“Frontline” looks at how 9-11 led to today’s NSA

The problem has always been the creeping assumption of powers. From the founding days of our country, that has been our defining issue.

Today’s NSA is the clearest example our country has ever seen, but we haven’t seen the worst of it. Given how quickly we grant powers, and how reluctantly they are relinquished, we have got a fight on our hands.

People were concerned about the legality of the NSA’s actions from the beginning:

And he [Michael Hayden] says to the president, “But I’m worried about the legality of this.” And the president looks at him and says, “Don’t worry about it. We’re going to go forward with this. I’ve got lawyers working on this now and you don’t have to worry about the legality of this; I think I can do this on my own authority.”

Even the legal rationale was thin or nonexistent:

All they knew was that something had been signed by the president and the attorney general that authorized them to walk across the bright white lines that had been established by Congress in the 1970s. … It was and is, I think, the darkest-kept secret that the government has had in recent times.

And security professionals are particularly at risk, especially those who work within the NSA:

We tried for several years to do it [whistle-blowing] within the system and look what they did to us. Clearly Edward Snowden saw that and said, “That’s obviously not an option.” … And just to be a little more formal, there are no whistle-blower protections for any employee of the U.S. intelligence community. There [is] a modicum of protections for other government employees, but not inside the intelligence community.

Read the whole article and watch the video at:

* * *

Wireless Telephone Security: The New Frontier of Pen Testing

I’ve been working on the project to update ISECOM’s OPST (OSSTMM Professional Security Tester) curriculum, and it’s becoming more and more clear that pen testing curricula – ALL of them – neglect the area of wireless telephone penetration testing. Most of the phone tools are about forensics, not about pen testing the phone itself.

So should we just treat them as hosts? Maybe, but they run a lot of services and functions that few or no computer hosts run. How do we test them?

The starting point is learning the phone technology itself. There’s a decent introduction, circa 2007, at Simson.net:



John Pozadzides on “How I’d Hack Your Password”

Please, don’t take my word for it. I really don’t want to give you a slip of paper with your most intimate passwords on it. It’s just that I, and practically anyone, can do just that.

Instead, check out security pundit John Pozadzides’ article, “How I’d Hack Your Password.” In a couple of short pages he’ll make you squirm uncomfortably, because everything he points out is true: we all reuse passwords, they aren’t that complex, and yes, they are indeed based on our dog’s name, our birthday or our Social Security Number, all easily discoverable stuff. Go to

I’m beginning to regard a password management application as probably mandatory for everyone. Let me know what you’re using.
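To make the point concrete, here is an added example (my own illustration, not code from Pozadzides’ article) of the kind of short, person-specific guess list an attacker builds before touching a general wordlist: a few discoverable facts (pet name, home town, birthday, a digit fragment) combined with the usual capitalizations, leet substitutions, years and trailing "123!" suffixes. The facts, the sample passwords and the suffix list are all constructed for the demo; the random string at the end stands in for what a password manager would generate.

```python
"""Targeted password guessing from discoverable personal facts.

Added example, not code from the article or this blog. Everything below
(facts, suffixes, sample passwords) is constructed for illustration.
"""
import itertools

# Common ways people "complicate" a base word. Constructed, not a real attacker list.
SUFFIXES = ["", "1", "123", "!", "1!", "#1", "2012"]
# Minimal leet-speak substitutions (lowercase only; uppercase is left alone).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

# Constructed "target": a pet name, a home town, a birthday and a digit fragment
# of the sort that turns up on social media or in a public record.
SAMPLE_FACTS = {
    "words": ["rex", "springfield"],
    "birthday": (1985, 7, 4),   # (year, month, day)
    "digits": ["6789"],         # e.g. last four digits of some ID
}


def case_variants(word):
    """lower / Capitalized / UPPER spellings of one word."""
    return {word.lower(), word.capitalize(), word.upper()}


def date_tokens(birthday):
    """The common written forms of a birthday people paste into passwords."""
    y, m, d = birthday
    return {
        f"{y}", f"{y % 100:02d}",
        f"{m:02d}{d:02d}", f"{d:02d}{m:02d}",
        f"{m:02d}{d:02d}{y}", f"{m:02d}{d:02d}{y % 100:02d}",
    }


def build_guesses(facts):
    """Return an ordered, de-duplicated list of guesses derived from `facts`."""
    guesses, seen = [], set()

    def add(g):
        if g not in seen:
            seen.add(g)
            guesses.append(g)

    words = set()
    for w in facts.get("words", []):
        for v in case_variants(w):
            words.add(v)
            words.add(v.translate(LEET))

    numbers = set(facts.get("digits", []))
    if "birthday" in facts:
        numbers |= date_tokens(facts["birthday"])

    # word [+ number] [+ suffix], and number + word
    for w in sorted(words):
        for n in sorted(numbers | {""}):
            for s in SUFFIXES:
                add(w + n + s)
        for n in sorted(numbers):
            add(n + w)
    for n in sorted(numbers):
        add(n)
    # two personal words glued together, e.g. pet + town
    for a, b in itertools.permutations(sorted(words), 2):
        add(a + b)
    return guesses


def crack(password, guesses):
    """Return the 1-based guess count at which `password` fell, or None."""
    for i, g in enumerate(guesses, 1):
        if g == password:
            return i
    return None


if __name__ == "__main__":
    guesses = build_guesses(SAMPLE_FACTS)
    print(f"{len(guesses)} targeted guesses built from a handful of facts")
    for pw in ["Rex1985!", "r3x0704", "springfield123", "kQ7#vLp9!zR2mX"]:
        hit = crack(pw, guesses)
        print(f"{pw!r}: {'guess #' + str(hit) if hit else 'not in list'}")
```

The whole list is only a few hundred entries, which is why "personal" passwords fall in the first seconds of an attack; the manager-generated string never appears because it was not derived from anything about the person.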