I think the extra padlock icons are a bad idea. If one falls into the habit of trusting a web site because one sees a picture of a padlock in the page, one is just that much more susceptible to phishing schemes.

Perhaps I'm fretting over minutiae. The average web-surfer may not be savvy enough to pay attention to either padlock, may not know what either one means, and may have much bigger security problems to worry about. Even so, the extra padlock icon isn't helping. And the obvious alternative of simply not showing such an icon would actually be easier for the web-designers, surely. It would mean one less graphic-design element to argue about in meetings, wouldn't it?
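The distinction the padlock posts draw, as an added example that is not part of the original blog: a small Node.js check that separates what the browser's padlock reflects (the scheme the page and its form targets use) from padlock pictures embedded in the page. The URLs, HTML snippets and the image-matching heuristic are constructed assumptions for illustration.

```javascript
// Added example. Pages below are constructed samples, not real sites.
function attr(tag, name) {
  const m = new RegExp('\\s' + name + '\\s*=\\s*["\']([^"\']*)["\']', 'i').exec(tag);
  return m ? m[1] : null;
}

function auditPadlockSignals(pageUrl, html) {
  const page = new URL(pageUrl);
  // The browser's padlock reflects this: was the document fetched over TLS?
  const transportEncrypted = page.protocol === 'https:';

  // Where would typed credentials go? Resolve each form action against the page URL.
  const forms = (html.match(/<form\b[^>]*>/gi) || []).map((tag) => {
    const target = new URL(attr(tag, 'action') || '', page);
    return { target: target.href, encrypted: target.protocol === 'https:' };
  });

  // In-page padlocks: <img> tags whose src or alt mentions a lock (heuristic, assumption).
  const decorativePadlocks = (html.match(/<img\b[^>]*>/gi) || []).filter((tag) =>
    /padlock|(^|[^a-z])lock/i.test(`${attr(tag, 'src') || ''} ${attr(tag, 'alt') || ''}`)
  ).length;

  const everythingEncrypted = transportEncrypted && forms.every((f) => f.encrypted);
  return {
    transportEncrypted,
    forms,
    decorativePadlocks,
    // A padlock picture on a page whose traffic is not encrypted is a false assurance.
    misleading: decorativePadlocks > 0 && !everythingEncrypted,
  };
}

// Constructed sample 1: HTTPS login page that also shows a decorative padlock.
const CARD_SITE = ['https://cards.example/login',
  '<form action="/session" method="post"><input name="user">' +
  '<img src="/img/padlock.gif" alt="Secure"><button>Log In</button></form>'];

// Constructed sample 2: plain-HTTP "scan" page with a large padlock graphic.
const FAKE_SCAN = ['http://scanner.example/scan',
  '<img src="big-lock-tape.png" alt="Protected"><a href="setup.exe">Fix now</a>'];

// Constructed sample 3: HTTPS page whose form posts to a plain-HTTP endpoint.
const MIXED = ['https://shop.example/',
  '<img src="lock.png"><form action="http://shop.example/pay"></form>'];

for (const [url, html] of [CARD_SITE, FAKE_SCAN, MIXED]) {
  console.log(url, auditPadlockSignals(url, html));
}
```

All three samples contain exactly one padlock image, yet only the first is actually encrypted end to end, which is why the picture count cannot be used as a trust signal.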
