But in all that reading, research, study, training, and other learning, one of the coolest things I ever consumed was the OSSTMM project. Rather than try to explain this project, I’ll just snag the introductory text from the project home site:

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The version I read when I first found this was 2.2.  It has been years since I used it, and I periodically check in for updates on the version 3.0 release.  I haven’t seen an update on the web site, and I’m not a team member/subscriber to the service, so I didn’t expect I would know unless I checked in on my own.  Well tonight, while catching up on email, I get this message from the project:

Hi,

Maybe you forgot us Six years is a long time to work on a single version of a project. That time is coming to an end and the OSSTMM 3 has been fully researched, completely re-written, and is nearly ready for press.

OSSTMM RC15, the Beta draft has just been uploaded for Silver Team members and OSSTMM RC20, the Alpha draft has just been uploaded for the Gold Team, partners, and team members.

All tests have been fully edited as well as most chapters. It contains the new, more usable format and descriptive content with greater explanations to make it easier to use. It also includes a full chapter
on Analysis.

Only a few chapters are missing. Chapter on RAV Calculations is still partially unedited and the Trust Metrics chapter is still incomplete. End chapters for templates and other extras are still incomplete. The unedited and incomplete chapters have been clearly labeled for completion.

We have a full color cover with an animal symbol ready to go, an OSSTMM security picture for the back cover, templates, and many graphics still to be added for the public version. Further examples,
graphics, and tips and tricks will go into the print version.

It feels so good to be so close to completing this version!

Sincerely,
-pete.

I’m really looking forward to getting this update. As a non-member, I know I will still have to wait. But as a consumer of all things open source, I expect it to be worth it. And I intend to review the final version and try to offer feedback, in the manner I hope most open source consumers at least try to do. Even if I have nothing to offer, I believe just making an honest effort to contribute is an important part of being in the community.  If I were still actively in security, I would probably subscribe, but it’s hard to justify the expense at this moment since I’m not doing security any more (but would like to – hint, hint)

If you are in to computer security at all, I can recommend the OSSTMM as a good resource for testing guidance.

Technorati Tags: OSSTMM, Open Source security, Security

“The bug is a buffer-overflow and the return address can be fully overwritten so a malicious attacker could use it for executing malicious code on the victim,” Auriemma said in an e-mail.

. . .

Auriemma said that Apple was not been notified of the flaw in advance of its publication.

When Apple updated QuickTime to version 7.3.1 on December 13, 2007, it fixed an RTSP buffer overflow bug (CVE-ID: CVE-2007-6166) related to the content-type/content-base header. The vulnerability Auriemma has identified relates to error message handling and remains unpatched.

I’m guessing Apple will get a patch out quite quickly for this one, but in the meantime, practice safe browsing and consider disabling Quicktime until a patch is available.

Run HealthCheck to get a scan of applications on your system along with checks for patches and updates to those applications. This should help you track down security problems that have fixes available. If you keep up to date on these patches, it should help significantly with avoiding your machines getting taken over by a ‘bot-network. The tool appears to have been developed or at least re-announced (I’m not familiar enough with HealthCheck and it’s history nor age to know which is the correct term) as a result of an F-Secure poll regarding application patching.

It appears that many people are uncertain if their computers are fully patched when there are third party updates involved.

Q — What can you do about it?
A — F-Secure Health Check.

Health Check is a free online tool designed to help consumers identify security updates needed on their computers.

I will point out that HealthCheck requires installation of an ActiveX control in your Internet Explorer window. I personally trust the eggheads at F-Secure to not do malice as a result of this, but you need to understand that installing an ActiveX control is a security risk which gives the control vendor pretty much full access to your operating system. While *I* personally trust the F-Secure worker-bees to not corrupt, control, nor destroy my system, you’ll have to make that decision for yourself.

After running the test, here’s a snip of what I got as a result:

In my case, I’m on a work computer without anti-virus and anti-spyware protection. Sadly, I am not allowed to correct this flaw. I make up for it by using the PortableApps version of ClamWin, and regularly scan my system. I also run Firefox for my browser (actually, I use the PortableApps version of this application, too) and stick mostly to web sites I know and trust. I save my home computer for more risky online activity.

If you are unsatisfied with your HealthCheck scan results and the problem turns out to be a browser security issue, can I suggest you update to FireFox?

Technorati Tags: security, healthcheck, scanning, vulnerability, patch, Windows, Internet Explorer, FireFox

However, the rules are still idiotic and worthless, and we can do so much better with security by spending money on things that actually help – things like, oh, I don’t know, training screeners better so they don’t miss nearly 100% of all explosives taken through security by people trying to get prohibited items through security.

Government investigators smuggled liquid explosives and detonators past airport security, exposing a dangerous hole in the nation’s ability to keep these forbidden items off of airplanes, according to a report made public Wednesday.

. . .

On March 23, a TSA screener would not let one investigator through a checkpoint with a small, unlabeled bottle of shampoo, even though it was a legitimate carry-on item. But the same investigator was able to bring through a liquid component of bomb that would start a fire.

Thank goodness that investigator wouldn’t be able to terrorize the plane with clean hair and bubbles. That’s a much greater concern than liquid fire. The TSA hand-waves away the problem by emphasizing the multi-layer approach to security in airports and air travel.

“While people think about us in terms of the checkpoints and they see us as the checkpoints, there’s a lot more layers of security,” she [spokeswoman Ellen Howe] said. In addition to the checkpoints, the TSA uses different technologies and has officials who check the validity of documents and observe people’s behaviors throughout the airport. “Just because somebody gets through one layer doesn’t mean they’re going to get through all of the layers.”

And that’s actually damn good to know and comforting. But our money needs pumped into the less visible security measures. Currently, to get through with contraband a determined attacker needs training on not sticking out more than anything else. That alone will make passing through screening nearly guaranteed, yet so much money is going into screening efforts that have repeatedly been proven ineffective (I’ve covered some, but by no means all, such issues in the past, and won’t link them again here).

Here, I’ll throw in a freebie for would-be attackers. If you want to carry in prohibited liquids, buy yourself a beer belly flask to transport your explosives or drinks. As it is right now, screeners are miserable at catching illicit items which someone is trying to take on, but nearly perfect in catching harmless things like the drinks people are consuming as they walk through the screening checkpoints (hint: if they are actively drinking it, it is either harmless to the flight or they already have ingested what they need to use to bring the flight down).

From the screeners link just above, here is what Bruce Schneier has to say.

When I travel in Europe, I never have to take my laptop out of its case or my shoes off my feet. Those governments have had far more experience with terrorism than the U.S. government, and they know when passenger screening has reached the point of diminishing returns. (They also implemented checked-baggage security measures decades before the United States did — again recognizing the real threat.)

And if I were investing in security, I would invest in intelligence and investigation. The best time to combat terrorism is before the terrorist tries to get on an airplane. The best countermeasures have value regardless of the nature of the terrorist plot or the particular terrorist target.

In some ways, if we’re relying on airport screeners to prevent terrorism, it’s already too late. After all, we can’t keep weapons out of prisons. How can we ever hope to keep them out of airports?

Far more insightful and accurate than all the words I’ve thrown out arguing against the money-drain our government has in place now.

EDIT: Accidentally left out part of the Schneier quote.

Technorati Tags: Airport stupidity, Air travel, Getting explosives on planes

A Japanese blogger who goes by the name Hamachiya2 has discovered a single line of HTML and CSS that crashes IE 6. The line is:

Ohhhh, the suspense is killing me.  I guess I’ll just have to read the article to find out how easy it is.

Technorati Tags: Security, Crash Internet Explorer, Browser vulnerabilities, Another kick in the nuts

The autorun.inf file is the key to getting your USB drive (or CD-ROM drive, for that matter) to perform certain actions automatically and customize it’s look in My Computer. The purpose of this article is to shed some light on how this can be done.

Topics covered are:

• Autorun.inf Structure
• Setting a Custom Icon
• Naming Your USB Drive
• Setting AutoPlay Options
• Adding Context Menu Items
• Changing Default Action
• Viewing a File
• School’s Out, Time To Play!

Unfortunately, the author doesn’t have anchors set at each heading, or I would link you directly to each section. Fortunately, the entire article is brief and pretty easy to follow, so this isn’t a big negative in the article layout.

USB key break-ins are a real security threat, and this kind of tutorial helps you make the security breach even easier if you are in to that kind of thing. Whether you depend on natural curiosity to cause the breach or use something like the above-linked tutorial to get a tool running and stealing what you need from your victim, the USB key is handy. This also means you should be aware that the bad guys are learning (or already know) these things and will use them to attack you some day.

So to end, the next natural question for you, the reader, should be “How do I stop this vulnerability from impacting my system/network/company?” now. Well, there are many places that have the answer. I haven’t found one that I would point out as The best way to do this – this Microsoft technet article has the necessary information if you already know your way around the registry, as does this more concise and clearer article. Other helpful points include this CD-Freaks forum post asking that question, as does this web site that seems to focus on autorun features/bugs/benefits. That last one is probably the clearest, so may be the one I point folks to in the future.

Technorati Tags: USB autorun, USB keys, Security, DIY, Daily cup of tech

It’s old, I know, but still funny. Especially the question about 2 people each with 3 ounces of liquids.

Technorati Tags: TSA, Security, Homeland security, Liquid security

Test the Secunia PSI (BETA) Technology Preview, an upcoming addition to the Secunia Software Inspector series, based on the proven Secunia File Signatures Technology.

The Secunia PSI detects installed software and categorises your software as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors.

Needless to say, we are very excited about this new free service for the Secunia security community. We appreciate all feedback, thoughts, and ideas that you wish to share with us.

On the security side, Secunia is a good company, so I expect this tool will be good, too. As already noted, its currently in beta, but the final release will still be free for personal use. For more details on the tool, hit the above shortcut or look at the more detailed software information page.

Technorati Tags: Secunia, Personal Software Inspector, PSI, Security tools, Software checker

My latest experiment with TSA security happened by accident. I recently flew to Memphis on business, and while I was there I bought my wife a souvenir bottle of Vidalia onion salad dressing (pictured at left [well, not on my site when I rip his text]). Vidalia onions are one of the four food groups of the South, the other three being barbecue, fried foods, and gravy.

. . .

I took my time packing up my things, watching her wrap the bottle loosely in the paper and drop it into the trash barrel.

I looked around casually. There weren’t very many TSA agents servicing the area, and they were joking around, screening oncoming passengers, watching the X-ray monitor. Everyone’s attention was focused elsewhere. No one was watching me.

I moseyed over to the walkway and glanced in the barrel. It was filled with half-empty coffee cups and discarded water bottles. There, on top of the trash, wrapped in its protective paper, was my salad dressing.

. . .

Calmly, I reached down into that unstable barrel of atomic liquid and grabbed my salad dressing. Then I calmly boarded the moving walkway, and stuffed the salad dressing down my pants. The TSA lets you keep things there, apparently.

No one came after me. I have to be honest, it was almost like they wanted me to take it. The hardest part was returning a few minutes later to take these pictures on my cameraphone.

Mission accomplished, I suppose.  Read the full article for more details and the camera phone pictures that go along with the story.  This story has been covered by several of my favorite web sites/blogs/smarty-smart folks.  Schneier rightly points out that this probably isn’t a smart thing to brag about online and that he probably wouldn’t have been so glib had he been caught.  Boingboing, other the other hand, looks at this from the critique of DHS security standpoint:

The reason this “smuggling” technique works, of course, is that liquids aren’t dangerous. Everyone knows this — even the TSA. That’s why they don’t guard the barrel after they confiscate your wine, water, and salad-dressing. The point of taking away your liquid isn’t to make airplanes safe, it’s to simultaneously make you afraid (of terrorists with magic water-bombs) and then make you feel safe (because the government is fighting off the magic water-bombs). It’s what Bruce Schneier calls “security theater.”

So take your pick of viewpoints – probably unwise and overly risky or possible because everyone realizes liquids aren’t that risky.  Or both, which is what I think – he wasn’t doing himself a favor by doing this, but it wasn’t likely to be caught given how non-dangerous liquids are and therefore unprotected after “disposal” anyway.

Technorati Tags: Liquids on a plane, How to smuggle liquids onto a plane, That Zug guy

Bruce Schneier ran his 2^nd annual Movie-Plot Threat contest starting on April 1^st of this year. In early June, he posted the nominations for best movie-plot concepts. Now, he has announced the winner of the contest and posted their full concept.

First, some information about the contest:

Your goal: invent a terrorist plot to hijack or blow up an airplane with a commonly carried item as a key component. The component should be so critical to the plot that the TSA will have no choice but to ban the item once the plot is uncovered. I want to see a plot horrific and ridiculous, but just plausible enough to take seriously.

Make the TSA ban wristwatches. Or laptop computers. Or polyester. Or zippers over three inches long. You get the idea.

Your entry will be judged on the common item that the TSA has no choice but to ban, as well as the cleverness of the plot. It has to be realistic; no science fiction, please. And the write-up is critical; last year the best entries were the most entertaining to read.

If you want to see the other highly rated ideas, you can view the three semi-finalists. In the end though, it’s all about the butterflies and beverages conceptual threat.

It must have been a pretty meadow, Wilkes thought, just a day before. He tried to picture how it looked then: without the long, wide wound in the earth, without the charred and broken fuselage of the jet that gouged it out, before the rolling ground was strewn with papers and cushions and random bits of plastic and fabric and all the things inside the plane that lay like the confetti from a brief, fiery parade.

Yes, a nice little spot, just far enough from the airport’s runways to be not too noisy, but close enough to watch the planes going in and out, fortunately just a bit too close to have been developed. When the plane rolled over and angled downward, not even a mile past the end of the runway, at least the only people at risk were the ones on the plane. For them, it was mercifully quick, the impact breaking their necks before the breaking wing tanks ignited in sheets of flame, the charred bodies still in their seats.

. . .

“No,” Wilkes shot back, “we can’t ban everything that could be made of sodium metal. Or all the other water-reactives,” he mused aloud, thinking of all the carbides, anhydrides, and alkali metals that would cover. “Too many ways to hide them, too many types to test for them all. No, it isn’t the metals we’ll have to ban.”

“Naw, you don’t mean,” the NTSB man stared in disbelief, his eyes growing wide. “You couldn’t, I mean, it’s the only other way but it’s ridiculous.”

“No, it’s not so ridiculous, it’s really the only way. We’re going to have to ban water, and anything containing a significant amount of water, from all passenger flights. It’s the only way, otherwise we could have planes dropping out of the sky every time someone is served a beverage.”

And here’s the really, really, exceptionally crazy thing – this threat is easier to pull off and more feasible (thanks to Andrew Kantor for that quick link) than last year’s improbable liquid-explosive-to-bring-down-planes foiled plot in England. To actually prevent this, either ALL liquids or ALL metals have to be kept off the airplanes. As the story notes, the amount of metal in the frames of one person’s eyeglasses is enough to pull of this attack with a reasonable chance of bringing down a plane. That means no more in-flight bathrooms would be available, or that anyone who says they have to go to the bathroom would have to be monitored and use a restroom facility that operates without liquids.

So the question is, will our government ban ALL liquids, ALL metals, or do neither? Will preventative measures be put in place to stop an attack that would probably succeed and could be pulled off by a single person with a few hundred dollars? Of course not. But still we have to suffer through not taking lip balm, water bottles, breast milk, sunscreen, sodas, or practically any other liquids on a plane in order to stop an almost impossible attack that we have known terrorists knew about for over 20 years. I do hope some day we got someone in charge that actually knows something about security and probabilities and who is more interested in trying to achieve safer flights rather than security theater.

Technorati Tags: Movie-plot security threats, Schneier’s movie-plot contest, Actual security threats, Ban all metal now!

[youtube]EowKalRT3lc[/youtube]

Yes, this is not some surefire way to control the votes, since it is highly susceptible to getting caught.  Still, there are sure to be some places where this could be pulled off without anyone being wiser for it.  Security in electronic voting systems is not easy.  But until the vendors at least take the concept seriously, we’ll not have electronic voting systems worth using or trusting.

Technorati Tags: Controlling the votes, Electronic voting insecurities, Security, Hack-a-Day

The Slingbox Pro is not the only target of their investigations, but it is the most interesting to me. They also find privacy issues with the Nike+iPod Sport Kit and security issues with Microsoft’s Zune social relationships.

We analyze three new consumer electronic gadgets in order to gauge the privacy and security trends in mass-market UbiComp devices. Our study of the Slingbox Pro uncovers a new information leakage vector for encrypted streaming multimedia. By exploiting properties of variable bitrate encoding schemes, we show that a passive adversary can determine with high probability the movie that a user is watching via her Slingbox, even when the Slingbox uses encryption. We experimentally evaluated our method against a database of over 100 hours of network traces for 26 distinct movies.

Despite an opportunity to provide significantly more location privacy than existing devices, like RFIDs, we find that an attacker can trivially exploit the Nike+iPod Sport Kit’s design to track users; we demonstrate this with a GoogleMaps-based distributed surveillance system. We also uncover security issues with the way Microsoft Zunes manage their social relationships.

. . .

We test this algorithm on a dataset consisting of over 100 hours of network throughput data. With only 10 minutes worth of monitoring data, we are able to predict with 62% accuracy the movie that is being watched (on average over all movies); this compares favorably with the less than 4% accuracy that one would achieve by random chance. With 40 minutes worth of monitoring data, we are able to predict the movie with 77% accuracy. For certain movies we can do significantly better; for 15 out of the 26 movies, given a 40 minute trace we are able to predict the correct movie with over 98% accuracy. Given the simplicity of our algorithm, this indicates a significant amount of information leakage – a fact that is not immediately obvious to the users, who likely trust the built in encryption in the device to protect privacy.

Any transmission method whose characteristics depend on the content that is being transmitted is susceptible to the kind of attack we have described. As the world moves towards more advanced multimedia compression methods, and streaming media becomes ubiquitous, variable bitrate encoding is here to stay. Preventing information leakage in variable bitrate streams without a significant performance penalty is an interesting challenge for both the signal processing and the security communities. More broadly, a fundamental challenge that we must address is how to identify, understand, and mitigate information leakage channels in the full range of upcoming UbiComp devices.

The entire report is 23 pages, although a moderate portion of that is footnotes, citations, or images. If you are interested in indirect attacks on security, however, it is well worth the 20-30 minutes it will take to read for understanding.

Also, I realize that they had a significantly constrained data set, which eased their analysis and improved accuracy. However, the whole point of security vulnerability research is finding attacks that work in any manner. From there, attacks against static defenses will never regress – they either get better or stay the same if not worked on. In other words, this data problem has been shown on a limited data set. Given sufficient time and computational resources, it will still work against larger data sets, including the data set of all available streamed media. It might currently be infeasible to properly determine most of the possible data streams now, but computational power is ever increasing, storage space is expanding and getting cheaper, and the time necessary to analyze any stream will continue to go down.

This is a hard to solve problem for folks that are concerned about privacy, and one that I believe the engineers at Slingbox will continue working on. Their use of decent cryptography already shows an attention to security and privacy. I expect to see updates in the distribution system to reduce secondary data characteristic attack possibilities in the future. (via Freedom-to-tinker)

Technorati Tags: Slingbox pro security and privacy analysis, Attacks on secondary data characteristics, Interesting privacy and security research of gadgets

Rather than getting to read the full Ars story, however, I get the following block page (Click ‘More’ for image – click the image for a larger view).

Yes, I have been blocked from reading a story at a techie site because the word “porn” appears in the URL. This is a classic example of stupid filtering. What makes this so damn funny to me is that just a few minutes before trying to access Ars, I was reading commentary by Cory Doctorow on the ineffectiveness and dangerousness of internet filtering. I wanted to post an article about it here, but wasn’t sure what my lead-in would be. Even though I can simply post such stories as short notes for my right column Asides section, I wanted to say something about it to highlight the importance of bad internet filtering (for values of bad meaning all). Internet filtering is an ineffective technology. More legitimate content is blocked than is reasonable. Vast regions of the interpipes are left unblocked because the blocking databases cannot keep up and the automated analyzers fail so frequently. Needed web content cannot be accessed due to poor automated analyzers (e.g., at one point, AOL filtering blocked the word breast from chatrooms, which caused problems for the breast-cancer survivors group).

But saying something intelligent and compelling is difficult, because I’m operating from a different level of understanding of this technology than most folks. I know I can handle the web access my own children do, because I have tools to monitor what they are doing. My wife and I are with or near our children when they are online. In the future, it will be harder to prevent them from accessing things that we don’t want, but I can know what they are doing and deal with that when it is a problem. Most parents don’t have the technical and networking background I have so they can do the same. While I try to speak about technology in a manner that non-techies can understand, I think the fallacy of internet filtering software is something I would not be able to do justice and present in a non-technical manner. Since Cory has expressed some of the problems so well, however, I can take the fallback position of pawning my readers off on someone else for explanation.

People say bad things online. They write vile lies about blameless worthies. They pen disgusting racist jeremiads, post gut-churning photos of sex acts committed against children, and more sexist and homophobic tripe than you could read – or stomach – in a lifetime. They post fraudulent offers, alarmist conspiracy theories, and dangerous web pages containing malicious, computer-hijacking code.

It’s not hard to understand why companies, government, schools and parents would want to filter this kind of thing. Most of us don’t want to see this stuff. Most of us don’t want our kids to see this stuff – indeed, most of us don’t want anyone to see this stuff.

But every filtering enterprise to date is a failure and a disaster, and it’s my belief that every filtering effort we will ever field will be no less a failure and a disaster. These systems are failures because they continue to allow the bad stuff through. They’re disasters because they block mountains of good stuff. Their proponents acknowledge both these facts, but treat them as secondary to the importance of trying to do something, or being seen to be trying to do something. Secondary to the theatrical and PR value of pretending to be solving the problem.

. . .

The same companies that supply the world’s torturers and totalitarians are also supplying our schools, workplaces, and cities. I edit a popular website, Boing Boing, that is widely censored by these firms. One firm, SmartFilter, regularly classifies us as “adult” because less than one per cent of the tens of thousands of posts we’ve made over the years feature thumbnail-sized nudes, including Michelangelo’s David (Smartfilter maintains that any page containing David’s willy is a “nudity” page). Another, Dan’s Guardian, is employed by the City of Boston for its citywide network – it is so indiscriminate that it banned Boing Boing because we linked to a page of Google search results that had the “SafeSearch” option switched off, meaning that it might contain a link to an adult site. (Dan’s Guardian also banned downloads of my 2004 novel Eastern Standard Tribe).

There is more to the article, including more examples of filtering failures that block legitimate content and a commentary on why the companies producing this faulty software continue to do so. Head over and read the full story at The Guardian web site.

Technorati Tags: Internet filtering software is faulty and ineffective, Commentary on the failures of internet filtering

ORLANDO – During an updated version of one of the more popular sessions at TechEd each year, senior security engineer and Microsoft MVP Marcus Murray did attendees a major service by demonstrating that hacking into a network is not really an art, and in some ways, not even much of a science.

His “Why I Can Hack Your Network in a Day” session is actually something of a misnomer, as many of the tools he uses (including one written by SysInternals guru-turned-Microsoft fellow Mark Russinovich) can enable individuals to work their way to revealing the passwords of domain administrators in closer to 15 minutes.

Of course, this is just a case of technology allowing transfer of skill – one security expert figures out the vulnerability, encases it in a point-and-click tool, and shares with the world. But it is still interesting to see what is going on in the back-and-forth of improved security/improved breaking of security fight. As always, security experts will look at the exploited vulnerabilities, come up with ways to reduce or eliminate them, improve protocols, and release equipment with the improved protocols. This will be followed by the break-in experts analyzing the new protocols, looking for direct and secondary/side-channel attacks, determining weaknesses, exploiting those weaknesses, and releasing simple tools that allow less skilled attackers break the security. Around and around it goes, until the eventual heat death of the universe or until we all start communicating via telepathy (which will probably get hacked somehow, in which case evolution will create better telepaths, and so on).

Technorati Tags: Microsoft security engineer demonstrates wireless hacking tools

Safeguards in the fuel delivery grid greatly limit the amount of damage that can be done by intentional or accidental explosion/destruction/burning of any section of the fuel system. Additionally, jet fuel contains additives specifically designed to reduce the chance of explosion, increase the difficulty of catastrophic fire, and minimize spread of flames in general. Yes, the stuff burns, but it actually does not burn well enough to have very much of a chance of the spectacular destruction it seems the attackers had in mind.

Though Mr. Defreitas had lived in Brooklyn and Queens, he told the informant that his resentment of the United States hardened into hatred during his years as a cargo worker at the airport.

“He saw military parts being shipped to Israel, including missiles, that would be used to kill Muslims,” the complaint read. Mr. Defreitas, who was secretly recorded by the informant, complained bitterly that he “wanted to do something” and that “Muslims always incur the wrath of the world while Jews get a pass.”

Mr. Defreitas envisioned “the destruction of the whole of Kennedy” and theorized that because of underground pipes, “part of Queens would explode.” He boasted that in addition to a huge of loss of life – “even the twin towers can’t touch it,” he said – the attack would devastate the United States economy and strike a deep symbolic blow against a national icon, President John F. Kennedy, officials said.

Sure, it sounds scary and stuff, but the explosion he dreamed of just wasn’t going to happen. And given how much I’ve written about improbable attacks and the over-reaction of Americans to these things, I was planning on giving this incident a pass. I’m tired of wasting my time detailing the weaknesses of bad, weak, improbable and infeasible threats. You’ll note that I’ve not even taken the time to provide links backing up my claims on infeasibility and difficulty of any success. That’s because the whole plot was so ludicrously bad that I don’t want to waste more of my time pointing out specifics. You can spend a few minutes online and easily find reputable sources supporting what I’ve stated above. If you disagree, please post it in the comments and I’ll be glad to expand on the topic. But unless someone really thinks this attack was worth worrying about, I’m not going to waste more time on it. That is, unless the government does something else stupid to strip away our freedoms as a result. Then, you can be sure I’ll come back to bitch about the poor job our government is doing.

Technorati Tags: JFK explosion plot too infeasible to even waste time debunking it