Korean woman foils Japanese fingerpint system with tape.

Japan spent ¥4 billion (roughly $43 million USD) on a newfangled fingerprint security system to keep undesirables out of their country and it works great unless someone thinks to put tape over their fingers:

The biometric system was installed in 30 airports in 2007 to improve security and prevent terrorists from entering into Japan, the Yomiuri Shimbun newspaper said.

The woman, who has a deportation record, told investigators that she placed special tapes on her fingers to pass through a fingerprint reader, according to Kyodo News.

[…] The South Korean woman was deported in July 2007 for illegally staying in Japan after she worked as a bar hostess in Nagano in central Japan, Kyodo said, citing justice ministry sources.

She was not allowed to re-enter Japan for five years after deportation but the Tokyo immigration bureau found her in August 2008 again in Nagano, Kyodo said.

A South Korean broker is believed to have supplied her with the tapes and a fake passport, the Yomiuri said, adding that officials believe many more foreigners might have entered Japan using the same technique.

No word on if the “special” tape had false fingerprints on it or just obscured her own prints enough to fool the system, but it’s still an impressive flaw in an expensive system. Ooops.

ArsTechnica ponders if it’s time for Microsoft to force critical updates.

Meanwhile back in the Windows ‘verse all the anti-virus and system patches in the world won’t make a bit of difference if no one bothers to actually apply them to their systems. A new malware package known as Conficker has been making sudden gains on systems across the net taking advantage of a vulnerability in Windows that was patched months ago. This prompts Joel Hruska over at ArsTechnica.com to ponder whether critical updates should be forced onto systems:

Microsoft issued a patch for MS08-067 on October 23 and rates the severity of the flaw as “Critical.” for all previous versions of Windows 2000, XP, XP-64, and Server 2003. Windows Vista and Windows Server 2008 are apparently less vulnerable; Microsoft’s aggregate severity rating for these two operating systems is “Important.”

There’s a story within the rise of Conficker that I think is worth exploring. Microsoft appears to have dealt with this issue in textbook fashion; the company issued a warning, released a patch, and (presumably) rolled that patch into November’s Patch Tuesday. A significant amount of time—five to six weeks—has passed since Microsoft released its fix, yet PC World reports Conficker may have already infected as many as 500,000 systems.

It would be extremely fascinating to see data on how a patch spreads throughout the Internet once released by Microsoft as well as information on whether or not the severity of any particular flaw affects how rapidly users move to apply the patch. Events like this this raise the question of whether or not Microsoft should have the capability to push critical security updates out to home users automatically, regardless of how AutoUpdate is configured. I say home users for a reason; businesses and enterprise-class companies may still need to deploy the patch on a specialized timeline in order to ensure servers stay operational.

The idea of mandatory updates is unpopular with a lot of folks, myself included, but there’s a fair argument to be made here. Microsoft takes a lot of shit for having major holes in their OS, but a lot of those holes are patched within a reasonable time upon their discovery. Those patches don’t do any good if they’re not applied and the average PC user is not a technical support guy like me and probably won’t even be aware that he needs to apply patches, but he won’t hesitate to blame Microsoft if he gets infected. At the very least I could see an argument for setting the option for critical updates to be installed automatically as the default with the option to turn it off for folks who know what they’re doing. We already have a number of different software packages, mostly DRM systems, that update themselves automatically whether the user wants them to or not and a lot of folks seem to have no problem living with that situation (the rest of us just don’t use that software). I see a much stronger argument that can be made for Microsoft doing the same with critical updates than any DRM system.

The problem of unpatched systems has gotten bad enough that back in 2005 some ISPs started blocking infected systems from using their services and others have been breaking Internet protocols in controversial ways to try and combat the problem, but the best offense is a good defense and that means individual users keeping their systems patched and running current anti-virus software.  The question then becomes: Should Microsoft be allowed to at least force the critical updates on its users?

Seven facts on why you should have anti-virus running on your Mac.

The security through obscurity that Mac users have enjoyed for years is finally starting to crumble and even Apple is owning up to it. They recently put out a support advisory last month in which they recommended that Mac user start running anti-virus software on their machines. It’s long been a gloating point for Mac users that anti-virus software was unnecessary on their systems, but as Apple’s market share increases it’s getting a point where there’s a profit motive for malware authors to start writing for the Mac platform and some of them already are.

Still there’s a resistance to the idea that the Mac may be vulnerable to the same sorts of malicious software that Windows users are and that prompted Graham Cluley to ask in a blog entry Do you really need anti-virus on your Apple Mac?

It started with just a small pebble being dropped into a pond. Apple updated one of its support advisories on 21 November, informing its customers that they are recommended to run anti-virus software.

Most people would never have noticed this announcement. I didn’t at first. I only heard about it when I saw the guys from Intego mention it on their Apple security blog on 25 November. A couple of days later, recovering from a bout of man-flu, I blogged about a new piece of Apple malware and mentioned in passing that Apple were now recommending their customers run anti-virus software.

Today, however, that small pebble dropped by Apple has turned into a tidalwave of commentary – and we’re seeing lots of news stories about Apple urging Mac users to protect themselves with anti-virus.

So, do you really need anti-virus on your Apple Mac?

From there he goes on to list seven facts and the comes to the following conclusion:

So, back to my original question, do you really need anti-virus on your Apple Mac?

The answer is yes.

It’s worth noting that Mr. Cluley works for Sophos, a company that produces anti-virus, anti-spam, firewall software packages for both big and small businesses, so it’s possible he may have a conflict of interest in promoting anti-virus software on the Mac. The fact that Apple has recommended the practice and that Mr. Cluley has been active in anti-virus research for some time prior to joining Sophos should help balance that out. That and the seven facts he lists make a pretty good argument.

The threat for Apple users is still relatively small compared to what Windows users face, but if Apple continues to gain market share then it won’t take long for it to grow. Of course the best defense is being educated about the threats, but for a lot of people that’s a commitment they don’t seem to be able to make.

Grenades in your luggage? TSA says that’s A-OK!

Someone please explain to me why the TSA says that you can’t have a bottle of shampoo larger than three ounces in your luggage or a pair of fingernail clippers, but a couple of grenades is OK:

Federal airport screeners found two grenades in the luggage of a man set to board a JetBlue flight at New York’s Kennedy airport, according to MyFOXNY.com.

TSA specialists then determined that the explosives were inert and allowed the passenger to board the plane without ever informing police, the TV station’s Web site reported.

The TSA maintained that it’s up to their own personnel to determine when to call police, and said the agency was reprimanded for notifying authorities in a similar incident last month, MyFOXNY.com reported.

Seriously, who is the dumbass coming up with these rules? Regardless of if the grenades were inert, which scenario do you think would cause the most concern among passengers: The one where a guy stands up and threatens to trim the toenails of everyone on board the plane if they don’t do what he demands or the one where the guy stands up holding a couple of grenades that may or may not be real?

Is the TSA staffed entirely by people with the mental capacity of Cheez Whiz? Is there not one competent person amongst them that can see the difference in potential threat between hand grenades and bottles of shampoo? The first thing that needs to be done if Obama wins the election is a complete overhaul, or preferably a complete disassembly, of the TSA. At the very least they need to hire someone with more than a third grade education to come up with the rules about what can and can’t be carried onto a plane.

Survey says 88% of IT workers would steal data if fired.

I have to admit that this ArsTechnica article surprises and angers me:

A study conducted by security company Cyber-Ark indicates that a significant number of corporate IT personnel snoop sensitive data, and nearly 9 out of 10 would take company secrets and remote access credentials with them if they were fired. This could pose a serious security risk for many companies and expose them to industrial espionage and other dangers.

The results of the Trust, Security and Passwords study are based on a survey of 300 system administrators at the Infosecurity 2008 event in Europe. Of the study respondents, 88 percent admitted they would take sensitive data with them when leaving their current place of employment, and approximately one-third said that they would abscond with company password lists. That could be a serious cause for concern for companies that have complex and loosely secured technological infrastructure.

Cyber-Ark claims that one-third of companies participating in the survey experience data breaches and theft on a regular basis. Information is leaked to competitors through a multitude of vectors, including e-mail, portable devices, and USB thumb drives. More than a quarter are also the victims of internal sabotage.

I have worked for two of the Big Three automotive companies (Ford and General Motors) as well as a number of other companies where I had access to all sorts of sensitive data and information and not once did I ever consider stealing any of it. Not because of any possible consequences of such an action, but because it would be wrong to do so. I’ve worked at the General Motors Design Center in Warren where I saw all manner of prototype vehicles that car magazines would love to get the details on ahead of time as well as the Milford Proving Grounds where the prototypes were put through their paces. I worked in the Alpha Building at Ford Motor Company where literally gigabytes of data on whole car lines were stored on various PCs and network shares. When I was laid off from Ford, twice, I was seriously upset, but not once did I consider the possibility of taking anything with me.

Sure both companies had policies in place meant to make such thefts harder – certain workstations GM blocked writing to USB devices of any kind – but nothing that I didn’t have knowledge of how to circumvent and certainly nothing proactive enough to have stopped me had I wanted to take any data. I suppose I’m just too honest to think of such things. I have a sense of honor at the idea that I’m entrusted with the care and support of such data. It angers me that so many others would violate that trust because, at a minimum, it makes my job that much harder. Stupid and ineffective restrictions, like the blocking of USB devices, just end up getting in the way of fixing machines and just the fact that so many others are untrustworthy means I’ll be looked at with suspicion by association. Hell, it means I’ll be looking at my fellow colleagues with suspicion as well and that’s just not the sort of work environment I want to be in.

The fact that this survey was done by a security company probably means it’s somewhat inflated, but if it’s even remotely close to the truth it’s very upsetting indeed.

If you use Gmail you should enable the SSL feature right now.

The folks over at Wired.com have an entry up on how and why you should enable Gmail’s SSL feature that is worth a read:

Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.

The reason why is pretty simple. Without the SSL feature turned on Gmail only uses a secure connection for the initial login and then all session data is sent back and forth unencrypted. The problem with that is your session data includes your login information which kinda defeats the point of having it encrypted during the login. Someone sitting with a packet sniffer looking at your network traffic could snatch that info from the data stream and have full access to your account and all the archived emails. By turning on the SSL feature the entire session will be encrypted from beginning to end.

You can tell if your session is encrypted by looking at the address bar of your browser. If you see HTTPS: at the start of the address while reading your email then you’re encrypted. This feature is turned off by default so if you haven’t specifically turned it on then you’ll want to. You can do that by clicking on the SETTINGS link in the upper right corner of the Gmail screen and on the GENERAL tab (which should be the default that comes up) you scroll down to where it says BROWSER CONNECTION and click on the box for “Always use https.” Then just press Save Changes to update your account. You may need to quit and login to Gmail again to make sure it’s working.

You won’t notice anything different about how Gmail works from before, but you’ll be a little better protected.

Gulf War vet and professional pilot loses job because of “no fly” list. [UPDATED]

The terrorist watch list is such a fucking joke, except that no one who is on it is laughing about it. It’s not a bad idea in principle, but the fact that you aren’t allowed to know if you’re on the list (at least until you get yanked aside at an airport) and you have no means of challenging your inclusion on the list renders it ineffective and unnecessarily troublesome. It’s the sort of thing you’d expect of Soviet-era Russia and not the United States of America. All it seems to have accomplished so far is ruining the lives of innocent people.

Take, for example, this news item about an Gulf War veteran and professional pilot who’s about to lose his job because he’s on the list:

“We don’t know why they’re on the list. They don’t know why they’re on the list. The government won’t tell us why they’re on the list,” said Amy Foerster, an attorney with Saul Ewing, who is providing pro bono counsel and working with the American Civil Liberties Union of Pennsylvania and the Schuylkill County couple on the case, which was filed in U.S. district court.

The suit filed against the U.S. departments of Homeland Security and Justice and the FBI, among others, is “unique” because Erich Scherfen, a New Jersey native who converted to Islam in the mid-1990s, is a commercial airline pilot whose flight privileges were revoked in April, said Witold Walczak, the legal director of the state ACLU chapter. On Sept. 1, Scherfen will be terminated by his employer, Colgan Air, despite the airline’s cooperation.

“My livelihood depends on getting off this list,” Scherfen said. What list he is on and which government entity maintains it is unclear, Walczak said. The federal government has declined to acknowledge flight restrictions placed on the pilot.

Yes, the pilot is Muslim and his wife is Pakistani and the natural assumption would be those are the only reasons why they’d be included on the list. It’s entirely possible the government feels it has a valid reason other than his religion and his wife’s country of origin, but they won’t say what their reasoning is. The whole terrorist watch list needs to be seriously overhauled and that’s not going to happen if John McCain gets into office.

After reading this I stumbled across a similar story on CNN.com:

SAN FRANCISCO, California (CNN)—James Robinson is a retired Air National Guard brigadier general and a commercial pilot for a major airline who flies passenger planes around the country.

He has even been certified by the Transportation Security Administration to carry a weapon into the cockpit as part of the government’s defense program should a terrorist try to commandeer a plane.

But there’s one problem: James Robinson, the pilot, has difficulty even getting to his plane because his name is on the government’s terrorist “watch list.”

That means he can’t use an airport kiosk to check in; he can’t do it online; he can’t do it curbside. Instead, like thousands of Americans whose names match a name or alias used by a suspected terrorist on the list, he must go to the ticket counter and have an agent verify that he is James Robinson, the pilot, and not James Robinson, the terrorist.

“Shocking’s a good word; frustrating,” Robinson—the pilot—said. “I’m carrying a weapon, flying a multimillion-dollar jet with passengers, but I’m still screened as, you know, on the terrorist watch list.”

He’s one of three people with that name that get screened all the time at airports:

[T]here’s the James Robinson who served as U.S. attorney in Detroit, Michigan, and as an assistant attorney general in the Clinton administration; and James Robinson of California, who loves tennis, swimming and flying to the East Coast to see his grandmother.

He’s 8.

The third-grader has been on the watch list since he was 5 years old. Asked whether he is a terrorist, he said, “I don’t know.”

Thank goodness the government is keeping us safe from all those terrorist five-year-olds! I feel SO much safer now. Meanwhile I’ve vowed not to fly in this country until they get this shit straightened out.

The sad part is that all three of these people have found a way around the problem. Just change their name slightly:

although the list is clearly bloated with misidentifications by every official’s account, CNN has learned that it may also be ineffective. Numerous people, including all three Robinsons, have figured out that there are ways not to get flagged by the watch list.

Denise Robinson says she tells the skycaps her son is on the list, tips heavily and is given boarding passes. And booking her son as “J. Pierce Robinson” also has let the family bypass the watch list hassle.

Capt. James Robinson said he has learned that “Jim Robinson” and “J.K. Robinson” are not on the list.

And Griffin has tested its effectiveness. When he runs his first and middle name together when making a reservation online, he has no problem checking in at the airport.

So not only is the watch list making life difficult for non-terrorists, but it’s also easily bypassed by a slight change of your name. What do you think the chances are of a terrorist using his real name to get on a plane these days anyway? In the meantime the airlines and the TSA are busy blaming each other and nothing gets fixed.

Thanks President Bush! Your legacy will live on for decades I’m sure. Shame it’s not something positive.

Vista’s security is not quite totally useless after all.

Last Friday I wrote about a presentation on a new hack attack that was claimed to make Vista’s security improvements all but useless. A lot of tech related websites ran the story as though it were the apocalypse for Windows as an OS, but the folks ovet at ArsTechnica.com say things aren’t quite as bad as they might seem:

The work done by Dowd and Sotirov focuses on making buffer overflows that were previously not exploitable on Vista exploitable. These are buffer overflows that would be exploitable on Windows XP anyway; after all, there’s no need to defeat ASLR if an OS does not have ASLR at all. Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista’s (in)famous UAC restrictions. DEP, ASLR, and the other mitigation features in Vista are unlikely to ever be unbreakable, especially in an application like a web browser that can run both scripts and plugins of an attacker’s choosing. Rather, their purpose is to make exploitation more difficult. Microsoft has a solution for those wanting to make it impossible—use .NET. These protections are there for when that’s not an option, to reduce—but not eliminate—the vulnerability caused by such programming errors. Even with DEP and ASLR, the coding errors that result in buffer overflows still ought to be fixed; it is only through fixing the errors that the flaws can truly be eliminated.

Even with the attacks described in the paper, Vista has many worthwhile security improvements compared to XP. Internet Explorer on Vista runs in a highly restricted environment, so that even when it is running malicious code it cannot harm the system. Stories suggesting that Vista’s security is now irredeemably broken are far off the mark; the truth is merely that some of its automatic security protection is less effective than it was before.

They even have a few suggestions on how Microsoft may be able to reduce, if not eliminate, the effectiveness of these new exploits. The whole article is worth a read just for the overview of the security improvements Windows Vista has in place and what the problems are that allow this new attack to succeed. The upshot, however, is that Vista isn’t completely vulnerable to hackers as some sites have suggested.

A new attack method may render Vista’s security useless. May also work on other platforms.

If this article at SearchSecurity.com is correct then Vista’s security system has been rendered moot for folks who insist on using Internet Explorer:

In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user’s machine.

Researchers who have read the paper that Dowd and Sotirov wrote on the techniques say their work is a major breakthrough and there is little that Microsoft can do to address the problems. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.

“The genius of this is that it’s completely reusable,” said Dino Dai Zovi, a well-known security researcher and author. “They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.

“What this means is that almost any vulnerability in the browser is trivially exploitable,” Dai Zovi added. “A lot of exploit defenses are rendered useless by browsers. ASLR and hardware DEP are completely useless against these attacks.”

I doubt that there’s truly little Microsoft can do about the problem, but the solutions involved might be unpalatable to their business goals (e.g. drop ActiveX altogether). The attack appears to rely on Internet Explorer specifically so one possible solution for Vista users is to switch to a different browser such as Firefox or Safari. Which, really, they probably should do anyway.

What’s more interesting is the conclusion of the article:

Dai Zovi stressed that the techniques Dowd and Sotirov use do not rely on specific vulnerabilities. As a result, he said, there may soon be similar techniques applied to other platforms or environments.

“This is not insanely technical. These two guys are capable of the really low-level technical attacks, but this is simple and reusable,” Dai Zovi said. “I definitely think this will get reused soon, sort of like heap spraying was.”

Unless those other platforms are running Internet Explorer and ActiveX I’m not sure how they’d be vulnerable, but then the article doesn’t go into great detail on exactly what the hack involves. Microsoft has said their aware of the presentation and are interested in looking at it more closely once it’s made public.

Study finds AMBER Alerts are great drama, but have few successes.

I don’t know if you folks in other countries have a similar system, but here in America we have something called an AMBER Alert which is used to get the word out about abducted children in hopes of someone phoning in a tip quickly before the child is harmed.  The word AMBER is a backronym for “America’s Missing: Broadcasting Emergency Response” as well as being the name of a little girl whose abduction and murder brought about the legislation that created the system. Most of the states, including Michigan, participate in the program in some fashion and when activated messages will go out on TV, radio, electronic highway signs, digital billboards, SMS text messages, and even in some places on lottery tickets. Details on the child’s physical appearance and (if the medium allows it) a picture will be included.

It seems like a good idea that should result in saved lives, but very few people have ever questioned if it actually works. Now at least one study says it often doesn’t make a difference:

The program’s champions say that its successes have been dramatic. According to the National Center for Missing and Exploited Children, more than 400 children have been saved by Amber Alerts. Of the 17 children Massachusetts has issued alerts on since it created its system in 2003, all have been safely returned.

These are encouraging statistics – but also deeply misleading, according to some of the only outside scholars to examine the system in depth. In the first independent study of whether Amber Alerts work, a team led by University of Nevada criminologist Timothy Griffin looked at hundreds of abduction cases between 2003 and 2006 and found that Amber Alerts – for all their urgency and drama – actually accomplish little. In most cases where they were issued, Griffin found, Amber Alerts played no role in the eventual return of abducted children. Their successes were generally in child custody fights that didn’t pose a risk to the child. And in those rare instances where kidnappers did intend to rape or kill the child, Amber Alerts usually failed to save lives.

[…] “Amber Alert is a victim of its own fantastically good intentions,” says Griffin. “If someone gets ahold of a kid and has sufficiently nasty intentions, in the long run there’s not much we can do.”

Defenders of the program reject Griffin’s argument. Some dismiss it as needless hair-splitting, while others question his data. And, considering the grim stakes, most see little point in criticizing a tool that saves any lives at all. “If an Amber Alert saves any child, don’t you think it was worth it?” says Terrel Harris, a spokesman for the Massachusetts Executive Office of Public Safety and Security.

What Amber Alerts do create, its critics say, is a climate of fear around a tragic but extremely rare event, pumping up public anxiety. Griffin calls it “crime control theater,” and his critique of Amber Alerts fits into a larger complaint on the part of some criminologists about crime-fighting measures – often passed in the wake of horrific, highly publicized crimes – that originate from strong emotions rather than research into what actually works. Whether it’s child sex-offender registries or “three strikes” criminal-sentencing rules, these policies, critics warn, can prove ineffective, sometimes costly, and even counterproductive, since they heighten public fears and distract from threats that are at once more common and more tractable.

“The problem with these politically expedient solutions is that they look good but do very little to solve the problem,” says Jack Levin, a professor of sociology and criminology at Northeastern.

The researchers go on to point out that there are some successes, even a couple of very dramatic ones, and they admit their results are preliminary at the moment, but the results seem to indicate that the system doesn’t play a huge role in the vast majority of cases. Still the fact that it does play a role in at least some cases is more than enough justification on the part of supporters to keep the system:

To supporters of the system, these arguments are at once misguided and dangerous. To say that only children snatched by unrelated child rapists are truly in danger, they argue, is setting the bar too high. Any abduction is deeply traumatic for a child, they argue, and a parent with a gun has certainly put that child in harm’s way.

“There’s an extremely high level of danger in violent domestic disputes,” says Robert Hoever, who directs the National Center for Missing and Exploited Children’s Amber Alert program.

But more generally, Amber Alert’s defenders take issue with the idea that a low success rate should be seen as a fault with the program. Just because the Amber Alert system doesn’t save more children than it does, they argue, hardly qualifies it as a failure.

“It doesn’t cost anybody anything,” argues Tyler Cox, operations manager for radio station WBAP, chairman of the Dallas/Fort Worth Amber Plan Task Force, and one of the people who helped create the original Amber Alert. “There’s no expense to operating an Amber Alert system if you’re doing it the right way.”

The authors of the study, however, say that there’s still a cost inherent in the program even if it’s more psychological than monetary:

“It creates a sense of paranoia, not only in parents, but in children themselves,” says James Alan Fox, a Northeastern University professor of criminal justice.

Historically, crimes against children have shown a particular tendency to inspire strong measures. The criminologist Kristen Zgoba, now a researcher with the New Jersey Department of Corrections, has looked at the genesis of Amber Alert and Megan’s Law (named after a raped and murdered 7-year-old, Megan’s Law established state registries for sex offenders). Zgoba argues that while the number of stranger abductions and murders of children has remained steady over the years, public fear around the issue has fluctuated wildly, cohering into national panics from time to time, as in the summer of 2002, when several high-profile disappearances led cable news channels to proclaim the “summer of abduction.”

In fact, according to Fox, stranger abductions remain exceedingly rare: In the United States, he calculates, the odds of a child being kidnapped by someone he or she doesn’t know are roughly one in a million. “We tell kids, ‘Don’t talk to strangers, they all want to abduct you,’ but if a child needs assistance, a stranger will generally help them, not hurt them,” Fox argues.

This is, of course, little consolation to parents who have lost children to kidnappers. But, according to Fox, if we want to save children’s lives, we’d do better to worry about loosely enforced bicycle helmet and seat-belt laws, or the safety standards of school buses – all of which are much more statistically dangerous but lack comparably high-profile systems for stoking public concern.

There are far too many laws on the books that were created because of strong emotions taking precedence over logic and reason and the results have been mixed at best. The idiocy of Zero Tolerance laws, for example, have made it impossible for someone who got onto a Sex Offender registry because they had consensual sex as a teenager with another teenager to find a place to live or a job or, even more ludicrous, resulting in some teenager being kicked out of school for carrying aspirin in her purse.

It’s fair to ask if the program actually makes a difference or if the time and effort involved could be better spent elsewhere. If it truly costs no money and it does help a fair amount of children then the AMBER system should be kept in place, but if it’s largely just making people paranoid for no good reason then maybe there are better ways to “think of the children.”