BART Independent Police Auditor job posting

BART has just posted a job listing for Executive Staff Assistant, Independent Police Auditor. The BART Police obviously are generating a lot of demand for independent audits, having killed at least two people recently.

Despite changing chiefs (following last year’s killing) the department is now facing the same heavy criticism from the public. They are accused of taking too long to explain events and details from this past July 3rd, when an officer shot and killed a man 25 seconds after confronting him.

One of the complaints I see is that a 250-member police force has been unapproachable and even refused witness testimony.

Some of the cops began asking if anyone had seen the shooting, she said.

Hollero said she told one police officer that she had, but she said it didn’t seem like the officer was interested in following up. She left the station without giving an interview to police.

In the days since, Hollero called the San Francisco Police Department, which is investigating the shooting, to report what she saw. She reached an officer Wednesday morning; when she identified herself as a witness to the shooting on Sunday, she said the officer asked, “What shooting are you referring to?”

When she told him, he answered that “this is sounding like a BART issue” and said she should call the BART tip line but he didn’t have the number. Hollero said that she then called BART [tip line: 510-464-7040], but only got an answering machine.

The auditor role appears designed to help with that and other important functions for running investigations such as processing and releasing information to the public more quickly.

5. Screens incoming calls, responds to questions and complaints from the general public or from departments; provides information based on knowledge of existing policies, procedures, programs, or services; reviews and investigates problems, and recommends appropriate action or referral; prepares summary reports as required.

6. Obtains essential information from complainants, witnesses, and others, including over the phone, in-person, or through written or electric correspondence, necessary for the Office of the Independent Police Auditor to initiate an investigation.

7. Receives visitors to the Office of the Independent Police Auditor, including members of the public and individuals from other BART departments, and determines how to address their requests, inquiries, etc.

8. Independently composes, compiles and prepares correspondence, reports and documents; reviews finished materials for completeness, accuracy and compliance with District policies and procedures.

I’ll let you draw your own conclusions from the released surveillance video.


What jumps out to me is the police draw and fire bullets yet the video indicates other passengers are not far away and that they sense no serious/station threat. They leave the area calmly without pause to assess the danger, which could explain why there have been no amateur videos or photos released.

The official police report says the victim raised a large knife above his head but he is too far away to be seen in the video.

The victim also is said to have broken a glass bottle near the more experienced officer, who then slipped and fell on the liquid. The knife may have been threatening but the sound/visual of a bottle being broken and an officer slipping and falling down sounds far more likely to have been what spooked the less experienced officer into firing his gun. Audio would certainly help…

The only audio so far is a recording of the officer with only 18 months experience calmly reporting that he (officer #41) has just fired shots at a man with a knife and needs a code 3 ambulance (emergency response).

It is interesting to note the similarities between the Oscar Grant and Charles Hill investigations. Both were on holidays (New Year’s 2009 and 4th of July 2011), both were late-night reports of drunk and disorderly conduct, and both involved officers with less than two years’ experience firing bullets instead of their taser (although it’s not clear yet whether the officer firing bullets in the latest case was the one carrying a taser).

The Failure of the Play Pump

It was supposed to be a simple technology change to solve the problem of pumping water for women and children. Replace hand pumps with merry-go-rounds and when children play the water is pumped (like a windmill on its side) into a storage tank. Apparently $60 million was raised, including $10 million from the US government and $5 million from the founder of AOL.

Instead, in just three years, it has quietly become a study in product failure.

Costello visited more PlayPump sites, the next one in a more remote part of Mozambique with fewer children around. Women tell her that spinning the merry-go-rounds is often hard work without help, and hard especially for the older women. They tell her the old hand pumps were much easier, and that no-one consulted them about the change. The PlayPump just arrived.

Most Vulnerable App for Android

It’s a race to the bottom. Or, we learn how to improve from studying mistakes, à la target practice. Either way you look at it, Zuk offers an Android app with all the fixings.

Download the MoshZuk Application: contains the following vulnerabilities:

Stack Overflow
Heap Overflow
SQL Injection
Command Injection
Format Strings
Double Free
Directory Traversal
Race Condition
Hardcoded Passwords
Bad code habits
Overblown permissions
Bad file permissions

The best part is, we’ve specially constructed the vulnerabilities so it can be chained (extra points in this competition)

I look at it as the new Zuk standard for automated code analysis tests – the Zuk afikoman hunt. If a tool can’t find 100% it fails.

When the code is released it probably will be copied and used by developers who want to write apps but do not realize it was written to be vulnerable. The flip side is thus that attackers will create simple automation to quickly find and target apps ignorantly based on MoshZuk.

E.A.S.T. Fraud Update

Data on ATM fraud in 23 countries has been released in the second European ATM Security Team (EAST) European Fraud Update for 2011.

Skimming attacks at ATMs continue with 20 countries reporting incidents. 8 countries reported increases in such incidents, and 2 countries decreases. 2 countries have reported a new variant of skimming device, and three countries that anti-skimming devices have been successfully over-ruled or removed by criminals.

This follows the recent EMV loophole investigations in Operation Night Clone (simultaneous arrest operations in Bulgaria, Italy, Spain, Poland and the USA involving over 200 police officers), as explained by Europol.

Organised crime groups are always looking for new criminal opportunities and for some time they have been targeting the vulnerability of payment cards with magnetic strips. Within the EU, criminals’ work has been made more difficult with the full implementation of EMV technology (chip and PIN), but criminals have since exploited a loophole in these security arrangements by making illegal transactions with EU issued cards in non-EMV compliant regions, including Africa and the USA. Payment cards in the EU are targeted for cloning, and the fraud committed in other regions which still accept payment by magnetic strip. This was the major feature of the criminal methodology used by the organised crime group in this case and is an increasingly common problem.

I suppose they would also consider on-line transactions or other card-not-present situations a “loophole”.
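
On the issuer side, the pattern Europol describes (a chip card from an EMV region read by magnetic stripe somewhere else) can be checked per transaction. The sketch below is an example added here, not code from EAST or Europol. The record layout, the sample transactions and the six-hour window are assumptions; the entry-mode values follow common ISO 8583 usage, and a track service code starting with 2 or 6 marks a chip card.

```python
from datetime import datetime, timedelta

CHIP_MODES = {"05", "07"}     # ISO 8583 POS entry mode: contact / contactless chip
STRIPE_MODES = {"02", "90"}   # ISO 8583 POS entry mode: magnetic stripe read
WINDOW = timedelta(hours=6)   # assumed threshold for "too soon after home use"

# Constructed sample records:
# (card, timestamp, terminal country, issuer country, service code, entry mode)
TXNS = [
    ("card-A", "2011-07-01T09:00", "IT", "IT", "201", "05"),
    ("card-A", "2011-07-01T11:30", "US", "IT", "201", "90"),
    ("card-B", "2011-07-01T10:00", "ES", "ES", "201", "05"),
    ("card-B", "2011-07-04T15:00", "US", "ES", "201", "90"),
    ("card-C", "2011-07-02T08:00", "US", "US", "101", "90"),  # stripe-only card
    ("card-D", "2011-07-02T12:00", "PL", "PL", "201", "90"),  # domestic stripe read
]


def flag_stripe_abroad(txns, window=WINDOW):
    """Return alerts for chip cards read by magnetic stripe outside the issuer country.

    Each alert is (card, timestamp, reasons). "stripe_abroad" alone can be a
    legitimate traveller; "recent_home_chip_use" means the physical card was
    chip-read at home shortly before, so the stripe read abroad is likely a clone.
    """
    last_home_chip = {}   # card -> time of the last chip read in the issuer country
    alerts = []
    for card, ts, term_cc, issuer_cc, svc, mode in sorted(txns, key=lambda t: t[1]):
        when = datetime.fromisoformat(ts)
        if mode in CHIP_MODES and term_cc == issuer_cc:
            last_home_chip[card] = when
            continue
        is_chip_card = svc[0] in "26"   # service code digit 1: 2 or 6 = card has a chip
        if is_chip_card and mode in STRIPE_MODES and term_cc != issuer_cc:
            reasons = ["stripe_abroad"]
            seen = last_home_chip.get(card)
            if seen is not None and when - seen <= window:
                reasons.append("recent_home_chip_use")
            alerts.append((card, ts, reasons))
    return alerts


if __name__ == "__main__":
    for alert in flag_stripe_abroad(TXNS):
        print(alert)
```
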