When we boarded a little later, I asked for the ninny's name. He refused and hissed, "If you make a scene, I'll call the pilot and you won't be flying tonight."

The credit controller, from Gloucester, says he now suffers "appalling" abuse from the authorities and public who doubt his motives. The bus-spotter, officially known as an omnibologist, said: "Since the 9/11 attacks there has been a crackdown. "The past two years have absolutely been the worst. I have had the most appalling abuse from the public, drivers and police over-exercising their authority. Mr McCaffery, who is married, added: "We just want to enjoy our hobby without harassment. "I can deal with the fact someone might think I'm a terrorist, but when they start saying you're a paedophile it really hurts."

Israeli authorities are investigating why a Palestinian resident of Jerusalem rammed his bulldozer into several cars and buses Wednesday, killing three people before Israeli police shot him dead. Israeli authorities are labeling it a terrorist attack, although they say there is no clear motive and the man -- a construction worker -- acted alone. It is not known if he had links to any terrorist organization.

Turns out the ninja was actually a camp counselor dressed in black karate garb and carrying a plastic sword. Police tell the Asbury Park Press the man was late to a costume-themed day at a nearby middle school.

Amsterdam police say 15 camels, two zebras and an undetermined number of llamas and potbellied swine briefly escaped from a traveling Dutch circus after a giraffe kicked a hole in their cage.

This customer had a massive application written in ASP classic. Since it was in ASP classic it had massive numbers of SQLi vulnerabilities. Everything from Blind SQLi to the always fun SQL statements in the URL. The customer said this application was roughly 250,000 lines of code with SQL hardcoded throughout. The reason the customer had called WhiteHat is because they where working on a big deal with a potential client and this client was asking for a security report on the application. They where also in the early phases of rewriting the application in .NET (yeah) with an estimated completion date 1.5 years out.

After seeing our report (100+ SQLi and 300+ XSS) and after a protracted developer battle(yes XSS is not good) they where left with two not good options.

1. Lose the customer.
2. Stop the rewrite and spend a few months digging through old code to fix these issues

Now from a business point of view neither of those makes sense. At the time we where in the WAF hater camp but we saw that in this case it made total sense. The customer deployed a WAF, configured it using our vulnerability data, and was able to mitigate the risk in about 3 weeks.

Bottom line and what people continually fail it understand is that every current solution on the market today has its short comings. In security everything does. Is there one magic network solution that will prevent all network attacks? No. You have spent a ton of money protecting your network infrastructure. Let’s take a quick look at the list of things you probably have spent money on today:

1. Firewalls
2. IDS/IPS
3. Network Vulnerability Scanning
4. AntiVirus
5. Configuration and Patch Management
6. Database Scanning
7. Database Encryption

Guess what, none of that protects you from the rush of SQLi, XSS, and other web based attacks. All that money and you still have big gaping holes.

To properly attack the Web Application Security problem you should be doing all of these things:

1. Secure coding practices
2. Source code review
3. Black box testing
4. Web Application Firewalls
5. Developer Training
6. Configuration and change management

The reality today is that people underestimate the size of the problem and therefore do not have the budget to do all these things. You can stretch those budget dollars pretty far with an open source scanner and mod_security (software cost $0). WhiteHat is not that cheap but we are very cost effective, combined with mod_security you can go a long way. Need a more robust solution, WhiteHat + F5 can scale to 1000 of web sites in a very cost effective manner. WhiteHat and our WAF partners can knock items 3-5 off your list while you go work on getting your coding practices in place. Even after you get those practices in place you are still going to find vulnerabilities and having that “instant” mitigation ability is very comforting.

Robert over at cgisec sees the light as well. He has managed and is currently managing web site security for some of the largest most frequently attacked web sites on the planet.

Post from: Grumpy Security Guy

The Business Case for WAFs + Testing

But two weeks ago a jury in the civil lawsuit against that employer, NDS Group, largely cleared the company -- and by extension Tarnovsky -- of piracy, finding NDS guilty of only a single incident of stealing satellite signals, for which Dish was awarded $1,500 in damages.

"I knew this was going to come," Tarnovsky says. "They didn't have any proof or evidence."

The trial was years in the making, yet raised more questions than it answered. It came down to testimony between admitted pirates on both sides who accused each other of lying. Now that it's over Tarnovsky, who was fired by NDS last year, is eager to tell his side of the story.

Dressed in loose jeans, flip-flops and a T-shirt, Tarnovsky, 37, spoke with Wired.com by phone and in an air-conditioned lab in Southern California where he's been running a consultancy since losing his job. Surrounded by boxes of smart cards and thousands of dollars worth of microscopes and computers used for researching chips, he talked excitedly at lightning speed about his strange journey, which began in a top-secret Pentagon communications center, and ended with him working both sides of a heated electronic war over pay TV.

His story sheds new light on the murky, morally ambiguous world of international satellite pirates and those who do battle with them.

The stakes are high: Earnings in the satellite-TV industry reach the billions. In the first quarter of this year alone, U.S. market leader DirecTV announced revenue of $4.6 billion from more than 17 million U.S. subscribers. Dish Network earned $2.8 billion from nearly 14 million subscribers. Although satellite piracy has greatly diminished from its peak seven to 10 years ago when the events detailed in the civil lawsuit took place, the two companies lost millions in potential revenue, and spent millions more to replace insecure smart cards used in their systems and track down dealers selling pirated smart cards.

Those smart cards are at the center of the controversy over NDS, a British-Israeli company and a majority-owned subsidiary of Murdoch's News Corp. The company makes access cards used by pay-TV systems, most prominently DirecTV -- itself a former Murdoch company. Nagrastar, a plaintiff in the case and NDS's chief competitor, makes access cards used by Dish Network and other runners-up in the market.

According to allegations in the lawsuit, in the late '90s NDS extracted and cracked the proprietary code used in Nagrastar's cards, a fact that NDS doesn't contest. What happened next, though, is hotly disputed. Nagrastar says Tarnovsky used the code to create a device for reprogramming Nagrastar cards into pirate cards, and gave the cards to pirates eager to steal Dish Network's programming. Tarnovsky was also accused of posting to the internet a detailed road map for hacking Nagrastar's cards.

Nagrastar says NDS had an obvious motive for these antics: Their own chip, the so-called P1 or "F Card," had already been thoroughly cracked by pirates, and the company wanted to level the playing field with its competitors.

NDS denied the allegations at trial. The company declined to comment for this article or to confirm details of Tarnovsky's employment other than to say it was pleased that the verdict "ended in a resounding affirmation of NDS and its business ethics and proper conduct."

Tarnovsky began his pirating career in the '90s while serving in the U.S. Army. He had a top-secret SCI security clearance working on cryptographic computers in Belgium for NATO headquarters, and spent a year at Ft. Detrick in Maryland providing support to the National Security Agency for satellite transmissions to Europe.

In 1996, he was stationed in Germany when his colonel sold him a used satellite-TV system, along with two pirated access cards, neither of which worked. Tarnovsky began posting on online pirate forums, and developed contacts in the community, ultimately learning how to fix the cards to access English-language programs from Sky in the United Kingdom.

After leaving the Army and returning to the States, he got a call from Ron Ereiser, a Canadian pirate who'd heard about him through the grapevine. Pirates had found a back door in the P1 card and were vigorously exploiting it to get DirecTV content. But the cards kept failing. In a game of pirate pingpong, DirecTV periodically deployed electronic countermeasures, or ECMs, in the satellite stream that killed the cards in their set-top boxes. Ereiser needed someone to fix the cards.

There was serious black-market money on the line. In Canada, where pirating of U.S. satellite services wasn't considered illegal until 2002, syndicates of dealers did enough business that they could afford to chip in about $50,000 to hire a programmer to reverse engineer the latest cards. Pirate cards would sell for about $200 each, with the profit split between the investors and engineers. Tarnovsky claims Canadian pirate dealers could make $400,000 in a weekend; when Reginald Scullion, a notorious pirate in Canada, was raided in 1998, authorities seized $5.5 million from his bank accounts and safe-deposit boxes, though not all of it was from piracy.

Ereiser, who now works as a consultant to Nagrastar, concedes that the money from piracy was good, but insists that nobody became an overnight millionaire. "It was lucrative," he said in a telephone interview. "But to suggest that millions were being made in a month is an absolute crock."

DirecTV's countermeasures were a nagging drag on this lucrative trade. Every time an ECM was deployed, Ereiser and other dealers would be harangued by customers demanding to have the cards fixed and their TV programs restored.

Tarnovsky, who was known online as "Big Gun," says Ereiser offered him $20,000 to fix cards that were killed by ECMs, and he agreed. Each time NDS created a countermeasure, Tarnovsky would analyze the code and find a way to circumvent the countermeasure. He did it while working full-time as a software engineer for a semiconductor company in Massachusetts.

"I'd be at work and I'd check the IRC (channel) to see if they'd launched their Thursday countermeasure yet," he says. "It was like a chess game for me. I couldn't wait for them to do a countermeasure because I would counter it in minutes."

Tarnovsky suffers from attention deficit hyperactivity disorder, which he says helped with the detailed work.

"I think so fast," he says.

It wasn't long before NDS came courting. Tarnovsky had a contact at the company to whom he'd begun passing information about holes in its software, even supplying patches to fix them. NDS offered him a job earning $65,000 a year. By the time the company fired him last year, he was earning about $245,000 in salary and bonuses and had another $100,000 in stock options, he says.

The company set him up in a lab in Southern California equipped with a computer, some DirecTV set-top boxes, sample DirecTV cards and NDS source code. There was no fancy equipment at first, but his relationship with NDS and the lab grew over the decade he worked with them. Tarnovsky says the job was a dream come true. While living in Europe he'd once seen a news report showing an engineer at a French satellite company writing countermeasures, sitting in a lab with smart cards piled around him on his desk.

"I always thought it would be so cool to be that guy," Tarnovsky says. "Finally I got the chance."

Tarnovsky had two roles at NDS -- to find holes in its software and work undercover with pirates to discover what they were doing against NDS technology.

To conceal his relationship with NDS from pirates, few people at the company knew his identity. He used the name "Michael George" and for the first four years was paid through other companies, including, for about five months, HarperCollins, the Murdoch-owned book publisher.

"It was very hush-hush, because we didn't know who could be an inside informant," he says.

Part of his job was developing ECMs for NDS. He'd examine pirate NDS cards to determine how they worked, then send instructions to engineers in Israel to create a kill for them.

"I didn’t actually load the gun and pull the trigger but I got to make the bullet," Tarnovsky says.

Among the countermeasures he says he created was one known among pirates as the "Black Sunday" kill -- an elaborate scheme that destroyed tens of thousands of pirate DirecTV cards a week before Super Bowl Sunday in 2001.

Instead of being delivered all at once like other measures, the Black Sunday attack code was sent to pirate cards in about five dozen parts over the course of two months, like a tank transported piece by piece to a battlefield to be assembled in the field. "They never expected us to do this," Tarnovsky says.

The kill didn't last long before pirates found a way to jump-start the cards. But it holds an enduring position in pirate lore; for the first time, they could see a cunning mind at work on the other side.

While Tarnovsky was killing cards, however, he was also helping pirates fix them.

Days before Tarnovsky began working for NDS, the company began phasing in its latest-generation smart card, the P2, which was thought to be virtually uncrackable. But word reached the company that two Bulgarian hackers working for Ereiser had cracked the P2. On NDS's instructions, Tarnovsky met with Ereiser undercover in Calgary to get the code. When he got there, Ereiser offered him $20,000 to work for him fighting whatever countermeasures NDS and DirecTV cooked up to thwart their P2 hack.

NDS considered it a great opportunity for Tarnovsky to maintain his pirate identity, but DirecTV insisted on some controls. Under "Operation Johnny Walker," as they dubbed it, Tarnovsky gave Ereiser a program to create pirate NDS cards, but encrypted it so no one could copy it. The program worked only with a dongle attached to Ereiser's computer and created a limited number of cards that could be killed at any time.

But, according to Nagrastar, Tarnovsky wasn't just helping NDS fight piracy by working undercover and creating ECMs, he was also committing piracy against NDS's competitors to weaken their place in the market.

After NDS engineers in Israel hacked the Nagrastar code in the late '90s, Nagrastar says Tarnovsky created a "stinger" program that turned Nagrastar cards into pirate cards. He allegedly gave the program to a Canadian named Al Menard in 1999 who sold reprogrammed Nagrastar cards for $350 each. Then in December 2000, someone anonymously posted code and detailed instructions for hacking Nagrastar's card to two websites, one of them run by Menard, exposing Dish Network to even more piracy. It was estimated in court testimony that between 100,000 and 165,000 pirated Nagrastar cards were released to the market in the wake of this posting.

Nagrastar says Menard began sending Tarnovsky cash from the sale of the pirate cards. At the end of August 2000, authorities acting on an anonymous tip seized two boxes destined for a mail drop Tarnovsky rented in Texas. Inside, they found a CD and DVD player with $20,000 and $20,100 concealed inside.

The boxes were sent from a phony address for "Regency Audio" in Vancouver to C.T. Electronics at Tarnovsky's address. A customs form for a third package that wasn't seized indicated that it was sent from Menard to Tarnovsky and also contained electronic goods.

Tarnovsky was in Israel at the time, and says he didn't know anything about the packages until he was notified that they'd been seized. He thinks they were sent by someone in Nagrastar's camp who was trying to frame him. He says Nagrastar's accusations about the "stinger" program were baseless, and that he never gave Menard any software.

On Feb. 9, 2001, U.S. Customs agents appeared at his doorstep. On advice of a lawyer, he declined to let them search his house without a warrant. Tarnovsky was never arrested or charged with any crime, but suspicions against him were mounting. NDS gave Tarnovsky a polygraph test, but asked only two, self-interested questions that never touched on the Nagrastar accusations: Had Tarnovsky sold any modified NDS smart cards, or company secrets, since he'd been working for the company? Tarnovsky answered no, and passed the test.

He continued to work for NDS for six years. But then last year, Nagrastar confronted NDS with a sheriff's report showing that fingerprints lifted from the seized electronics equipment sent to Tarnovsky's Texas mail drop belonged to an associate of Menard, raising suspicions again that Tarnovsky might have sold pirate Nagrastar cards without NDS's knowledge. NDS fired him.

Tarnovsky says his termination proves he and NDS weren't conspiring against Nagrastar. Had they been, NDS would have done anything to keep him happy, and quiet. He says the fact that Nagrastar lost the case shows he wasn't pirating on his own either.

"I've never sold a single Nagra card, ever," he says.

Although he was angry at NDS for abandoning him, he told Wired.com before the trial ended that he hoped to work for the company again.

"I want to make sure that NDS wins this lawsuit because that will clear my name," he said at the time.

When it was suggested that someone might view this as motivation for him to lie on NDS's behalf, he disagreed.

"That's crazy. I could go to jail," he said. "I would never perjure myself for some company."

Since NDS fired him he's been consulting for two semiconductor companies and a manufacturer of dongle tokens, but he misses his life in electronic warfare. If NDS doesn't want him, he says he'd be happy to work for Nagrastar -- jumping sides once again.

"I could design a whole entire chip for them like I did for NDS," he says. "NDS thinks today that their technology is superior to everybody else's and it probably is, because they're 17 years ahead of Nagra technologically. But Nagra could catch up overnight if they used my services.

"I'm a very valuable asset as far as smart-card technology goes," he adds. "I know everything about (NDS) as far as their intellectual property models go."

He offered his services to the company last year, while the lawsuit was pending. Nagrastar declined.

• First, watch Dave Aitel beats the dead horse of academic security "research." Quote: "people who write papers in LaTeX two-column format end up saying the sky has a high negative trajectory." (other examples)
• I work for a vendor, but I am not "vendor scum." What is the difference? If you write a paper about a fake trend or about a non-existent phenomenon (that your marketing department created) with the sole intention of selling your product while masquerading your piece as "objective content", you will probably be called "vendor scum." Example: do you know why insiders are dangerous? Because of telnet and modems (no shit!) :-)
• Rich Mogul drop-kicks GRC. Then kicks it in the balls. Then steps on it. Fun read, for sure.
• Did somebody just utter "ROI"? Yeah - and that means katana blades sharpened, flamethrowers charged, pet trolls enraged :-) Yes, the beast is back - with a vengeance. Bruce Schneier hits it with +5 Flaming Blade, it doesn't die, it bites back ... again. If you love/hate ROI, read these. And Mike R comment here. Can we just replace the "R"-word with "economic measure of security" or "security efficiency?"
• Does anybody with at most half a brain believes that "almost one out of every three individuals who were informed of a data security compromise involving their personal data have ceased doing business with the company that experienced the incident" (source here and more commentary here)? Well, same people who believe FBI/CSI surveys, I guess :-) UFO? Spoon bending? Santa Claus anyone?
• NEWSFLASH!!!! Employees needs to be monitored!!! Wow!!! Reeeeally? Well, it is news to some people. Mike R makes good fun of them here.
• Harebrained paper about PCI and using cards (credit and debit), which serves as a perfect illustration of how some people perceive risk. Repeat after me: you are not liable for mis-use of your credit card, your bank is. Debit card? Very different story!
• So, risk, yes. A really good piece about risk is here. Then again, it is RiskAnalys.is? :-) More on risks of compliance stuff (also good) is here.
• Richard clearly, succinctly, brilliantly explains the "security chasm" here by commenting on Greg's article (featured in my previous FRoS): "The first camp spends more time talking about "enabling business" and "elevating the infosec conversation" while the second camp deals with the mess caused by the first world's ignorance of security problems."
• Security reading? Nah, fun security listening (that is, unless you are sick of hearing about RSA 2008 again), where we discuss - yes, you guessed right! - past RSA 2008 show.

Enjoy!

.text:00405C1B mov  esi, [ebp+dwLen]  ; Our value from packet
...
.text:00405C20 push edi
.text:00405C21 test esi, esi          ; Check value != 0
...
.text:00405C31 push esi               ; Alloc with our length
.text:00405C32 mov  [ebp+var_4], 0
.text:00405C39 call operator new(uint); Big values return NULL
.text:00405C3E mov  ecx, esi          ; Memcpy with our length
.text:00405C40 mov  esi, [ebp+pDestionationAddr]
.text:00405C43 mov  [ebx+4], eax      ; new result is used as dest
.text:00405C46 mov  edi, eax          ; address without checks.
.text:00405C48 mov  eax, ecx
.text:00405C4A add  esp, 4
.text:00405C4D shr  ecx, 2
.text:00405C50 rep  movsd             ; AV due to invalid
.text:00405C52 mov  ecx, eax          ; destination pointer.
.text:00405C54 and  ecx, 3

Dave asserts that publishing 16 commented assembly instructions makes this disclosure irresponsible. But look at the code — it’s completely generic, just a textbook example of what it looks like when you forget to check a return value after calling operator new. Sure, Core gives you the exact offsets into the executable, but so what? If I have the binary, then it’s not going to be too hard to find the vulnerability anyway. It’s not like Core is giving away a proof-of-concept exploit that generates the malformed registration packet required to trigger the DoS. What’s more, they provide a detailed timeline going back to January 30th of this year describing exactly how the disclosure process with the vendor transpired. This looks extremely responsible to me; I just can’t understand what is “not cool” here.

There’s another interesting angle to this, completely unrelated to Core’s disclosure process. The vulnerability itself is described in the advisory as follows:

Un-authenticated client programs connecting to the service can send a malformed packet that causes a memory allocation operation (a call to new() operator) to fail returning a NULL pointer. Due to a lack of error-checking for the result of the memory allocation operation, the program later tries to use the pointer as a destination for memory copy operation, triggering an access violation error and terminating the service.

This may bring to mind some recent discussions on whether callers of memory allocation functions should check the return value prior to use. To summarize, one camp says “caller should check”, the other camp says “callee should exit on allocation failure.” This is a gross oversimplification and if you want more detailed arguments, read the other blog posts that I linked to. In this case, if the “exit on failure” approach were taken, the DoS scenario might still happen, whereas if the caller were checking, the error could be handled more gracefully. More fuel for the debate!

Let me get serious for a moment here.  My niece Michelle Pearl in Colorado and her boyfriend Tim are involved in the Race Across America. I am putting this up to help them help these special kids. If you find this cause worthy, please help them help others!

Local Firefighter Needs YOUR Help! Tim Case, a professional firefighter for Boulder Fire Rescue, is racing his bicycle 3100 miles this June in the Race Across America to support Camp Odayin, a camp in Minnesota for kids with congenital heart disease. www.raceacrossamerica.org Tim is affiliated with Team Strong Heart, whose goal is to raise $100,000 for Camp Odayin.  Last year Team Strong Heart placed third in the Race Across America in the 4-man relay division. www.campodayin.com Tim is collecting tax deductible donations via the Team Strong Heart website. Tim is using Pay Pal, so your donation is secure. Please visit the team website to make your donation. www.teamstrongheart.blogspot.com

What is Camp Odayin? Each year 32,000 children are born in the US with cardiovascular defects. Children with heart disease are not often afforded the opportunity to attend camp due to health risk and insurance issues. Camp Odayin is a non-profit organization dedicated to providing the camp experience to these special young people. Camp Odayin runs soley on donation and only costs the familes a $25 dollar registration fee.

Contact info: tim@timcase.net http://www.teamstrongheart.com

Let me get serious for a moment here.  My niece Michelle Pearl in Colorado and her boyfriend Tim are involved the Race Across America. I am putting this up to help them help these special kids. If you find this cause worthy, please help them help others!

Local Firefighter Needs YOUR Help! Tim Case, a professional firefighter for Boulder Fire Rescue, is racing his bicycle 3100 miles this June in the Race Across America to support Camp Odayin, a camp in Minnesota for kids with congenital heart disease. www.raceacrossamerica.org Tim is affiliated with Team Strong Heart, whose goal is to raise $100,000 for Camp Odayin.  Last year Team Strong Heart placed third in the Race Across America in the 4-man relay division. www.campodayin.com Tim is collecting tax deductible donations via the Team Strong Heart website. Tim is using Pay Pal, so your donation is secure. Please visit the team website to make your donation. www.teamstrongheart.blogspot.com

What is Camp Odayin? Children with heart disease are not often afforded the opportunity to attend camp due to health risk and insurance issues. Camp Odayin is a non-profit organization dedicated to providing the camp experience to these special young people. Camp Odayin runs soley on donation and only costs the familes a $25 dollar registration fee. Each year 32,000 children are born in the US with cardiovascular defects.

Contact info: tim@timcase.net http://www.teamstrongheart.com

Rolling Stone has this excellent article on the topic, about the Joint Terrorism Task Forces in the U.S.:

But a closer inspection of the cases brought by JTTFs reveals that most of the prosecutions had one thing in common: The defendants posed little if any demonstrable threat to anyone or anything. According to a study by the Center on Law and Security at the New York University School of Law, only ten percent of the 619 "terrorist" cases brought by the federal government have resulted in convictions on "terrorism-related" charges -- a category so broad as to be meaningless. In the past year, none of the convictions involved jihadist terror plots targeting America. "The government releases selective figures," says Karen Greenberg, director of the center. "They have never even defined 'terrorism.' They keep us in the dark over statistics."

Indeed, Shareef is only one of many cases where the JTTFs have employed dubious means to reach even more dubious ends. In Buffalo, the FBI spent eighteen months tracking the "Lackawanna Six" -- a half-dozen men from the city's large Muslim population who had been recruited by an Al Qaeda operative in early 2001 to undergo training in Afghanistan. Only two lasted the six-week course; the rest pretended to be hurt or left early. Despite extensive surveillance, the FBI found no evidence that the men ever discussed, let alone planned, an attack -- but that didn't stop federal agents from arresting the suspects with great fanfare and accusing them of operating an "Al Qaeda-trained terrorist cell on American soil." Fearing they would be designated as "enemy combatants" and disappeared into the legal void created by the Patriot Act, all six pleaded guilty to aiding Al Qaeda and were sentenced to at least seven years in prison.

In other cases, the use of informants has led the government to flirt with outright entrapment. In Brooklyn, a Guyanese immigrant and former cargo handler named Russell Defreitas was arrested last spring for plotting to blow up fuel tanks at JFK International Airport. In fact, before he encountered the might of the JTTF, Defreitas was a vagrant who sold incense on the streets of Queens and spent his spare time checking pay phones for quarters. He had no hope of instigating a terrorist plot of the magnitude of the alleged attack on JFK -- until he received the help of a federal informant known only as "Source," a convicted drug dealer who was cooperating with federal agents to get his sentence reduced. Backed by the JTTF, Defreitas suddenly obtained the means to travel to the Caribbean, conduct Google Earth searches of JFK's grounds and build a complex, multifaceted, international terror conspiracy -- albeit one that was impossible to actually pull off. After Defreitas was arrested, U.S. Attorney Roslynn Mauskopf called it "one of the most chilling plots imaginable."

Using informants to gin up terrorist conspiracies is a radical departure from the way the FBI has traditionally used cooperating sources against organized crime or drug dealers, where a pattern of crime is well established before the investigation begins. Now, in new-age terror cases, the JTTFs simply want to establish that suspects are predisposed to be terrorists -- even if they are completely unable or ill-equipped to act on that predisposition. High-tech video and audio evidence, coupled with anti-terror hysteria, has made it effectively impossible for suspects to use the legal defense of entrapment. The result in many cases has been guilty pleas -- and no scrutiny of government conduct.

In most cases, because no trial is ever held, few details emerge beyond the spare and slanted descriptions in the indictments. When facts do come to light during a trial, they cast doubt on the seriousness of the underlying case. The "Albany Pizza" case provides a stark example. Known as a "sting case," the investigation began in June 2003 when U.S. soldiers raided an "enemy camp" in Iraq and seized a notebook containing the name of an imam in Albany -- one Yassin Aref. To snare Aref, the JTTF dispatched a Pakistani immigrant named Shahed "Malik" Hussain, who was facing years in prison for a driver's-license scam. Instead of approaching Aref directly, federal agents sent Malik to befriend Mohammed Hossain, a Bangladeshi immigrant who went to the same mosque as Aref. Hossain, an American citizen who ran a place called Little Italy Pizzeria in Albany, had no connections whatsoever to terrorism or any form of radical Islam. After the attacks on 9/11, he had been quoted in the local paper saying, "I am proud to be an American." But enticed by Malik, Hossain soon found himself caught up in a government-concocted terror plot. Posing as an arms dealer, Malik told Hossain that a surface-to-air missile was needed for an attack on a Pakistani diplomat in New York. He offered Hossain $5,000 in cash to help him launder $50,000 -- a deal Hossain claims he never properly grasped. According to Muslim tradition, a witness is needed for significant financial transactions. Thus, the JTTF reached out for Hossain's imam and the true target of the sting -- Aref.