At CNN today, Schneier writes that security worked on Dec. 25, and that responses to the just-indicted undie fundie‘s thwarted bomb attack amount to over-reacting — something he parallels to other threats in society today:

We’re doing these things even though airplane terrorism is incredibly rare, the risk is no greater today than it was in previous decades, the taxi to the airport is still more dangerous than the flight, and ten times as many Americans are killed by lightning as by terrorists….

…Focus on the general risk of terrorism, and not the specific threat of airplane bombings using PETN-filled underwear. Focus on the general risk of troubled teens, and not the specific threat of a lone gunman wandering around a school. Ignore the movie-plot threats, and concentrate on the real risks.

On his own blog today, Schneier posits where security was poor:

To the extent security failed, it failed before Abdulmutallab even got to the airport. Why was he issued an American visa? Why didn’t anyone follow up on his father’s tip?

Elsewhere on his blog, Schneier has launched a design contest: help design a new logo for the Transportation Security Administration. Deadline’s Feb. 6. Here’s what’s at stake:

Winner receives copies of my books, copies of Patrick Smith’s book, an empty 12-ounce bottle labeled “saline” that you can refill and get through any TSA security checkpoint, and a fake boarding pass on any flight for any date.

Finally, here’s a shot of the recently completed prototype of the Bruce Schneier action figure, available for $99 at ThatsMyFace.com:

Clockwise from top left: Michele Bachmann, Jim Hagedorn, Lynne Torgerson, Al Franken, Bradlee Dean, Tony Sertich

From U.S. Rep. Michele Bachmann famously urging fellow conservatives to “slit our wrists” in opposition to health care reform to state Rep. Tony Sertich warning about “www.anybody.com” running wild at the Capitol, you have the Minnesota Independent to thank — or blame — for foisting these quotations on the world this year.

Our favorite ten quotes from 2009:

“What we have to do today is make a covenant, to slit our wrists, be blood brothers on this thing. This will not pass. We will do whatever it takes to make sure this doesn’t pass.”

– Michele Bachmann, member of Congress from Minnesota’s Sixth District, speaking to conservatives in Colorado

“The fruit of morality is Jesus Christ! That’s why we do high school assemblies.”

– Bradlee Dean, founder of You Can Run But You Cannot Hide International, purveyor of punk-rock assemblies to public schools

“If it’s somebody who designs their own Web site and comes down to the Capitol … we could be deluged with www.anybody.com walking through the door saying, ‘I’m the online media, let me have floor access.’ You think the House chamber is a ruckus … now, wait till all the bloggers get here and show up en masse.”

– Tony Sertich, majority leader, Minnesota House of Representatives, on floor-access restrictions for online media

“Until Paul Wellstone’s plane crash, DFL Trotskyites were confident the Senator would soar to victory over Norm Coleman … [emphasis his]”

– Jim Hagedorn, Republican candidate for Congress in Minnesota’s First District, in one of the quips scrubbed from his “Mr. Conservative” blog

“Keith Ellison simply is not a proper person to have in our federal government.”

– Lynne Torgerson, independent candidate for Congress in Minnesota’s Fifth District, on her campaign website

“We will be seated. And by ‘we,’ I mean me.”

– Al Franken, addressing young DFLers during the election-contest phase of his recount battle with former U.S. Sen. Norm Coleman

“I loathe, hate, despise and detest Franken and all of his supporters. I believe that this so-called hacking is just more dirty tricks by that dirtbag and his pals.”

– Gary Govro, one of the donors whose personal financial information was left unsecured at Coleman’s campaign website

“Complete and utter bullshit.”

– Bruce Schneier, technology expert, on the claim that Coleman’s online database breach didn’t compromise donors’ information

“When I think of Sarah I think of eagles.”

– Man waiting outside Mall of America book-signing event, holding photos he intended to give to Sarah Palin

“No need to poke me. There’s no need to touch me.”

– Staffer at U.S. Rep. Betty McCollum’s St. Paul office, where opponents of health care reform gathered for an impromptu “town hall” meeting

According to ThatsMyFace.com, crypto-groupies can “[b]uy Bruce’s lifelike head mounted on a 12-inch’ action figure body with pre-fitted clothes.” Options include “Casual Bruce” or “Smart Bruce” with “scalp” options that include his trademark ponytail, “bald” or “Cyborg” (for an additional fifteen bucks).

On his blog, Schneier — who weighed in for us in March on the breach of former Sen. Norm Coleman’s donor database — says he doesn’t get any royalties from sales. He says he’d like to see profits go to online civil liberties groups EFF or EPIC, but to do so would’ve raised the price even more.

“I’ve told them that at $100 no one will buy it, but at $40 it’s a funny gift for your corporate IT person,” he writes. “So e-mail the company if you’re interested, and if they get enough interest they’ll do a bulk order.”

Reached by email, he told MnIndy the notion of a Bruce Schneier action figure is “surreal.”

“It’s not as interesting as it might appear,” he added. “I don’t think they’re making them to sell.  I think they’re making them as a custom order when someone buys one.  That’s why the price is so high.”

So far the company doesn’t yet show a photo of the action figure (we’ll post one when it does). To promote the hundred-buck figures it displays a computer rendering of Schneier’s head — a resin version of which, it’s worth adding, can be purchased sans body for a mere $29.

Norm Coleman’s attorney, Fritz Knaak, stated Thursday that the campaign had “a high degree of confidence” that the late-January exposure of its unprotected donor database didn’t result in the loss of sensitive data. A day earlier, Knaak initially leveled the claim, noting that Secret  Service investigators looking into the database breach “did not discover that any individual had been able to obtain confidential, personal financial information.”

But this week’s news that Wikileaks.org had obtained the 4.3 gigabyte database casts doubt on that statement — and so does Bruce Schneier, the Twin Cities-based technology expert dubbed a “security guru” by The Economist. Reached by phone at a Washington, D.C., technology conference late Thursday, Schneier characterized the campaign’s claim as “complete and utter bullshit.”

“It’s impossible to make that claim,” he said. “Either they misunderstood what the [Secret Service] said or they’re out-and-out lying. How can you determine the absence of something happening?”

The Secret Service has confirmed for the Minnesota Independent that an investigation is under way but said it couldn’t comment on ongoing cases.

Schneier said he didn’t know that IT professional Adria Richards had uncovered the security flaw with no advanced tools, but after learning it from the Minnesota Independent, he said of the Coleman campaign’s tech security: “It sounds like they didn’t have any, if what you’re saying is true. That seems pretty sloppy.”

He noted that it’s correct to call the exposure of the database a “breach,” as the campaign has done. “When someone who’s not authorized does it, we’d consider it a breach.”

But he wouldn’t call what Richards did — find and take a screen capture of an unprotected public Web directory — hacking.

“It’s not like it’s skilled hacking,” he said. “If I walk into an open door and steal a purse, am I cat burglar? … It’s not in the fine tradition of hacking because it took not a lot of skill. I wouldn’t use the term, but others might.”

He acknowledged that the law surrounding online security is “squirrely.” For instance, he said he’s unclear on whether viewing the unprotected Web directory where, for a few hours on Jan. 28, the directory existed could be considered a criminal act or whether this reporter could be prosecuted for clicking a direct link to the database that was left in comments in January at Minnesota Independent. (For the record, I didn’t download the file.)

“This law is still evolving, and some of it is really stupid,” he said. “People have been convicted for this. … It’s possible you would’ve been prosecuted.”

The exposure of the donor information, which included credit card numbers and three-digit security codes for them, is big news, he said, mainly because it involves a former U.S. senator who’s now locked in a political battle to regain his seat.

But he says such breaches — and mistakes about security for sensitive information — happen all the time.

“Companies do this, governments do this again and again and again,” he said. “While they definitely should know better, we’ve learned repeatedly that organizations don’t know better. It’s not, ‘Oh, God, look what they’ve done!’ It’s more: ‘Oh. It happened again.’”

“This couldn’ve happened to anybody – and it does.”