As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Edited to add (2/3): The rest of the story.

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.

The company, unsurprisingly, is saying nothing.

VeriSign declined multiple interview requests, and senior employees said privately that they had not been given any more details than were in the filing. One said it was impossible to tell if the breach was the result of a concerted effort by a national power, though that was a possibility. "It's an ugly, slim sliver of facts. It's not enough," he said.

The problem for all of us, naturally, is if the certificate system was hacked, allowing the bad guys to forge certificates. (This has, of course, happened before.)

Are we finally ready to accept that the certificate system is completely broken?

Over all, there are now more people under "correctional supervision" in America -- more than six million -- than were in the Gulag Archipelago under Stalin at its height. That city of the confined and the controlled, Lockuptown, is now the second largest in the United States.

The accelerating rate of incarceration over the past few decades is just as startling as the number of people jailed: in 1980, there were about two hundred and twenty people incarcerated for every hundred thousand Americans; by 2010, the number had more than tripled, to seven hundred and thirty-one. No other country even approaches that. In the past two decades, the money that states spend on prisons has risen at six times the rate of spending on higher education.

[...]

The trouble with the Bill of Rights, he argues, is that it emphasizes process and procedure rather than principles. The Declaration of the Rights of Man says, Be just! The Bill of Rights says, Be fair! Instead of announcing general principles­ -- no one should be accused of something that wasn't a crime when he did it; cruel punishments are always wrong; the goal of justice is, above all, that justice be done­ -- it talks procedurally. You can't search someone without a reason; you can't accuse him without allowing him to see the evidence; and so on. This emphasis, Stuntz thinks, has led to the current mess, where accused criminals get laboriously articulated protection against procedural errors and no protection at all against outrageous and obvious violations of simple justice. You can get off if the cops looked in the wrong car with the wrong warrant when they found your joint, but you have no recourse if owning the joint gets you locked up for life. You may be spared the death penalty if you can show a problem with your appointed defender, but it is much harder if there is merely enormous accumulated evidence that you weren't guilty in the first place and the jury got it wrong. Even clauses that Americans are taught to revere are, Stuntz maintains, unworthy of reverence: the ban on "cruel and unusual punishment" was designed to protect cruel punishments -- flogging and branding -- that were not at that time unusual.

The author mentions the rise of for-profit businesses increasingly running prisons in the U.S., but I don't think he makes the point strongly enough. There is now a corporate interest in the U.S. lobbying for such things as mandatory minimum sentencing.

Abstract: This article argues that there is a 50-square-mile swath of Idaho in which one can commit felonies with impunity. This is because of the intersection of a poorly drafted statute with a clear but neglected constitutional provision: the Sixth Amendment's Vicinage Clause. Although lesser criminal charges and civil liability still loom, the remaining possibility of criminals going free over a needless technical failure by Congress is difficult to stomach. No criminal defendant has ever broached the subject, let alone faced the numerous (though unconvincing) counterarguments. This shows that vicinage is not taken seriously by lawyers or judges. Still, Congress should close the Idaho loophole, not pretend it does not exist.

1. TSA screener finds two pipes in passenger's bags.

2. Screener determines that they're not a threat.

3. Screener confiscates them anyway, because of their "material and appearance."

4. Because they're not actually a threat, screener leaves them at the checkpoint.

5. Everyone forgets about them.

6. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able to explain how they got there and, presumably, because of their "material and appearance" -- calls the police bomb squad to remove the pipes.

7. TSA does not evacuate the airport, or even close the checkpoint, because -- well, we don't know why.

I don't even know where to begin.

Though they cannot prove it, Dr Dror and Dr Hampikian suspect the difference in contextual information given to the examiners was the cause of the different results. The original pair may have subliminally interpreted ambiguous information in a way helpful to the prosecution, even though they did not consciously realise what they were doing.

[...]

This one example does not prove the existence of a systematic problem. But it does point to a sloppy approach to science. According to Norah Rudin, a forensic-DNA consultant in Mountain View, California, forensic scientists are beginning to accept that cognitive bias exists, but there is still a lot of resistance to the idea, because examiners take the criticism personally and feel they are being accused of doing bad science. According to Dr Rudin, the attitude that cognitive bias can somehow be willed away, by education, training or good intentions, is still pervasive.

Those of you who ordered signed copies from me are likely going to have to wait a couple more weeks. My copies will arrive from the publisher eventually; then I will sign them and ship them on to you.

Reviews are starting to come out. I expect more in the coming month.

At the end of February, I'll be at the RSA Conference in San Francisco. In addition to my other speaking events, Davi Ottenheimer will interview me about the book at something called The Author's Studio. I'll be doing two one-hour book signings at the conference bookstore. And, and this is the best news of all, HP has bought 1,000 copies of the book and will be giving them away at their booth. I'll be doing a couple of signings there as well.

The Department of Homeland Security flagged him as a potential threat when he posted an excited tweet to his pals about his forthcoming trip to Hollywood which read: 'Free this week, for quick gossip/prep before I go and destroy America'.

After making their way through passport control at Los Angeles International Airport (LAX) last Monday afternoon the pair were detained by armed guards.

Despite telling officials the term 'destroy' was British slang for 'party', they were held on suspicion of planning to 'commit crimes' and had their passports confiscated.

There just as to be more than this story. The DHS isn't monitoring the Tweets of random British tourists -- they just can't be.

EDITED TO ADD (1/30): According to DHS documents received by EPIC, the DHS monitors the Internet, including social media.

In February 2011, the Department of Homeland Security announced that the agency planned to implement a program that would monitor media content, including social media data. The proposed initiatives would gather information from "online forums, blogs, public websites, and messages boards" and disseminate information to "federal, state, local, and foreign government and private sector partners." The program would be executed, in part, by individuals who established fictitious usernames and passwords to create covert social media profiles to spy on other users. The agency stated it would store personal information for up to five years.

[...]

The records reveal that the DHS is paying General Dynamics to monitor the news. The agency instructed the company to monitor for "[media] reports that reflect adversely on the U.S. Government, DHS, or prevent, protect, respond government activities."

[...]

The DHS instructed the company to "Monitor public social communications on the Internet." The records list the websites that will be monitored, including the comments sections of [The New York Times, The Los Angeles Times, the Huffington Post, the Drudge Report, Wired, and ABC News.]"

Still, I have trouble believing that this is what happened. For this to work General Dynamics would have had to monitor Twitter for key words. ("Destroy America" is certainly a good key word to search for.) Then, they would have to find out the real name associated with the Twitter account -- unlike Facebook or Google+, Twitter doesn't have real name information -- so the TSA could cross-index that name with the airline's passenger manifests. Then the TSA has to get all this information into the INS computers, so that the border control agent knows to detain him. Sure, it sounds straightforward, but getting all those computers to talk to each other that fast isn't easy. There has to be more going on here.

EDITED TO ADD (1/30): One reader points out that this story is from the Daily Mail, and that it's prudent to wait for some more reputable news source to report the story.

EDITED TO ADD (1/30): There's another story from The Register, but they're just using the Daily Mail.

EDITED TO ADD (1/30): The FBI is looking for someone to build them a system that can monitor social networks.

The information comes from a document released on 19 January looking for companies who might want to build a monitoring system for the FBI. It spells out what the bureau wants from such a system and invites potential contractors to reply by 10 February.

The bureau's wish list calls for the system to be able to automatically search "publicly available" material from Facebook, Twitter and other social media sites for keywords relating to terrorism, surveillance operations, online crime and other FBI missions. Agents would be alerted if the searches produce evidence of "breaking events, incidents, and emerging threats."

Agents will have the option of displaying the tweets and other material captured by the system on a map, to which they can add layers of other data, including the locations of US embassies and military installations, details of previous terrorist attacks and the output from local traffic cameras.

EDITED TO ADD (1/30): New reports are saying that customs was tipped off about the two people, and their detention was not a result of data mining:

"Based on information provided by the LAX Port Authority Infoline -- a suspicious activity tipline -- CBP conducted a secondary interview of two subjects presenting for entry into the United States," says the spokesperson, who notes that the CBP "denies entry to thousands of individuals" each year. "Information gathered during this interview revealed that both individuals were inadmissible to the United States and were returned to their country of residence."

This makes a lot more sense to me.

However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider:

1. The Internet is an artificial environment that can be shaped in part according to national security requirements.

2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.

3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.

4. Software updates and network reconfigurations change cyberbattle space unpredictably and without warning.

5. Contrary to our historical understanding of war, cyberconflict favors the attacker.

6. Cyberattacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.

7. The difficulty of obtaining reliable cyberattack attribution lessens the credibility of deterrence, prosecution, and retaliation.

8. The "quiet" nature of cyberconflict means a significant battle could take place with only the direct participants knowing about it.

9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.

10. There are few moral inhibitions to cyberattacks, because they relate primarily to the use and abuse of data and computer code. So far, there is little perceived human suffering.