Potential major Vista security hole
Posted 08/9/08
Apparently, some researchers have discovered a major hole — more of a flaw, really — in Windows Vista. What makes this different than the usual patch-coming-Tuesday security issues is that it is based on a fundamental property of the Vista operating system.
In other words, fixing it could be impossible without a significant rewrite of Vista code.
Neowin.net has some more detail in an article “Vista’s Security Rendered Completely Useless by New Exploit.” Normally that’s hyperbole, but in this case there may be something to it.
Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista.
and
While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren’t based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista’s fundamental architecture.
ZDNet wrote this:
Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.
Perhaps even more interesting (if that’s the right word) is what well-known (and well-regarded) security researcher Dino Dai Zovi said:
[S]ince these techniques do not rely on any one specific vulnerability, Zovi believes that we may suddenly see many similar techniques applied to other platforms or environments.
Dowd and Sotirov presented details of their findings and their exploit at the 2008 Black Hat security conference on Aug. 7, but not much more has come out.
Following on the heels of the major DNS exploit last week, it’s been a busy time for security folks….
Tags: hacking, security, vista
Playmobil, WTF?
Posted 03/7/08
Somewhere, a Playmobil executive is looking at his rearview mirror and saying to himself, "Was that the deep end I just passed?"
"Playmobil Security Check Point." For real.
Big, big H/T to Gnomic!
Tags: security, toys
Post-9/11 travel stuff
Posted 01/23/08
I wondered — still wonder, actually — why the folks at Swiss Army Brands haven’t started to offer a carry-on-friendly "knife." I’m thinking of one without a blade, but with other useful tools that would get past those frakking TSA jerks security.
Oddly, it was Florsheim, the shoe maker, who ran with the idea. The company is now offering "airport-friendly" shoes that don’t have steel shanks and thus don’t need to be removed.
H/T to, and a shot of the tag on the shoes at, bloginfosec.
Tags: security, shoes, travel, tsa
International travelers avoiding America
Posted 10/30/07
Here’s a disturbing trend, and something to add to the long list of things that this country will have to undo when Bush is finally out of office: International travelers are looking for ways to avoid stopovers in the U.S. because of the frustrating, belittling, and bully-like treatment they receive at the hands of Homeland Security officials looking for possible "terrorists" (i.e., any kind of potential criminal).
Wikitravel even has a page devoted to the topic. An excerpt:
Anyone arriving into the United States or one of its territories (like Puerto Rico) and not covered by the Visa Waiver Program requires at least a C1 transit visa to transit the airport. This can be expensive and time-consuming to obtain, and you can be denied the visa: the requirements are the same as the full B-2 tourist visa. If you arrive without this visa and aren’t eligible for a waiver, even for a fuel stop or transit, you will be sent home and recorded as having been denied entry to the US.
The United States does not allow sterile transit, which means that even if you have an immediate connecting flight, you have to pass through Customs and Immigration. This is time-consuming and tedious (4 hours or more is recommended to be safe), and all travellers transiting in the USA using either a transit visa or the Visa Waiver Program will be photographed and fingerprinted.
You can see why people would want to avoid an episode of US Security Theater. Boing Boing had a story the other day about a Finnish folk band that was detained for the crime of having flown in from Amsterdam. From the Minneapolis Star-Tribune come the details:
Erkki Maattanen, a filmmaker for Finnish Public Television who accompanied the musicians on the September trip, said his questioners seemed to think the entourage was smuggling drugs or intending to work without a permit. "I kept trying to tell them why we were here, but they’d just yell, ‘Shut up!’" he said.
and
"They threatened us with severe punishments if we talk to each other," according to the complaint signed by musicians Ninni Poijärvi and Mika Kuokkanen, "Through the walls, I can hear officers yelling, screaming. They ask about the purpose of our trip — except we are only allowed to give yes-or-no answers. I try to talk about our plans to meet with Finnish-American folk musicians. Nobody listens. They interrupt me constantly and they yell, ‘You are a liar!’"
The sad thing is, none of these tactics help keep anyone more secure. All it does is tick people off, hurt business here, and make things tougher for everyone. Soon after 9/11 I flew. We all looked at the extra security measures as something understandable and appropriate. But now I realize how foolish and wasteful they are.
The fact is, if terrorists wanted to hit us again, it’s not going to be that hard. Heck, drive a small car bomb through the doors of a mall. Or open up with a hail of bullets outside an airport terminal.
The key point to remember is that the aim of terrorism isn’t to kill people — that’s just icing on the cake. The aim is to scare people. And it’s working.
Tags: bush, security, travel