• Low-tech is very effective. Movie-plot threats -- terrorists with crop dusters, terrorists with biological agents, terrorists targeting our water supplies -- might be what people worry about, but a bunch of trained (we don't really know yet what sort of training they had, but it's clear that they had some) men with guns and grenades is all they needed.

• At the same time, the attacks were surprisingly ineffective. I can't find exact numbers, but it seems there were about 18 terrorists. The latest toll is 195 dead, 235 wounded. That's 11 dead, 13 wounded, per terrorist. As horrible as the reality is, that's much less than you might have thought if you imagined the movie in your head. Reality is different from the movies.

• Even so, terrorism is rare. If a bunch of men with guns and grenades is all they really need, then why isn't this sort of terrorism more common? Why not in the U.S., where it's easy to get hold of weapons? It's because terrorism is very, very rare.

• Specific countermeasures don't help against these attacks. None of the high-priced countermeasures that defend against specific tactics and specific targets made, or would have made, any difference: photo ID checks, confiscating liquids at airports, fingerprinting foreigners at the border, bag screening on public transportation, anything. Evenmetal detectors and threat warnings didn't do any good:

  "If I look at what we had, which all of us complained about, it could not have stopped what took place," he told CNN. "It's ironic that we did have such a warning, and we did have some measures."

  He said people were told to park away from the entrance and had to go through a metal detector. But he said the attackers came through a back entrance.

  "They knew what they were doing, and they did not go through the front. All of our arrangements are in the front," he said.

If there's any lesson in these attacks, it's not to focus too much on the specifics of the attacks. Of course, that's not the way we're programmed to think. We respond to stories and not analysis. I don't mean to be sympathetic; this tendency is human and these deaths are really tragic. But eighteen armed people intent on killing lots of innocents will be able to do just that, and last-line-of-defense countermeasures won't be able to stop them. Intelligence, investigation, and emergency response. We have to find and stop the terrorists before they attack, and deal with the aftermath of the attacks we don't stop. There really is no other way, and I hope that we don't let the tragedy lead us into unwise decisions about how to deal with terrorism.

1. The Sun-Sentinel newspaper in Fort Lauderdale accidentally republishes a six-year-old news story about the bankruptcy of UAL. It wasn't on the home page, but instead buried somewhere inside the web site.
2. Google's news crawler (an automated thing, remember) finds the story and incorporates it as part of its news feed.
3. Investors see the story, and immediately react. When UAL's stock plunged 76% to a low of $3, Nasdaq shut down trading. Eventually trading resumed, and the stock closed at just under $11, losing about 11%.
4. United blamed Tribune Company (the owner of the Sun-Sentinel) for "irresponsibly" changing the date on the story and demanded a retraction.
5. Tribune Company blamed Google, claiming they've had issues with Google's crawler "for months."

Who will blame be shifted to next?

Look -- if people haven't realized by now that the Internet pretty much lacks a delete function, then (IMNSHO) it becomes the requirement of each and every one of us to pay close attention to what we're reading, to use our own big brains and fine-tuned bullshit detectors to suss out whether something makes sense.

Since this is my blog, I'm going to parcel out blame the way I see it:

• United: 0%. If the concept of "negative blame" made any sense, then I'd actually write −∞ (that's a negative infinity, in case your character set is different than mine).
• Google: 5%. How can an automated crawler know that a newly-dated story isn't really new? Well, those folks over there at Google are smart. Certainly it shouldn't be that difficult to compare a "new" article against existing ones. Content hashes won't work as a comparison tool, because the date would be included in the hash computation, thus making the hashes different anyway. Full-text comparisons? Sure, it would take a lot of horsepower. Perhaps not every "new" story needs comparison, but at least the crawler could submit to the comparator any stories that ought to be verified (say those with the word "bankruptcy" in them).
• Tribune Company: 30%. Hey guys, you changed the date on the article. Don't go blaming someone else for your screw-up.
• Investors: 65%. If you're using an automated news aggregator (remember, an aggregator is not a source of news) to make major financial decisions -- decisions that affect the livelihoods of thousands (maybe millions) of people -- well, you're a moron. You should know that incorrect information can be just as instantly available as correct information. Verify potentially damaging claims before engaging in reckless behavior.

What's this got to do with security? I don't know, maybe nothing directly related. But it certainly raises the question -- what if someone intentionally wanted to cause nearly permanent damage to a person or a corporation? Malicious content, disguised as "news," certainly seems to have become a potentially successful attack vector this week.

Worried about a social engineering attack on a massive scale? I suspect that what happened Monday (8 September) was the largest social engineering attack in history -- although I wouldn't classify it as intentionally malicious. Just you wait until the idea spreads.

LAS VEGAS -- Last weekend, more than 9,000 hackers, freaks, feds and geeks gathered for the 16th annual DefCon, the world's largest computer security convention.

Wired.com brought you live coverage of the most newsworthy events at DefCon 16. Here are some photos from the lighter side of the conference.

Left: South Korean hackers compete in the Capture the Flag competition. The goal is to hack into and keep control of targeted servers.

Mr. Sinister and Dragon Cracker battle it out in a round of Guitar Hero -- one of DefCon's newest competitions.

Bringing-your-own-booze supply ensures optimal buzz at DefCon. Shortly after this picture was taken, hotel security escorted this backpack-hacker to his room.

Computer geeks from the National Institute of Standards and Technology set up a network secured with quantum encryption in a conference room at DefCon. The quantum-entangled photons are being used to encrypt a video stream across a line-of-site network.

A compact optical bench and an atomic clock (left) are used to secure a network with quantum encryption.

In the Lock Pick Pavilion, DefCon attendees Dustin, Jennalynn and Kunfoozball practice their lock-picking skills.

DefCon founder and organizer Jeff Moss, aka Dark Tangent, at the conference's closing ceremony Sunday.

A collection of black badges awaits the winners of the various competitions. These badges give their holders lifetime entry to DefCon.

One of DefCon's logos, the smiley-faced skull and crossbones, is welded inside a yellow sphere. The sphere is the primary stage of one of the most difficult competitions at DefCon: The Mystery Challenge.

Unbeknownst to attendees, this laptop is sniffing RFID tags and taking photos of their owners when they pass in front of the detectors. RFID tags are used in everything from building access to some credit cards.

At the closing ceremony, DefCon organizers turn off the lights while the attendees wave their high-tech badges back and forth.

does this surprise anyone:

A grisly slaying on a Greyhound bus has prompted calls for tighter security on Canadian bus lines, despite the company and Canada's transport agency calling the stabbing death a tragic but isolated incident.

Greyhound spokeswoman Abby Wambaugh said bus travel is the safest mode of transportation, even though bus stations do not have metal detectors and other security measures used at airports.

Despite editorials telling people not to overreact, it's easy to:

"Hearing about this incident really worries me," said Donna Ryder, 56, who was waiting Thursday at the bus depot in Toronto.

"I’m in a wheelchair and what would I be able to do to defend myself? Probably nothing. So that’s really scary."

Ryder, who was heading to Kitchener, Ont., said buses are essentially the only way she can get around the province, as her wheelchair won’t fit on Via Rail trains. As it is her main option for travel, a lack of security is troubling, she said.

"I guess we’re going to have to go the airline way, maybe have a search and baggage check, X-ray maybe," she said.

"Really, I don’t know what you can do about security anymore."

Of course, airplane security won't work on busses.

But -- more to the point -- this essay I wrote on overreacting to rare risks applies here:

People tend to base risk analysis more on personal story than on data, despite the old joke that "the plural of anecdote is not data." If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.

We give storytellers we have a relationship with more credibility than strangers, and stories that are close to us more weight than stories from foreign lands. In other words, proximity of relationship affects our risk assessment. And who is everyone's major storyteller these days? Television.

Which is why Canadians are talking about increasing security on long-haul busses, and not Americans.

• Open Scripting Architecture—Privilege elevation bug when loading plugins.
• CarbonCore—A stack overflow in handling long file names. Potential code execution.
• CoreGraphics—2 bugs, both code execution, one for malicious graphics the other for malicious PDFs.
• Data Detectors Engine—Engine may crash when parsing maliciously crafted content.
• Disk Utility—A local user may obtain System privileges.
• OpenLDAP—An ASN parsing bug can lead to a crash.
• OpenSSL—A range checking error from last September (Red Hat patched it in 2 weeks) can lead to remote code execution.
• PHP—5 different bugs, the worst of which can lead to remote code execution.
• QuickLook—A maliciously-crafted Microsoft Office file can cause QuickLooks to crash or allow remote code execution.
• rsync—Path validation errors, which were also reported in 2007, are resolved.

• Open Scripting Architecture—Privilege elevation bug when loading plug-ins.
• CarbonCore—A stack overflow in handling long file names. Potential code execution.
• CoreGraphics—Two bugs, both code execution, one for malicious graphics, the other for malicious PDFs.
• Data Detectors Engine—Engine may crash when parsing maliciously crafted content.
• Disk Utility—A local user may obtain System privileges.
• OpenLDAP—An ASN parsing bug can lead to a crash.
• OpenSSL—A range checking error from last September (Red Hat patched it in two weeks) can lead to remote code execution.
• PHP—Five different bugs, the worst of which can lead to remote code execution.
• QuickLook—A maliciously crafted Microsoft Office file can cause QuickLooks to crash or allow remote code execution.
• rsync—Path validation errors, which were also reported in 2007, are resolved.

A couple of weeks ago I was offered a free year membership in the Clear airport security program for registered travelers.  Though my home airports of Ft Lauderdale and West Palm Beach don't yet offer Clear access, I fly enough in airports that do like Denver and Regan that I thought for free, what do I have to lose.  I filled out the forms on line and last time I was in Regan airport I handed it in along with fingerprints, Iris scans, passport, etc.  This past week my Clear card came in the mail and I have been looking forward to using it.

I thought that with my background check and all, they knew that I was a low risk for terrorist or other type of activity and therefore would not be subject to the same scrutiny and testing that we all endure when we have to fly.  Turns out that I don't think that is exactly the case.  However what it does do is allow you to go right to the front of the line in security, much to the dismay of others waiting on those lines.

The experience was great.  I went to a special entrance for Clear members where I was met by a very helpful young lady.  She escorted me to a Clear machine where we inserted my card and did a fingerprint scan.  After that was done she escorted me to another young lady who walked me past all of the people waiting on line (and a long line it was).  At the head of the line, the Clear lady gave my boarding pass and ID to the TSA person.  The TSA person checked my id and pass, same as always and they passed me through.  Than my Clear escort brought me to a special metal detector line which had no one on it, just waiting for me.  Again skipping another line.  I put my computer and other metal objects in the same old grey bin, took off my shoes and went through the metal detector.  I thanked the Clear escort came out the other side, scooped up my stuff and proceeded to my gate.  The entire process took less than 3 minutes I bet!  That was great!  The looks on the faces of the people I bypassed on line also gave me a perverse pleasure as well, I will admit.

After finishing this though I sat down and thought about it.  What security did bypass?  They still checked my ID and boarding pass. I still went through the metal detector and took off my shoes.  In fact if anything security was added to my check in, as they now did a fingerprint match.  So fact is, with all of the background checks and everything, having the Clear program did not relieve me of any security obligations and tests. In fact it added to them.  What it did give me was a "first class" personal escort to the front of the line and than a first class que for the metal detectors.  Because I was willing to pay some money and have a background search, I got the first class treatment.

To me this is not a scalable solution.  As more Clear passengers come on board, having a dedicated person walking me through the security line is just not going to work.  Also, lets be clear (no pun intended), this is not about going through less security.  Why the background check and all?  This is about paying money and skipping the line, but still going through the same security procedures that everyone else goes through.  Just faster.  Hey, don't get me wrong.  I loved it!  But I was wrong to think this was about bypassing security, this is a "first class" traveler lane.  As long as you are "clear" with that, it is good by me!

A couple of weeks ago I was offered a free year membership in the Clear airport security program for registered travelers.  Though my home airports of Ft Lauderdale and West Palm Beach don't yet offer Clear access, I fly enough in airports that do like Denver and Regan that I thought for free, what do I have to lose.  I filled out the forms on line and last time I was in Regan airport I handed it in along with fingerprints, Iris scans, passport, etc.  This past week my Clear card came in the mail and I have been looking forward to using it.

I thought that with my background check and all, they knew that I was a low risk for terrorist or other type of activity and therefore would not be subject to the same scrutiny and testing that we all endure when we have to fly.  Turns out that I don't think that is exactly the case.  However what it does do is allow you to go right to the front of the line in security, much to the dismay of others waiting on those lines.

The experience was great.  I went to a special entrance for Clear members where I was met by a very helpful young lady.  She escorted me to a Clear machine where we inserted my card and did a fingerprint scan.  After that was done she escorted me to another young lady who walked me past all of the people waiting on line (and a long line it was).  At the head of the line, the Clear lady gave my boarding pass and ID to the TSA person.  The TSA person checked my id and pass, same as always and they passed me through.  Than my Clear escort brought me to a special metal detector line which had no one on it, just waiting for me.  Again skipping another line.  I put my computer and other metal objects in the same old grey bin, took off my shoes and went through the metal detector.  I thanked the Clear escort came out the other side, scooped up my stuff and proceeded to my gate.  The entire process took less than 3 minutes I bet!  That was great!  The looks on the faces of the people I bypassed on line also gave me a perverse pleasure as well, I will admit.

After finishing this though I sat down and thought about it.  What security did bypass?  They still checked my ID and boarding pass. I still went through the metal detector and took off my shoes.  In fact if anything security was added to my check in, as they now did a fingerprint match.  So fact is, with all of the background checks and everything, having the Clear program did not relieve me of any security obligations and tests. In fact it added to them.  What it did give me was a "first class" personal escort to the front of the line and than a first class que for the metal detectors.  Because I was willing to pay some money and have a background search, I got the first class treatment.

To me this is not a scalable solution.  As more Clear passengers come on board, having a dedicated person walking me through the security line is just not going to work.  Also, lets be clear (no pun intended), this is not about going through less security.  Why the background check and all?  This is about paying money and skipping the line, but still going through the same security procedures that everyone else goes through.  Just faster.  Hey, don't get me wrong.  I loved it!  But I was wrong to think this was about bypassing security, this is a "first class" traveler lane.  As long as you are "clear" with that, it is good by me!