Showing posts with label security kabuki. Show all posts

Wednesday, November 13, 2024

Anarcho-Tyranny in the UK

Paging George Orwell:

A journalist with the London Telegraph has been visited unannounced at her home by police in the UK who told her they are investigating a “non-crime hate incident” over a tweet she posted a year ago.

...

Allison Pearson relates what happened on Sunday in an article, noting that police will not tell her which post is the subject of the investigation, nor will they tell her who her accuser is or what they feel offended about.

Well okay, then.  But the UK Plods seem to have forgotten the old saying to not mess with someone who buys ink by the barrel:


Way to shine a spotlight on your policy, dumbasses.  Streisand Effect much?




Tuesday, July 11, 2023

3 "Only Ones" arrested for theft

TSA agents stole money from passengers at screening points in Miami:

Three Transportation Security Administration agents who work at Miami International Airport were arrested on fraud charges.

According to investigators, Elizabeth Fuster, Josue Gonzalez and Labarrius Williams worked together to steal cash from passengers’ purses and bags while they were being screened at the airport, June 29.

The agents were removed after a TSA employee followed up on a complaint, watched surveillance video and shared findings with the police, who took immediate action and placed them under arrest on Thursday.

But remember, only government agents can be trusted with firearms.

Security guru Bruce Schneier has been saying for years that TSA is a total waste of money (c.f. the 90+% failure to detect phony bombs during testing), and that if he were put in charge of it he would give all the budget back to the treasury.

 

Thursday, March 24, 2022

Online voting is a persistently bad idea

Via Cold Fury, PJ Media writes about Redo Voting's Internet voting system.

tl;dr: Oh Hells No.

Longer discussion: it's QR codes on scratch off lotto style tickets, with a lot of crypto (SHA-2 512!) thrown in.  I haven't dug into the details but there are at least two glaring security holes here:

1. Your ballot seems to be stored unencrypted (you get a PDF file of your vote).  Sure, there's strong crypto (a SHA-2 hash of your ballot) to prove that it was your ballot, but anyone who gets into the data store will be able to post lists of who voted for whom.  If you think about California's Proposition 8 and how Brendan Eich was fired from his leadership role at Mozilla, this is very bad juju.  

Now maybe I'm wrong and the data is encrypted, but reading through their web site they don't say this at all.  This seems a really important item for a company touting "Unparalleled Security".

2. Their ballot counting software is, well, a server.  Anyone who can hack the server can fiddle the results.  Duh.  When you think of Internet Security you have to think in terms of who the attacker might be and what their motivation might be.  Given the huge financial benefits of winning a US national election (not to mention the geopolitical implications) you have to assume that the threat isn't script kiddies or hacktivists, but rather foreign state actors.  Or heck, domestic Three Letter Agency actors.

Do you think you can protect yourself against the NSA or the Russian FSB?  I don't think I can defend myself from them, and I don't think that Redo Voting can, either.  These attackers could easily justify funding tens of millions of dollars for a single attack - which could be as simple as bribing a system administrator to look the other way.

Game over, man.  Never mind that some more thought would almost certainly come up with more problems, this is enough.

So no, this is not a good idea.  It's actually a stupendously BAD idea, wrapped in crypto marketing fluff.  Maybe I'm being unfair to Redo Voting, but all I have to go on is what they say on their web site.  Quite frankly, it's very unconvincing.  What we need is not technology that helps centralize the voting process "for convenience"; we need distributed systems that need thousands of people to subvert.  Quite frankly, paper ballots are pretty hard to beat at this.

But if you like the fact that perhaps a quarter of the US population has serious questions about the integrity of the 2020 election, and if you would like to get that over 50%, then this is the bee's knees.  Otherwise, run away.  Keep running.  Don't look back.



Wednesday, September 16, 2020

You may be guilty of hacking

I've been working in computer and network security for literally decades.  During this career I've been at companies that did security research.  We did a lot to help improve the sorry state of Internet Security and you are better off for it.  Now that may be about to become illegal, depending on how the Supreme Court rules on an upcoming case:

A US Supreme Court case that could expand the Computer Fraud and Abuse Act (CFAA) to include prosecuting "improper" uses of technology not specifically allowed by software makers will chill security research and could be used to punish other fair uses of technology, a group of nearly 70 vulnerability researchers and security firms said in a letter published on September 14. 

The Computer Fraud and Abuse Act is a 1980s era statute passed right around when I got into computer security.  It was passed to criminalize computer hacking - you know, breaking into someone's computer.  Simples, amirite?


Except nothing is simple, at least when the Legislature is in session.  Or when a District Attorney is prosecuting a case:

The original case that ended up at the US Supreme Court seemingly has little to do with election systems or even hacking. The case originates in the prosecution of Nathan Van Buren, a police sergeant in Cumming, Georgia, who had accessed the state records system to get information on a license plate in exchange for money. In addition to being found guilty of honest services wire-fraud in May 2018, the court also found him guilty of a single charge of violating the CFAA for accessing state and government databases for an improper use.

Now there's no doubt that Mr. Van Buren is a scumbag and a dirty cop.  But it's hard to see him as a computer hacker - he had a legitimate account on the computer system and he accessed it with his legitimate username and password.  Sure, he abused it once he was logged in, but this isn't at all what we think of when someone mentions the word "hacker".  Fraud, sure.  Probably other charges but hacking seems to be a category error.

But here's where Internet Security could be fatally crippled - legitimate security research by legitimate organizations could be made a criminal offense if the Supremes uphold the hacking charge:

A US Supreme Court case that could expand the Computer Fraud and Abuse Act (CFAA) to include prosecuting "improper" uses of technology not specifically allowed by software makers will chill security research and could be used to punish other fair uses of technology, a group of nearly 70 vulnerability researchers and security firms said in a letter published on September 14. 

This letter didn't come out of the blue.  It came in response to an Amicus brief filed to the court by Voatz, a manufacturer of voting machines and software.  Voatz has a, ahem, checkered reputation when it comes to security:

The letter — signed by computer scientists from the University of Michigan and Johns Hopkins University, as well as security firms Bugcrowd, HackerOne, and Trail of Bits, among others — is a response to a legal filing by e-voting firm Voatz in a case that could expand the definition of "exceeds authorized access" under the CFAA to include violations of user agreements and software licenses. While Voatz has participated in bug bounty programs granting participants legal protections, the firm also has reported a student researcher to state officials, dismissed serious vulnerabilities found by three researchers from the Massachusetts Institute of Technology, and even downplayed a third-party audit of their entire systems by security firm Trail of Bits that both confirmed the MIT findings and also found even more critical vulnerabilities. 

It's like a car company threatening criminal prosecution of Consumer Reports for publishing repair statistics they collected.  Sure, it may be embarrassing to the company, but is it criminal?  According to Voatz, the answer is "yes":

The letter took shape following a September 3 legal filing, known as an amicus or friend-of-the-court brief, in which Voatz argued that testing laboratories, security reviews, and bug bounties are all authorized forms of security testing and should be enough to guarantee security. Independent code reviews and penetration tests, the company claims, are not authorized and the CFAA's language "exceeds authorized access" should apply.

So this is the point that you should start wondering if you yourself are guilty of hacking*.  After all, you just merrily click "I Accept" without reading any of those boring old License Agreement notices, don't you?  That agreement specifies what is permissible use according to the software maker.  If you go beyond that, does that make you a criminal?  According to Voatz, the answer is "yes".  Especially if you publish security information that embarrasses the company.

Know your place, peon.  Or do the time.

I've posted often about "Regulatory Capture", where large companies try to use government regulations to stymie dangerous competitive startups.  I've written at length about how this is very damaging to the economy, although it is financially advantageous to the company.  This is worse.  Not only will it stifle legitimate security research that makes companies (sometimes reluctantly or unwillingly) improve their security, but it will stifle security improvement in an area that is critically important for the health of the Republic - voting.

And besides, it might make you guilty of hacking.  I wish I had more faith in the intelligence and wisdom of the SCOTUS.

* Yes, yes - you only use your Powers for good.  I know that, but does the District Attorney?

Wednesday, June 19, 2019

Ten years ago on this blog

Yup


Actually, this explains a lot.

Postscript: It seems that on this day ten years ago, I posted six times.  Crazy kid ...

Tuesday, January 3, 2017

Intelligence Agency "The Russians Hacked The Election" report is incredibly weak

Man, it seems like the report is really weak:

Sadly, the JAR, as the Joint Analysis Report is called, does little to end the debate. Instead of providing smoking guns that the Russian government was behind specific hacks, it largely restates previous private-sector claims without providing any support for their validity. Even worse, it provides an effective bait and switch by promising newly declassified intelligence into Russian hackers' "tradecraft and techniques" and instead delivering generic methods carried out by just about all state-sponsored hacking groups.

"This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations," Robert M. Lee, CEO and Founder of the security company Dragos, wrote in a critique published Friday. "It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little."

It's larded with basic n00b errors:

The sloppiness, Lee noted, included the report's conflation of Russian hacking groups APT28 and APT29—also known as CozyBear, Sandworm, Sednit, and Sofacy, among others—with malware names such as BlackEnergy and Havex, and even hacking capabilities such as "Powershell Backdoor." The mix up of such basic classifications does little to inspire confidence that the report was carefully or methodically prepared. And that only sows more reasons for President elect Donald Trump and his supporters to cast doubt on the intelligence community's analysis on a matter that, if true, poses a major national security threat.

It also doesn't discuss that while there are many linkages between these groups and the Russian government, the links are loose.

As Errata Security CEO Rob Graham pointed out in a blog post, one of the signatures detects the presence of "PAS TOOL WEB KIT," a tool that's widely used by literally hundreds, and possibly thousands, of hackers in Russia and Ukraine, most of whom are otherwise unaffiliated and have no connection to the Russian government.

All in all, this does not seem at all convincing.  It's not clear what exactly was hacked, it's very unclear who was behind the hack(s), and it is murky indeed whether this was state sponsored or just run of the mill Black Hat activity.

What IS interesting is that the Intelligence community would issue such Security Kabuki.  Your speculation is as good as mine on the motivations of those involved.

Thursday, June 2, 2016

Quote Of The Day: From The Mouths of Babes Edition

Yeah, I know it's the second QotD.  This is excellent:
Today I learned that Stansted Airport security will make you put your child’s comforter through the Xray machine. And before you get it back, if the beeper goes off, ask him to stand still on his own to have a wand waved at him. 
My two year old boy sat down and screamed at the man. I was very proud.

Even a toddler knows that this is a useless waste of time for everyone.

Thursday, April 3, 2014

How every network security project meeting works

Biker buddy Burt emails a pointer to this.  It actually describes every security project I've been involved with.



Monday, February 10, 2014

Damn Minnesota terrorists

Making trouble in Russia:
SOCHI, RUSSIAN FEDERATION – Just hours before the opening ceremony for the Sochi Winter Olympics, Russia has put out an alert for two potential terror suspects, referred to by security officials as “moose” and “squirrel.”

An outpouring of fear swept the tiny coastal town on the Black Sea as details emerged of the possible terrorist attack by the unlikely combination of two Americans, identified as Mr. Bullwinkle J. Moose and Rocket J. Squirrel. The two suspects are reportedly from Frostbite Falls, Minnesota, which Russian officials believe may indicate a connection to Canadian separatists.
Damn Canadians.  Jeez.
“We thinking this is classic lone-wolf, err– lone-moose type suicide bomber, world’s greatest no-goodnik,” said Boris Badenov, a Russian expert on security and espionage who announced heightened security measures to catch the pair. He was joined by Colonel Natasha Fatale of the FSB.

“Security is going so well darling,” Ms. Fatale told reporters, before adding, “until we get word of confounded moose and squirrel!”
Yeah, I'll bet.  Security always goes well until you see Moose and Squirrel.

(Via)

Tuesday, June 25, 2013

Have you hacked a Ford lately?

You'll be able to after a presentation at the DEFCON 21 security conference:

Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation will examine some controls in two modern automobiles from a security researcher's point of view. We will first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus. Then we will show how certain proprietary messages can be replayed by a device hooked up to an ODB-II connection to perform critical car functionality, such as braking and steering. Finally, we'll discuss aspects of reading and modifying the firmware of ECUs installed in today's modern automobile.

Charlie Miller (@0xcharlie) is a security engineer at Twitter. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated".

Chris Valasek (@nudehaberdasher) is the Director of Security Intelligence at IOActive, an industry leader that offers comprehensive computer security services, where he specializes in attack methodologies, reverse engineering and exploitation techniques. While widely regarded for his research on Windows heap exploitation, Valasek also regularly speaks on the security industry conference circuit on a variety of topics. His previous tenures include Coverity, Accuvant LABS and IBM/ISS. He is also the Chairman of SummerCon, the nation's oldest hacker conference. He holds a B.S. in Computer Science from the University of Pittsburgh.

The smart money is betting that security wasn't an afterthought, it wasn't thought of at all.

Monday, June 3, 2013

"Secure voting" via credit card?

HAHAHAHAHA:

Former President Nicolas Sarkozy’s political party, already enfeebled by a chaotic national leadership election last year, faces further ridicule in a Paris town hall primary election which ends tonight.

An “online-primary”, claimed as “fraud-proof” and “ultra secure”, has turned out to be vulnerable to multiple and fake voting.

...


What was already shaping up as a tense and close election was thrown into utter confusion at the weekend. Journalists from the news site Metronews proved that it was easy to breach the allegedly strict security of the election and vote several times using different names.

To register their vote on-line, Parisians were supposed to make a credit-card payment of €3 and give the name and address of someone on the city’s electoral roll. Metronews said that one of its journalists had managed to vote five times, paying with the same credit card, using names, including that of Nicolas Sarkozy.

...

The narrowly defeated candidate,  the former Prime Minister, François Fillon, accused the winner, the party secretary general, Jean-Francois Copé of “fraud on an industrial scale”.

Man, that's one locked tight security system.  A veritable electronic Maginot line, even.


Wednesday, May 29, 2013

RIAA: All your computers are belong to us

The Entertainment industry wants the legal right to put trojans on your computer and hold your files hostage.  Srlsy:

The hilariously named "Commission on the Theft of American Intellectual Property" has finally released its report, an 84-page tome that's pretty bonkers. But amidst all that crazy, there's a bit that stands out as particularly insane: a proposal to legalize the use of malware in order to punish people believed to be copying illegally. The report proposes that software would be loaded on computers that would somehow figure out if you were a pirate, and if you were, it would lock your computer up and take all your files hostage until you call the police and confess your crime. This is the mechanism that crooks use when they deploy ransomware.

Because the RIAA would never make a mistake and think that a Grandmother was pirating rock 'n roll music:

On Friday, the Recording Industry Association of America withdrew its lawsuit against Sarah Seabury Ward of Newbury, Massachusetts, after the 66-year-old grandmother said she had never used or even downloaded any peer-to-peer file-sharing software. Bolstering her claim is the fact that Ward and her husband own a Macintosh computer, which is incompatible with the Kazaa file-sharing network they're accused of using to share more than 2,000 songs.

Another reason to run Linux, if that there law gets passed.

Friday, May 10, 2013

ITAR Kabuki

I was one of the guys who had this T Shirt:


Back In The Day, encryption was considered a munition, controlled under the International Traffic in Arms Regulations (ITAR).  Actually it still is, but the interpretation is a little less stupid than it was: back then computer source code that could be compiled into a program that would encrypt data was considered a munition and export (including posting on the Internet) was forbidden by the Fed.Gov.

Then Phil Zimmermann wrote a program called Pretty Good Privacy (PGP) and all hell broke loose.

Zimmermann was criminally investigated for posting his source code.  The reaction was sort of a crypto-nerd version of the Streisand Effect, with people coming out of the woodwork to mirror the source code all over the world.  The T-shirt is a different flavor of mockery: it's 3 lines of Perl code that implements the RSA encryption algorithm.  It was in theory illegal to wear this shirt when you left the country.

After three years, the Fed.Gov gave up.  No charges were filed, and people freely downloaded PGP from wherever they wanted.  If you have a commercial product you still need an export license if it contains crypto, but there have been no more hassles about people posting technical documents since 1996.

Until now.  Tam goes into some depth about what ITAR means for firearms components, but my take is that none of this really matters.  It's Security Kabuki by the Fed.Gov.  They know that the Defense Distributed design is being hosted all over the world (I hear that it's up on Kim Dotcom as well as Bittorrent).  The folks at Defense Distributed have made their point and gotten their press, so it doesn't hurt them to take down their web site:
Wilson says he will comply with the order. But he points out that given the nature of the Internet, that doesn't mean it will be taken down off of all servers. In fact, it almost certainly won't mean that.
Despite taking down his files, Wilson doesn’t see the government’s attempts to censor the Liberator’s blueprints as a defeat. On the contrary, Defense Distributed’s radical libertarian and anarchist founder says he’s been seeking to highlight exactly this issue, that a 3D-printable gun can’t be stopped from spreading around the global Internet no matter what legal measures governments take. “This is the conversation I want,” Wilson says. “Is this a workable regulatory regime? Can there be defense trade control in the era of the Internet and 3D printing?”

But everyone knows that the toothpaste is out of the tube.  We know it.  The Fed.Gov knows it.  And we know that they know.  The Internet has already detected the censorship, interpreted it as damage, and in a millisecond was able to route around it. 


Or guns, it seems.  Mockery will infuriate the Empty Suits, inflaming them to still more idiocy.  Mock away.  It's Happy Culture Warrior time.

Friday, April 12, 2013

Repost: Government Data Mining FAIL

I do this infrequently, but this topic is so apropos to the previous post that I thought it worth reposting in its entirety.  I'd point out the unbelievable prescience shown in the dawn of this blog (only 100 days old at the time - still had that New Blog smell!), but it's really kind of obvious, isn't it?

--------------------------------------------------------------

Anti-terrorist data mining doesn't work

One of the biggest problems in Internet Security is getting the "False Positive" rate down to a manageable level. A False Positive is an event where your security device reports an attack, where there's no actual attack happening. It's the Boy Who Cried Wolf problem, and if it's too high, people turn the security off.

Apple had a hilarious ad that spoofed Vista's UAC security a while back. The security is so good that the whole system is unusable:



Surprise! Seems that identifying terrorists by mining a bunch of databases isn't any better:

A report scheduled to be released on Tuesday by the National Research Council, which has been years in the making, concludes that automated identification of terrorists through data mining or any other mechanism 'is neither feasible as an objective nor desirable as a goal of technology development efforts.' Inevitable false positives will result in 'ordinary, law-abiding citizens and businesses' being incorrectly flagged as suspects. The whopping 352-page report, called 'Protecting Individual Privacy in the Struggle Against Terrorists,' amounts to [be] at least a partial repudiation of the Defense Department's controversial data-mining program called Total Information Awareness, which was limited by Congress in 2003.

The problem is not so much one of technology, as it is of cost. Suppose you could create a system where the data mining results gave you only one chance in a million at false positive. In other words, for every person identified as a potential terrorist, you were 99.9999% likely to be correct. This is almost certainly 3 or 4 orders of magnitude overly optimistic (the actual chances are likely no better than 1 in a thousand, and may well be much less), but let's ignore that.

There are roughly 700 Million air passengers in the US each year. One chance in a million means the system would report 700 likely terrorists (remember, this thought experiment assumes a ridiculously low false positive rate). The question, now, is what do you do with these 700 people?

Right now, we don't do anything, other than not let them fly. If they're Senator Kennedy, they make a fuss at budget time, and someone takes them off the list; otherwise, we don't do anything. So all this fuss, and nothing really happens? How come?

Cost. If we really thought these folks were actually terrorists, we'd investigate them. A reasonable investigation involves a lot of effort - wire taps (first, get a warrant), stakeouts, careful collection of a case by Law Enforcement, prosecution. Probably a million dollars between police, lawyers, courts, etc - probably a lot more, if there's a trial. For each of the 700. We're looking at a billion dollars, and this assumes a ridiculously low false positive rate.

There are on the order of a hundred thousand people in TSA's no-fly or watch databases. Not 700. If you investigated them all, you're talking a hundred billion bucks. So they turn the system off.
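
The cost argument above, worked as an added example (not part of the original post). It uses the post's 700 million passengers and $1 million per investigation; the count of 10 real threats and the perfect detection rate are assumptions made here for illustration. It goes one step beyond the post by computing what share of flagged people would be real threats, and what false positive rate would be needed for half the alarms to be real.

```python
"""Base-rate arithmetic for a passenger-screening system.

Added example with constructed inputs. PASSENGERS and COST_PER_CASE are the
post's figures; REAL_THREATS and DETECTION_RATE are assumptions made here.
"""
from dataclasses import dataclass

PASSENGERS = 700_000_000     # US air passengers per year (from the post)
COST_PER_CASE = 1_000_000    # dollars per investigation (the post's estimate)
REAL_THREATS = 10            # ASSUMPTION: actual attackers among the passengers
DETECTION_RATE = 1.0         # ASSUMPTION: the system never misses a real one


@dataclass(frozen=True)
class Outcome:
    false_alarms: int   # innocent people flagged
    true_alarms: int    # real threats flagged
    precision: float    # share of flagged people who are real threats
    cost: int           # dollars to investigate everyone flagged


def screen(fpr, population=PASSENGERS, threats=REAL_THREATS,
           detection_rate=DETECTION_RATE, cost_per_case=COST_PER_CASE):
    """Expected outcome of screening `population` at false positive rate `fpr`."""
    if not 0.0 <= fpr <= 1.0:
        raise ValueError("fpr must be a probability")
    false_alarms = round((population - threats) * fpr)
    true_alarms = round(threats * detection_rate)
    flagged = false_alarms + true_alarms
    precision = true_alarms / flagged if flagged else 0.0
    return Outcome(false_alarms, true_alarms, precision, flagged * cost_per_case)


def fpr_for_precision(target, population=PASSENGERS, threats=REAL_THREATS,
                      detection_rate=DETECTION_RATE):
    """False positive rate needed so that `target` of all alarms are real."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target precision must be in (0, 1]")
    true_alarms = threats * detection_rate
    allowed_false_alarms = true_alarms * (1 - target) / target
    return allowed_false_alarms / (population - threats)


def investigation_cost(people, cost_per_case=COST_PER_CASE):
    """Dollars needed to investigate `people` flagged individuals."""
    return people * cost_per_case


if __name__ == "__main__":
    # Sweep from the post's optimistic rate to its "more likely" 1 in 1,000.
    for fpr in (1e-6, 1e-5, 1e-4, 1e-3):
        o = screen(fpr)
        print(f"FPR {fpr:.0e}: {o.false_alarms:>9,} false alarms, "
              f"precision {o.precision:.4%}, cost ${o.cost:,}")
    print(f"FPR for 50% precision: {fpr_for_precision(0.5):.2e}")
    print(f"Investigating a 100,000-name list: ${investigation_cost(100_000):,}")
```

Under these assumptions, even the one-in-a-million rate leaves real threats at under 2% of the people flagged, which is the same alert-triage problem the post describes for security devices.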

And that's actually the right answer. The data's lousy, joining lousy data with more lousy data makes the results lousier, and it's too expensive to make it work. How lousy is the data? Sky Marshals are on the No-Fly list. No, really. 5 year olds, too.

So the Fed.Gov sweeps it under the rug, thanks everyone involved for all their hard work, and pushes the "off" button.

As expected, the Slashdot comments are all over this:

I'd take their "no fly" list and identify every single person on it who was a legitimate threat and either have them under 24 hour surveillance or arrested.
The mere concept of a list of names of people who are too "dangerous" to let fly ... but not dangerous enough to track ... that just [censored - ed] stupid.

At least everyone's looking busy. The analogies to gun control pretty much write themselves.

Wednesday, January 2, 2013

Antivirus products poor at catching new malware

The only thing new here is that it's being reported in the New York Times:

Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly.

...

A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.

It's getting worse, and very likely will continue to get worse.  Antivirus programs are really only a half step away from being security kabuki.

Friday, December 21, 2012

Why police in schools is a bad idea

Short answer: it won't do anything useful, it will be expensive, and it will further the Police State.

Long answer: It's Security Theater.  Expensive, intrusive Security Theater.

The world is full of soft targets.  Someone motivated to shoot up a soft target has lots of choices.  There's nothing that we can do to change that.

But it gets worse.  If the proper reaction to the Connecticut school shooting is to put armed police in every school, then the obvious proper reaction when an evil nut job shoots up (say) a hospital is armed police in every hospital.  Then when nut jobs turn their sights on libraries, we put police there.  Then grocery stores, then Starbuck's, then gas stations.


We've seen this game before, played out by the TSA: terrorists take guns onto planes and so we have metal detectors.  Then they put bombs in suitcases and so all our luggage gets X-Ray'ed.  Then they take bombs in their shoes and we have to take our shoes off in security.  Then they use liquids and mothers can't take bottles of breast milk.

It's a stupid game and we should stop playing.  There literally is no end, either to the TSA's idiocy or to Wayne LaPierre's.  Actually I just lied - there is an end, and it's called a Police State.  No thanks.

The mistake that the War On Terror™ warriors make is the same as the mistake the gun banners make, which is the same mistake the NRA just made.  Sprinkling Magic Government Security Dust™ on something doesn't make anything more, you know, secure.

It's been said over and over that there are only two things that have made air travel safe in the 9/11 age: reinforced cockpit doors and passengers who know that they have to fight for their lives.  It's harsh to say a week after the kids were gunned down, but the same thing applies to mass shootings.  The school had locked doors, what was lacking was the ability to fight for their lives.  That applies to schools, hospitals, libraries, stores, and to all the other infinitude of soft targets.

Neither the gun banners nor the NRA are willing to talk about this.  And so they talk about pretty lies that are security kabuki.

It's a stupid game and we should stop playing, because lives literally are on the line.

Friday, December 14, 2012

I'm angry about the school shooting

"Angry" doesn't describe it, actually.


People's reactions to this atrocity enrage me:
  • The Atlanta Falcons will have a minute of silence before their game on Monday.  This infuriates me, because it will do nothing to prevent this sort of thing in the future.  It's all preening - Look at me, I'm so sensitive.  Hey Atlanta Falcons, STFU if you're not going to do anything to prevent this in the future.  Just STFU.
  • ESPN has told their employees not to tweet anything until Monday.  This infuriates me, because it will do nothing to prevent this sort of thing in the future.  It's all preening - Look at me, I'm so sensitive.  Hey ESPN, STFU if you're not going to do anything to prevent this in the future.  Just STFU.
  • The Usual Suspects - I'm looking at you, Piers Morgan - are blathering idiocy about too many guns and the typical hand wringing.  This infuriates me, because it will do nothing to prevent this sort of thing in the future.  It's all preening - Look at me, I'm so sensitive.  Hey Piers Morgan, STFU if you're not going to do anything to prevent this in the future.  Just STFU.
  • Politicians, School Boards, and Principals are intimidated by powerful lobbying interests, afraid to take common sense steps that would actually be effective in stopping this sort of thing in the future.  This infuriates me because these people take our coin, and are too scared to actually do what everyone knows needs to be done.  Our children are literally dying because these people are too timid to do what needs doing.
What needs to be done is not more gun control. The UK banned guns after a horrific shooting at a kindergarten. Since that ban, gun crime has doubled in the UK, while it's plummeted here.  The Police didn't off the evil scum who shot those kids in Connecticut - he offed himself.  This is typical - the Police didn't shoot the Columbine shooter, or the Virginia Tech shooter.  No, we need a practical, common sense approach to school shootings.

We need armed teachers.

Right now, the only person with a gun in a school is an evil, criminal nut case.  Everyone is disarmed, by deliberate intent.  The nutcase will have maybe a half hour to work his evil before going out in a blaze of CNN.  Given the utter failure of the UK's almost complete ban on guns, this wouldn't change if we did the same here.

It would change completely if we had armed teachers.

#2 Son goes to a High School with 1,800 kids.  It has a lot more than 100 teachers.  If even 10% were armed, it would be simply impossible for an evil nut case to kill many kids before being dropped by the righteous return fire from a teacher.

And I am absolutely infuriated by all the people who are horrified by this suggestion, who instead cling to proven ineffective proposals like more gun control.  Infuriated, because these people either know better, or should know better, and instead choose to let our children bleed.  People who choose not to protect them.  People who refuse to trust our children's teachers, who would rather take refuge in public displays of how sensitive they are.  People who flinch from confronting evil, even to protect children.

People who choose to enable evil, rather than confront it.  They dance in children's blood, to show how nice they are.  To show that they're better than we are.

It enrages me - makes me rage until my floor turns to lava.

UPDATE 14 December 2012 21:23: Omnia vincit amor. A calmer post that's worth your while.

And a prayer.  Amen.

UPDATE 16 December 2012 21:34: An outbreak of sanity:

A tiny Texas school district may be the first in the nation to pass a law specifically allowing teachers and staff to pack heat when classes begin later this month.

Trustees at the Harrold Independent School District approved a district policy change last October so employees can carry concealed firearms to deter and protect against school shootings, provided the gun-toting teachers follow certain requirements.

Of course sanity breaks out in Texas first.

Wednesday, September 19, 2012

Flying with a sense of humor is prohibited

It seems that it wasn't the TSA that was the problem, it was Delta Airlines.  They didn't like it when a guy wore this t-shirt:


Quite a saga:

I was then questioned by TSA about the significance and meaning of the shirt. I politely explained that it was “mocking the security theater charade and over-reactions to terrorism by the general public — both of which we're seeing right now, ironically.” The agents inquired as to the meaning of the term “ZOMG” and who it was that I thought was “gonna kill us all.” As best I could tell, they seemed to find my explanation that I didn’t think anyone would be killing us all and that I was poking fun at overwrought, irrational fears exhibited by certain members of the flying public to be satisfactory.  And moreover, they clearly deemed my shirt to be no legitimate threat.

...

Soon afterwards, once the boarding process had commenced, the Delta supervisor pulled me aside again — this time accompanied by not only three TSA agents, but also multiple Niagara Frontier Transportation Authority transit police. I was questioned some more and my wife was also pulled out of line for additional questioning and screening. Our bags were searched, my shirt was photographed, we were asked multiple questions about the cause of our visit, how often we make it to western NY, and our drivers’ license numbers were taken and radioed in for what seemed to be a quick background check.

At this point, the TSA agents appeared satisfied we had nothing suspicious in our luggage and that we posed no threat. However, the Delta supervisor informed us the pilot had decided, regardless of the outcome of the multiple TSA screenings and my willingness to change shirts, that due to the discomfort my shirt has caused, my wife and I would not be allowed to board the aircraft. Passengers on the plane supposedly felt uncomfortable with my very presence on the flight. And the Delta manager went out of his way to point out that he wholeheartedly agreed with the pilot’s decision.

So how bad is Delta's overreaction?  They make the TSA look reasonable.  Yowzer.