Archive for August, 2006

Riding on the Metro

Wednesday, August 30th, 2006

I’ve ridden public transit, usually the subway (or, here in Chicago, the El) all over the globe. But based on this photo gallery, I’d say that the Moscow subway has to take the cake for things you’d see nowhere else.

Take for instance this guy:
Armed and dangerous-ish

I know, you’re thinking, There’s no way that guy is just sitting there with an assault rifle on the Moscow metro. And you’d be correct. Based on the safety goggles around his neck (more clearly in another picture which doesn’t feature the rifle as prominently), I’m guessing it’s an airsoft rifle.

But still, I’d probably be lucky if all I got was arrested if I hauled something like that onto the CTA. Some yahoo would probably decide to do something more than See Something, Say Something.

Beware the compensating control

Tuesday, August 29th, 2006

From Risks Digest:

A few days ago in Ekaterinburg city, in the Ural region in Russia, a man deposited 2000 rubles ($74 USD) in an ATM. Sounds ordinary so far, however the ATM credited his account with 2 billion rubles (yes, *billion*, with a B). When he informs the bank of this error, the clerk responds that he doesn’t care, he has other things to do!

The software error was probably quite unusual, hard to reproduce, and exceedingly rare. As a result, someone decided that it was an acceptable risk because if or when it occurred, the error would obviously be noticed and corrected during the bank’s normal reconciliation process. The reconciliation process, however, was obviously not being performed regularly enough (if at all). To make matters worse, when the account holder tries to activate yet another compensating control and explicitly flag the error, the bank still doesn’t react.

Now imagine if the guy had known anything about money laundering and wire transfers. He could have launched a series of wire transfers through the Baltics which would have put the money beyond the reach of the Russian bank and authorities in a matter of days. The poor operational processes and general lack of financial transparency and regulation in the post-Soviet countries mean that it’s still quite easy for large sums of money to effectively disappear–yet another compensating control that people assume must exist but in reality doesn’t.

Risk Geeks

Monday, August 28th, 2006

I meant to do this a while ago, but I wanted to mention that Alex Hutton has started blogging about Information Risk over at http://www.riskanalys.is/, “A place for Risk Geeks.”

They’ve chosen FAIR (Factored Analysis of Information Risk) as their preferred methodology for evaluating the world and have launched a new Risk Management consulting group, http://www.riskmanagementinsight.com, which utilizes and provides training on FAIR as well.

I also happen to really like his latest conclusion:

“Hands-On Technical Skills” without “Soft Skills” is simply gathering information. The process to turn information into data, and data into decisions is “Soft Skills”. Hands-On Technical Skills are useless without “Soft Skills”. Likewise, Soft Skills are useless without good information gathering and processing. If Information Risk Management as a discipline is ever going to even approach the sophistication of a para-science and move towards the credibility of Economics or even Meteorology then we’ll need to be very good at both.

I always thought the flow was that data gets turned into information, which in turn gets turned into decisions, but either way, I still agree with his point. If you consider yourself a Risk Geek, then by all means stop by and wish Alex the best of luck in his new endeavor.

Bad Amex! Bad!

Monday, August 28th, 2006

I went to register for on-line access to my Amex card this morning and discovered that these are their account and password rules:

Your User ID should:

* Contain 5 to 20 characters - at least one letter (not case sensitive)
* Contain no spaces or special characters (e.g., &, >, *, $, @)

I can live with that. It’s a little irritating but I have lots of usernames that have just letters and numbers in them.

But then I get to the password rules…

Your Password should:

* Contain 6 to 8 characters - at least one letter and one number (not case sensitive)
* Contain no spaces or special characters (e.g., &, >, *, $, @)
* Be different from your User ID

I know that security practitioners love to pronounce the End of Passwords as a meaningful security measure, but I’d prefer if my (company mandated) financial institutions didn’t help things along.
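As an added example (not Amex’s own code), here is a small Python model of the two rule sets quoted above, plus an inclusion-exclusion count of how many passwords the 6-to-8-character, case-insensitive rule actually admits; the 12-character comparison policy at the end is an assumption for contrast, not something Amex states.

```python
"""Model of the quoted Amex user-ID and password rules (added example, not
Amex code) and a keyspace estimate showing how small the password rule is."""
import math
import re

ALNUM = re.compile(r"[A-Za-z0-9]+")   # no spaces, no special characters

def valid_user_id(user_id: str) -> bool:
    """5-20 characters, alphanumeric only, at least one letter."""
    return (5 <= len(user_id) <= 20
            and ALNUM.fullmatch(user_id) is not None
            and any(c.isalpha() for c in user_id))

def valid_password(password: str, user_id: str) -> bool:
    """6-8 characters, alphanumeric only, at least one letter and one digit,
    compared case-insensitively, and not equal to the user ID."""
    return (6 <= len(password) <= 8
            and ALNUM.fullmatch(password) is not None
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and password.lower() != user_id.lower())

def password_keyspace(min_len: int = 6, max_len: int = 8,
                      letters: int = 26, digits: int = 10) -> int:
    """Count strings the rule accepts: for each length n, all alphanumeric
    strings minus the all-letter and all-digit ones (inclusion-exclusion).
    Case-insensitivity means only 26 distinct letters, not 52."""
    alphabet = letters + digits
    return sum(alphabet ** n - letters ** n - digits ** n
               for n in range(min_len, max_len + 1))

def keyspace_bits(space: int) -> float:
    """Equivalent key length in bits, for comparing policies."""
    return math.log2(space)

if __name__ == "__main__":
    amex = password_keyspace()
    print(f"Amex rule: {amex:,} passwords, {keyspace_bits(amex):.1f} bits")
    # Hypothetical comparison (assumption, not an Amex rule): 12 characters
    # drawn from all 94 printable ASCII characters, case-sensitive.
    strong = 94 ** 12
    print(f"12-char printable ASCII: {keyspace_bits(strong):.1f} bits")
```

The Amex rule yields roughly 41 bits of keyspace, which an offline guessing attack against a leaked hash exhausts quickly; the comparison policy is over 78 bits.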

Lessons not to learn from the Liqui-bombers

Friday, August 18th, 2006

I’ve seen various references to how this latest plot provides evidence that the composition of would-be bombers has expanded into the middle class. For example, according to the Wall Street Journal, the profile of potential terrorists has widened significantly thanks to the Liqui-bombers:

As British police piece together the alleged plot to down airlines over the Atlantic, emerging details point to a troubling — and growing — strain in Islamic terrorism in Europe: the involvement of women and middle-class, university-educated young men.

The origins of the plot date back to before the July 2005 London bombings, according to a person familiar with the matter, and involved a wide group of alleged plotters. At least three of the detainees rounded up last week are women, according to Hanif Qadir, who runs a youth group in east London, where many of the suspects lived. Most of the men were middle-class, many with jobs. One was a student and head of an Islamic society at a large London university.

They are a marked contrast to the stereotype of a homegrown Islamic terrorist as a disaffected young man on society’s fringes, such as Richard Reid, the British citizen who unsuccessfully tried to ignite a shoe bomb on a Miami-bound flight in December 2001.

(emphasis mine)

Given that we will never know if they were for real or not, and that even in the UK the odds of someone who is arrested being convicted of anything, much less terrorism, are only 2%, we don’t actually know if the profile of terrorists has changed or not.

What has really changed in our knowledge about the composition of the would-be-terrorist community? At this time, nothing.

Empirically, the population of proven terrorists seems to be composed primarily of disaffected, slightly unstable young men and men who come from old money.

The Liqui-bombers

Tuesday, August 15th, 2006

I know I’m just catching up on my reading, but I just now got to Tom Ptacek’s take at Matasano Chargen on the Liqui-bombers:

After today’s events, you gotta figure al Qaeda is sitting around in their Pakistani safe houses trying to think of the next stupid thing they can get us to restrict.

Their problem now: it’s going to be hard to get them to top “fluid”.

I think Tom may be a Liqui-bomber himself, since reading that almost made me snort coffee out my nose.

Note to NSA: Please don’t send Tom to Gitmo based on this accusation. He’s supposed to be at ChiSec next week and I’m looking forward to hoisting a pint or two with him.

We terrorize ourselves…again

Tuesday, August 15th, 2006

So according to Craig Murray, former British Ambassador, the self-inflicted degradation-of-service attack on the airline industry that started last week was based on arrests of guys who were barely out of the bragging stage:

None of the alleged terrorists had made a bomb. None had bought a plane ticket. Many did not even have passports, which given the efficiency of the UK Passport Agency would mean they couldn’t be a plane bomber for quite some time.

In the absence of bombs and airline tickets, and in many cases passports, it could be pretty difficult to convince a jury beyond reasonable doubt that individuals intended to go through with suicide bombings, whatever rash stuff they may have bragged in internet chat rooms.

What is more, many of those arrested had been under surveillance for over a year - like thousands of other British Muslims. And not just Muslims. Like me. Nothing from that surveillance had indicated the need for early arrests.

Then an interrogation in Pakistan revealed the details of this amazing plot to blow up multiple planes - which, rather extraordinarily, had not turned up in a year of surveillance.

We will now never know if any of those arrested would have gone on to make a bomb or buy a plane ticket. Most of them do not fit the “Loner” profile you would expect - a tiny percentage of suicide bombers have happy marriages and young children. As they were all under surveillance, and certainly would have been on airport watch lists, there could have been little danger in letting them proceed closer to maturity - that is certainly what we would have done with the IRA.

This implicitly tells us that one of two assumptions about terrorism no longer holds true. Either the assumptions of who could be a suicide bomber just effectively expanded to include parents of small children or the plot was bogus. Unfortunately, I’m afraid that the Bush & Blair administrations will choose the former, despite all the evidence supporting the latter and the opportunity to prove otherwise having been wasted by acting too soon.

Of course, when we consider how these arrests play out long-term, it doesn’t matter anyway. At this point in the so-called War on Terror, I wouldn’t be surprised if the reason they had to act right now was because the last intercept they picked up and deleted immediately after reading was one plotter saying to the other, “This whole thing is bullshit. It’s never going to happen and my wife is sick of me staying up all night IM’ing about it.”

Of the over one thousand British Muslims arrested under anti-terrorist legislation, only twelve per cent are ever charged with anything. That is simply harassment of Muslims on an appalling scale. Of those charged, 80% are acquitted. Most of the very few - just over two per cent of arrests - who are convicted, are not convicted of anything to do with terrorism, but of some minor offence the Police happened upon while trawling through the wreck of the lives they had shattered.

A 98% false positive rate for people under heavy surveillance up to and including phone & email monitoring indicates harassment, gross incompetence, or both. If you were to go through the life of any average citizen with a fine-toothed comb*, I’ll bet you’d come up with better than a 2% hit rate for criminal malfeasance. If that’s all they can get as a conviction rate on a population under this level of scrutiny, then these are probably better-than-average citizens who are simply being harassed for the intersection of their skin color and religious affiliation.

* This ignores any British equivalent to Probable Cause–I’m pretty ignorant of its presence or lack thereof in the British legal system, not that it seems to matter any more as soon as someone claims it’s for “Terrorism.”