The Hacker Factor Blog

By now, we have all heard about airlines charging for luggage and drinks. This is all supposed to be a response to the high costs of fuel.

Unfortunately, these cost-cutting measures are nothing more than a knee-jerk reaction that will not address the core problem. For example, few people will buy drinks if they cost $2. Instead, they will buy water in the airport for $1.50. Thus, the airlines will not only fail to generate revenue, they will also end up carrying more weight since a $1.50 bottle holds much more water than those little cups. Moreover, the airlines will still need to carry drinks "just in case" someone is willing to pay $2. Not only will the airlines not be making sales, they will end up carrying more weight on the planes!

Similarly, charging $15 - $25 per bag is going to have two impacts. First, everyone will have a carry-on. Since airlines began charging for checked baggage, I have not been on any planes where the overhead bins did not fill. Every flight ends up with gate-checked baggage. This means loading the plane is slower because gate checking take time, and the airlines miss out on the checked bag fee because you can't arbitrarily charge passengers just because they happen to get in line to board a little later.

However, the second issue is bigger: weight. The addition cost is supposed to cover the luggage's added fuel requirements due to weight. However, if I must pay $15 to check my bag, I'm going to be sure to use the largest bag available and fill it to the limit. This will give me the best cost benefit. Unfortunately for the airlines, my thinking is not unique. In my own unscientific observations, checked luggage seems bigger and heavier. People may be checking less luggage, but the checked luggage weighs more. I suspect that they are not turning any profit with even a $25 charge.

Lighten Up

Beyond the nickel and diming that really isn't benefiting the airlines, airplanes are trying to lighten the load. Lighter planes consume less fuel, making the flight less expensive for the airlines.

Some people have proposed charging by body weight. Fat people would pay more, right? Except that I can buy my ticket online and I don't have a scale hooked to the computer. And if they want to weigh me at the airport, then I'm going to wear a speedo since clothing adds 3-5 lbs. (And I'm one of those people who really shouldn't wear a speedo.)

Seriously though, wait until you see the purgers and starvation dieters who try to crash-diet in order to save cost. If you thought that passengers were irritated at the airlines now, wait until you load the plane full of starving passengers who don't want to pay $5 for a crappie box lunch...

A few airlines are making serious changes with regards to weight. They are trading security and safety for lower fares. For example, Air Canada's Jazz airline reduced personnel last month as a cost-saving move. This month, they have decided to remove life vests from their planes. (I'm not kidding.) They estimate that this will save a whopping one pound (0.45 kg) per passenger. A spokesman for Jazz reportedly said that Jazz doesn't fly over water, so life vests are not needed.

Of course if Jazz requested all passengers to not eat 24-hours before flying (offer a free cholesteral test for all fliers!) and to use the restrooms to... unload... before boarding, then 50 people could easily cut another 50lbs. Heck, why not change the name to Anorexic Airlines and only serve people who weigh under 100 lbs?

Then again, Air Canada has a pretty good track record. Since they rarely crash, why not remove the oxygen tanks? These are similar to the tanks used by hospitals and weigh around 10lbs. I don't know how many people a single tank can server, but I usually see them in every other overhead compartment. Let's say it serves 8 people. Then Jazz's 50-seater planes will need 6 tanks -- that's another 60lbs.

Besides, the oxygen is only needed while the plane is higher than 10,000 feet. If the plane looses pressure at 35,000 feet, the passengers won't die if the plane descends fast enough. The extra weight really isn't needed. Although I would recommend oxygen for the pilots, the passengers can suffer. I mean really, if the plane looses pressure that high up, "oxygen" isn't going to be the number one issue. And if the plane stays high too long, then the cold (hypothermia) will be just as damaging as any hypoxia -- and some airlines are currently charging for blankets.

But Wait! That's More!

Amazingly, this knee-jerk reaction isn't limited to the airlines. TSA recently announced a change to their security lines: they are adding colored stripes.

Black diamond or "Expert Traveler" lanes are for frequent fliers who know screening rules well.

"Casual Traveler" lanes, which are marked with a blue square, are for people who are familiar with airport security rules, but who don't want to be rushed.

Lanes that have a green circle are for passengers who are traveling with small children or who need assistance, according to the agency.

Will there suddenly be cases of road rage in the security line because someone in the black diamond lane should be in the blue lane? Will there be a red lane for terrorists or people carrying banned weapons? Right now, passengers can't even remember that they are carrying a bottle of water. Does TSA really think people will know which line to get into?

Then again, TSA also started the CLEAR system. This is the biometric system for speeding up check-ins (because pulling out your driver's license is such a hassle). This privilege only costs $128 for the first year. (There is no mention of the renewal cost.) And just ignore that isolated incident where a laptop containing CLEAR data was stolen, leading to the theft of personal and biometric data for 33,000 applicants.

Real Savings

The real way to cut costs is not to charge for minor services. The real way is to cut major expenses. For example, why is United still offering flights between Denver and Colorado Springs? Passengers must arrive at the airport two hours early so they can fly for 30 minutes? This $450 flight can be done cheaper and faster with a bus. The same goes for flights between Reagan National, Dulles, and BWI in the Washington DC area. In fact, most of these small puddle-jumpers can be cut and replaced with less expensive transportation options. Considering the human travel time, airports closer than three hours by car should not have transfer-shuttle flights.

If gas prices make flying prohibitive, then raise ticket costs. Don't charge passengers for necessities like the first suitcase or carry-ons. Cut fuel costs from idling at the gate by better organizing passenger loading. As an example, I recently flew on Southwest Airlines. This budget airline does not charge for checked luggage, not charge for drinks, and every seat has leg room. I was very impressed with their passenger loading system (line up the passengers in seat order! What a concept!) and even how they served drinks (take orders, then bring beverages; no cart in the aisle). Watching how the operation worked, I could only say "brilliant". No wonder Southwest has never entered bankruptcy.

Many airlines are hemorrhaging money, unable to keep up with operational costs, and charging convenience fees in the false belief that this will lessen their problems. They are wrong. These airlines are doing nothing more than flailing wildly as their revenue freefalls. I would not be surprised if airlines like United announced bankruptcy again.

Sometimes I think there are dots that may need connecting. Consider this:

On 13-Aug-2008, Denver police discovered a dead guy in a downtown hotel room. The guy reportedly had a pound of sodium cyanide. The medical examiner says he died from cyanide poisoning and had been dead for about six days. According to the news report, an expert told the Denver Post that the amount of cyanide is enough to kill hundreds of people.

There are a lot of unanswered questions here. For example, why was 29-year-old Saleman Abdirahman Dirie (Ottawa, Canada) in Denver? Why did he have a pound of sodium cyanide? And was this related to the Democratic National Convention being held a week later? One theory that is covered in the report is the possibility of a suicide.

The same report says that someone with the same name as the dead guy (Abdirahman Dirie) had posted a threat in an online forum in July (here's the posting, see the comment from July 11, 2008 @ 10:33 pm). The threat says:

Please don’t talk s**t , that man deserves what happened to him , simply because having the bible in one hand , and a bread in the other hand , is not a correct thing ,! Kill Them , Kill them , Kill them , that is my massage,!

Comment by Abdirahman Dirie — July 11, 2008 @ 10:33 pm

But then I read this story... On 16-Aug-2008 (three days after the dead guy was found in Denver), a group of public and private agencies ran a WMD disaster drill in San Francisco. The drill? "a terrorist with a backpack full of sodium cyanide--a chemical used in gold mining operations that quickly attacks and shuts down the human respiratory system--unleashed it inside" a building in the financial district.

Let's see... The same poison, a pound could easily fit in a backpack, both scenarios had hundreds of potential victims, and both used buildings in the downtown area. Considering that these drills are not planned at the last moment, someone must have known something like this has a high probability. But people shouldn't panic, as a Denver police Detective John White is quoted, "It's an isolated incident".

Also, the San Francisco drill had one other detail not found (or at least not reported) in the Denver case: the San Francisco scenario also included an improvised explosive device. And when asked if Dirie's death might be a suicide, FBI Special Agent Kathy Wright was quoted as saying, "It's a little too early to really say."

By now, we have all heard about the image manipulation during the opening ceremonies of this year's Olympics. The televised image of fireworks was actually a composite of real fireworks and computer graphics. The sequence took nearly a year to complete, and the artist was very happy with his work.

Personally, since the TV didn't say "LIVE" in the top corner and it does not skew any of the Olympic scores, I don't have a problem with this. In fact, I even approve of China's excuse: it would be unsafe for helicopters to be in the air during the fireworks. (It certainly isn't true: helicopters hover far above the fireworks, but it sure sounds like a good excuse.)

In fact, this year's Olympics has plenty of real-time graphics that are not upsetting anyone. For example, at the beginning of the track and field, and swimming competitions, the athlete's name and country are drawn on the screen. Cool: now I know who to cheer for. And those green lines that mark the world-record times are not ribbons being dragged by very small Chinese girls; no -- they are computer graphics.

However, other computer graphics seem more subtle and I'm not please with them. For example, did anyone else notice that none of the runners in the woman's marathon had belly buttons? Yup: all of them were gone.

New York Marathon: See Da Belly	Olympics: Sans Belly Button

Perhaps they just have very small pupiks that don't show up on TV, or maybe they wore them off while building up those abs. Seriously though, we know they exist because other photographers clearly show them:



But I just didn't see anyone with a belly button on the TV.

In fact, the only other sports so far with exposed midriffs are women's track and woman's beach volleyball. The closeups are usually from mid-torso up, skipping the belly button. A few closeups do show them, so I know they exist. But in volleyball, the belly button is frequently hidden behind the digital overlay that shows the score. In contrast, every distant view has players without navels.

I actually suspect that there is a "navel filter" with a size threshold. As the camera moves in, the belly button seems to appear out of nowhere. It is as if any navel smaller than a certain size is removed, but larger is kept.

Then again, I am sure that there are other computer graphics going on during woman's volleyball. For example, I am convinced that the black gunk on Kerri Walsh's shoulder is actually where the chromakey mask failed. (Nobody really has a body like that.)


I also wonder if there are other filters involved. For example, is seems like no athletes have zits. Most tattoos seem blurred. And I cannot help but speculate on whether nipple or butt-crack filters are in use.

All of this reminds me of the cartoon "Beetle Bailey". The editor didn't like Mort Walker drawing in belly buttons, so he would take a small knife and cut them out of the strips. Soon the editor had a box on his desk labeled "Beetle Bailey's Belly Button Box". Walker decided to revolt: he would give women extra belly buttons and place them everywhere. Eventually the editor surrendered. Perhaps our Olympians need extra navels...

In any case, since the Olympics are international, here is how to say "belly button" in different languages:

• Chinese: 脐橙 (dùqí)
  
• Japanese: ネーブル (ne-buru or neeburu) or へそ (heso) -- thanks akboss and Brett.
  
• German: nabel
  
• French: nombril
  
• Italian: ombelico
  
• Hindi: नाभि (naabhi) -- thanks to mayank
  
• Greek: ομφαλός
  
• Norwegian: navle
  
• Polish: pępka

(If you happen to know the English-phonetic spelling for the Japanese, Hindi, Greek, or other languages, please let me know and I'll post it here.)

Each year at the Defcon hacker conference in Las Vegas, there are various panel discussions. This year, the "Ask the EFF" panel started with a press conference about three MIT students who had an injunction against their presentation. (The Electronic Frontier Foundation is like the ACLU for technologists.)

This year's "Meet The Feds" panel started with their annual "Spot the Lamer" game. They recruited member of the audience and each of the different Federal agents asked questions in order to identify the lamest geek. "Do you live in your mother's basement?" "How many computers do you have?" This year, the best question was "How many members of the Skywalker family can you name?" The guy answering it didn't miss a beat and responded, "immediate or extended?" It was also very funny that Marcus Sachs was chosen as one of the lamer contestants. Priest (the big goon) simply called Marcus "Pretty Boy". I hope the nickname sticks.

Usually questions for the Meet The Feds panel vary from political to informative. But this year, they were getting dark and paranoid. After a half hour of this, I decided to have some fun. I went to the guy controlling the room's audio and asked him to kill the microphone when I started asking my question. He smiled and said "Sure!" After waiting in line for 10 minutes, I walked up and said, "My question is about the continual suppression of information about UFO *click*" The sound cut out right on cue! The entire audience erupted in laughter. When they turned back on mic, Jim Christy (retired DoD DC3) said, "You waited in line to ask that?"

Cyber Security for the 44th Presidency

Late last year, Marcus "Pretty Boy" Sachs became a member of the Commission on Cyber Security for the 44th Presidency (CSIS). This commission was created to advise the next President on online-related issues and will guide national policies.

While it would be ideal to have a President who is techno-saavy, that just isn't going to happen. (I doubt that any of the candidates can explain the difference between a port scan and an overflow.) Instead, the President relies on advisors, such as the CSIS, to explain the situation in terms that will not glaze over his eyes.

During Marcus' panel on "Cyber Security for the 44th Presidency", he asked what advise or policies the audience of hackers thought should be brought up to the President's attention. The responses were really varied...

• Some people wanted the CSIS to give really technical suggestions, like "require everyone to use a firewall" or "disable unnecessary ports". However, there are some problems with these suggestions. Although they are good ideas in general, would you like laws requiring a firewall? Everyday new protocols are created. The presence of a firewall could deter the next big thing. The same goes for disabling unnecessary ports -- who is to decide what is "necessary"? Also, tunneling protocols, like stunnel, PPTP, and ssh, virtualize ports -- which is better, one big hole or lots of little ones?
  
  
• A few suggestions were impractical (in my opinion). For example, one guy wanted to tell the next President to give incentives to companies that create secure software. The impractical parts comes from enforcement: is the software secure because it is secure, or has nobody taken the time to look? And what should be the punishment if something is found to be vulnerable after the company receives the incentive? Finally, are all vulnerabilities expected to be treated the same?

I had asked something that I thought at the time was a good question: Are we in a cyber war? Given all of the reported attacks against government systems, are these just random attacks or organized warfare? Pretty Boy didn't give me a direct answer. He asked me "The President declares war. Who declares Cyber-War?" "Uh, the Cyber-President?"

In hindsight, my question was poorly worded. Having thought about this for a week, I have come to the realization that there will not be a "cyber-war" with today's technology. Wars have long-term repercussions. They change national boundaries, alter power structures, and drive economic change. Cyberspace is not a war -- it is a battlefield. There are constant skirmishes and saber rattling, with big threats coming equally from foreign nations, hostile organizations, and even rogue individuals. The question becomes: at what point should a cyber threat drive a real-world response?

Having said that... During the CSIS panel, Marcus Sachs asked people: what message would they want the CSIS to take to the President. Here are my thoughts:

• Attacks from cyberspace cannot last forever; don't make a permanent response to a temporary threat. For example, most denial-of-service attacks last days. Some last weeks. None have lasted years. While there can be economic or strategic impacts, we should plan for contingencies and not use it as a reason for an invasion or physical counter-attack.
  
  
• The biggest threat is from information theft. We have already seen that wars are not won by might; a weaker army with better intelligence is more effective. We must take steps to better protect our own information -- we must increase our ability to detect possible attacks, take proactive measures to prevent attacks, and remove sensitive information from externally accessible systems. This isn't just for the government; this mentality of prevent, detect, and deter must be extended to the commercial sector.
  
  Notice how I only mention defensive steps and I do not mention offensive measures. I have little doubt that the United States is compromising foreign government computers in order to gain actionable intelligence. However, since we usually don't hear about it in the news, I suspect that our offensive measures are good enough to not be detected.
  
  
• We need to educate Americans about the need to protect ourselves and our right to privacy. Too many times I have heard people say that nobody would want anything on their computer, or they have no sensitive information. What most people do not understand is that information has value -- all information. If an attacker knows when you go grocery shopping, then they know when you are not home and can burglarize your home. If they know who your friends are then they can impersonate them online in order to win your trust. And if they know your family, then kidnapping and other threats can become very real.
  
  
• We need to educate members of congress and law enforcement about security. Taking precautions to protect yourself, with cryptography, with secure architectures, with intrusion detection systems, is not an indication of guilt. Just as it is not suspicious to lock the doors on your car or chain your bike to a tree, encrypting data and digitally signing messages should be the norm and not the exception.
  
  
• Steps must be made to hold critical infrastructures accountable for poor security practices. My first thought goes to the credit card industry, who take a reactionary response to attacks, years after the threat is known. (And don't get me started on the PCI DSS -- it is as effective than closing your eyes and hoping the bad guys go away.)
  
  
• We need to make better use of the resource we have. Organizations like the FBI's Infragard have thousands of highly technical and skilled experts, yet there is no plan for actually using them. Infragard members attend meetings but there is no plan for calling them to action as some form of cyber-militia; they run no drills, offer no training, and have no communication infrastructure. In fact, the Infragard membership form only asks for personal information and nothing about skill set or capabilities. Outside of a handful of technical government departments, "hackers" are viewed as a threat and not a resource. This must change. We, as a country, must better utilize the available resources.

If you have other suggestions, let me know. I'll make sure that Marcus Sachs sees them.

Presidential hopeful (and techno-idiot) John McCain recently denounced Russia's invasion of Georgia by saying, "in the 21st century nations don't invade other nations." Uh, what about the US invasion of Iraq, US overthrow of the Taliban government in Afghanistan, and China's recent re-invasion of Tibet. In fact, there are currently dozens of ongoing conflicts that include the invasion of independent nations.

However, McCain did get one thing kind of right. Physical occupation of a foreign nation may not be needed if their information is vulnerable. The impact and frequency of cyber-attacks are on the rise. We must prepare for the inevitable cyber-attack, we must protect and defend ourselves, and we must educate our population and our leaders.

I just got back from Defcon 16. Wow. I'll probably be blogging about it over the next few entries as things sink in.

A few quick notes:

Bigger

Defcon has been held at the Riviera for the last 3 years. Prior to that, it was at the Alexis Park -- but it outgrew that location. Defcon was so crowded this year that it seems to have outgrown the place. There were times when the whole aisle was crowded and not moving.

I also didn't see a bunch of people who I know were there. (I only saw Grifter on the last day, and didn't get to see his new kid, Twitch. But Grifter is definitely a proud papa.)

Many of the offbeat entertainment seemed subdued this year. This was probably due to a combination of the crowds (it's hard to pick the lock on an ATM when there are hundreds of onlookers) and the fact that at least half of the crowd were either feds or government contractors.

Safer

I picked up one excellent piece of advice from the MySpace security guru (during the Social Site Hacking QA session). The advice was unrelated to social sites; it was related to identity theft.

If you have a bank account or credit card that permits online management, then ENABLE THE ACCOUNT. Here's why: the bank/card is already configured for online management. If your card or banking information gets stolen, then the first thing the bad guys do is create the account. Then they change the billing address, request a copy of everything, and then change the address back so you do not notice. (Ouch!)

However, if you create the account first and give it a good password (not your dog's name or car license plate), then the bad guys cannot get in. Also, the bad guys have thousands of stolen identities. They are unlikely to spend time guessing your password when there are other ids that are easier to pilfer.

Top of the Top

I think the absolute best talk was by Nathan Hamiel and Shawn Moyer. Dressed as priests, they presented on social networking hacks: "Satan is on my Friends list: Attacking Social Networks".

Dan Kaminsky's talk on DNS was excellent, yet it was exactly what I expected. Basically, he found a new way to do an old attack. Having shown how to compromise DNS, he then discussed all of the implications. Every dependent protocol -- from web logs to email to SSL and more -- are vulnerable. If you are heavily into networking, then you knew this already. But most of the audience isn't that deep on the subject, so Dan did an excellent job bringing this problem into focus. ("Focus" is a loose term, considering the four beers he had during his presentation.)

One of the big controversies came when a trio of MIT students were barred by a Massachusetts court from presenting on vulnerabilities in the Massachusetts' transit authority's ride-card system. So my friend, Dutch journalist Brenno de Winter, filled the time with a similar presentation that discussed the same type of card system that is used by the Dutch. I had never heard him give a presentation before, and he is a very entertaining speaker. (Two thumbs way up.)

The surprise talk was a last-minute replacement. Alex Pilosov and Tony Kapela talked about BGP hijacking. Alright, this freaked me out. They were transparently redirecting all traffic from the conference network to New York. In the process, they were running a packet capture of all traffic. Totally transparent. No serious technology needed. Wow. Insomnia, here I come.

Well, I'll write more later, after I get a moment to think about the deeper impact of things.