Schneier on Security

Cheap!

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

In his blog:

I think the most important security issues going forward center around identity and trust. Before knowing I would soon encounter Bruce again in the media, I bought and read his new book Liars & Outliers and it is a must-read book for people looking forward into our security future and thinking about where this all leads. For my colleagues inside the government working the various identity management, security clearance, and risk-based- security issues, L&O should be required reading.

[...]

L&O is fresh thinking about live fire issues of today as well as moral issues that are ahead. Whatever your policy bent, this book will help you. Trust me on this, you don’t have to buy everything Bruce says about TSA to read this book, take it to work, put it down on the table and say, “this is brilliant stuff.”

I'm hosting Kip Hawley on FireDogLake's Book Salon on Sunday at 5:00 - 7:00 PM EDT. Join me and we'll ask him some tough questions about his new book.

I like this essay because it nicely illustrates the security mindset.

It was written in 1971, but this still seems like a cool book:

For an elementary illustration of tactics, take parts of your face as the point of reference; your eyes, your ears, and your nose. First the eyes: if you have organized a vast, mass-based people's organization, you can parade it visibly before the enemy and openly show your power. Second the ears; if your organization is small in numbers, then do what Gideon did: conceal the members in the dark but raise a din and clamor that will make the listener believe that your organization numbers many more than it does. Third, the nose; if your organization is too tiny even for noise, stink up the place.

Always remember the first rule of power tactics: Power is not only what you have but what the enemy thinks you have.

The second rule is: Never go outside the experience of your people. When an action or tactic is outside the experience of the people, the result is confusion, fear, and retreat. It also means a collapse of communication, as we have notes.

The third rule is: Wherever possible go outside the experience of the enemy. Here you want to cause confusion, fear, and retreat.

The fourth rule is: Make the enemy live up to their own book of rules. You can kill them with this, for they can no more obey their own rules than the Christian church can live up to Christianity.

The fourth rule carries within in the fifth rule: Ridicule is man's most potent weapon. It is almost impossible to counterattack ridicule. Also it infuriates the opposition, who then react to your advantage.

The sixth rule is: A good tactic is one that your people enjoy. If your people are not having a ball doing it, there is something very wrong with the tactic.

The seventh rule: A tactic that drags on too long becomes a drag.

[...]

The twelfth rule: The price of a successful attack is a constructive alternative. You cannot risk being trapped by the enemy in his sudden agreement with your demand and saying "You're right--we don't know what to do about this issue. Now you tell us."

The thirteenth rule: Pick the target, freeze it, personalize it, and polarize it.

Need some pre-industrial security for your USB drive? How about a wax seal? Neat, but I recommend combining it with encryption for even more security!

According to a report from the DHS Office of Inspector General:

Federal investigators "identified vulnerabilities in the screening process" at domestic airports using so-called "full body scanners," according to a classified internal Department of Homeland Security report.

EPIC obtained an unclassified version of the report in a FOIA response. Here's the summary.

To New Zealand:

United States Secretary of Homeland Security Janet Napolitano has warned the New Zealand Government about the latest terrorist threat known as "body bombers."

[...]

"Do we have specific credible evidence of a [body bomb] threat today? I would not say that we do, however, the importance is that we all lean forward."

Why the headline of this article is "NZ warned over 'body bombers,'" and not "Napolitano admits 'no credible evidence' of body bomber threat" is beyond me.

Why do otherwise rational people think it's a good idea to profile people at airports? Recently, neuroscientist and best-selling author Sam Harris related a story of an elderly couple being given the twice-over by the TSA, pointed out how these two were obviously not a threat, and recommended that the TSA focus on the actual threat: "Muslims, or anyone who looks like he or she could conceivably be Muslim."

This is a bad idea. It doesn’t make us any safer -- and it actually puts us all at risk.

The right way to look at security is in terms of cost-benefit trade-offs. If adding profiling to airport checkpoints allowed us to detect more threats at a lower cost, than we should implement it. If it didn't, we'd be foolish to do so. Sometimes profiling works. Consider a sheep in a meadow, happily munching on grass. When he spies a wolf, he's going to judge that individual wolf based on a bunch of assumptions related to the past behavior of its species. In short, that sheep is going to profile...and then run away. This makes perfect sense, and is why evolution produced sheep -- and other animals -- that react this way. But this sort of profiling doesn't work with humans at airports, for several reasons.

First, in the sheep's case the profile is accurate, in that all wolves are out to eat sheep. Maybe a particular wolf isn't hungry at the moment, but enough wolves are hungry enough of the time to justify the occasional false alarm. However, it isn't true that almost all Muslims are out to blow up airplanes. In fact, almost none of them are. Post 9/11, we’ve had 2 Muslim terrorists on U.S airplanes: the shoe bomber and the underwear bomber. If you assume 0.8% (that’s one estimate of the percentage of Muslim Americans) of the 630 million annual airplane fliers are Muslim and triple it to account for others who look Semitic, then the chances any profiled flier will be a Muslim terrorist is 1 in 80 million. Add the 19 9/11 terrorists -- arguably a singular event -- that number drops to 1 in 8 million. Either way, because the number of actual terrorists is so low, almost everyone selected by the profile will be innocent. This is called the "base rate fallacy," and dooms any type of broad terrorist profiling, including the TSA’s behavioral profiling.

Second, sheep can safely ignore animals that don't look like the few predators they know. On the other hand, to assume that only Arab-appearing people are terrorists is dangerously naive. Muslims are black, white, Asian, and everything else -- most Muslims are not Arab. Recent terrorists have been European, Asian, African, Hispanic, and Middle Eastern; male and female; young and old. Underwear bomber Umar Farouk Abdul Mutallab was Nigerian. Shoe bomber Richard Reid was British with a Jamaican father. One of the London subway bombers, Germaine Lindsay, was Afro-Caribbean. Dirty bomb suspect Jose Padilla was Hispanic-American. The 2002 Bali terrorists were Indonesian. Both Timothy McVeigh and the Unabomber were white Americans. The Chechen terrorists who blew up two Russian planes in 2004 were female. Focusing on a profile increases the risk that TSA agents will miss those who don't match it.

Third, wolves can't deliberately try to evade the profile. A wolf in sheep’s clothing is just a story, but humans are smart and adaptable enough to put the concept into practice. Once the TSA establishes a profile, terrorists will take steps to avoid it. The Chechens deliberately chose female suicide bombers because Russian security was less thorough with women. Al Qaeda has tried to recruit non-Muslims. And terrorists have given bombs to innocent -- and innocent-looking -- travelers. Randomized secondary screening is more effective, especially since the goal isn't to catch every plot but to create enough uncertainty that terrorists don’t even try.

And fourth, sheep don't care if they offend innocent wolves; the two species are never going to be friends. At airports, though, there is an enormous social and political cost to the millions of false alarms. Beyond the societal harms of deliberately harassing a minority group, singling out Muslims alienates the very people who are in the best position to discover and alert authorities about Muslim plots before the terrorists even get to the airport. This alone is reason enough not to profile.

I too am incensed -- but not surprised -- when the TSA singles out four-year old girls, children with cerebral palsy, pretty women, the elderly, and wheelchair users for humiliation, abuse, and sometimes theft. Any bureaucracy that processes 630 million people per year will generate stories like this. When people propose profiling, they are really asking for a security system that can apply judgment. Unfortunately, that's really hard. Rules are easier to explain and train. Zero tolerance is easier to justify and defend. Judgment requires better-educated, more expert, and much-higher-paid screeners. And the personal career risks to a TSA agent of being wrong when exercising judgment far outweigh any benefits from being sensible.

The proper reaction to screening horror stories isn't to subject only "those people" to it; it's to subject no one to it. (Can anyone even explain what hypothetical terrorist plot could successfully evade normal security, but would be discovered during secondary screening?) Invasive TSA screening is nothing more than security theater. It doesn't make us safer, and it's not worth the cost. Even more strongly, security isn't our society's only value. Do we really want the full power of government to act out our stereotypes and prejudices? Have we Americans ever done something like this and not been ashamed later? This is what we have a Constitution for: to help us live up to our values and not down to our fears.

This essay previously appeared on Forbes.com and Sam Harris's blog.

Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. And a review.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

MobileScope looks like a great tool for monitoring and controlling what information third parties get from your smart phone apps:

We built MobileScope as a proof-of-concept tool that automates much of what we were doing manually; monitoring mobile devices for surprising traffic and highlighting potentially privacy-revealing flows

[...]

Unlike PCs, we have little control over the underlying privacy and security features of our mobile devices. They come pre-installed with locked-down operating systems that often restrict their owners from exercising meaningful control unless they're willing to void their warranty and jailbreak the device.

Our current plans are to release MobileScope in the coming weeks and allow interested consumers, developers, regulators, and press to see what information their mobile devices can transmit.

Funny.

All RuggedCom equipment comes with a built-in backdoor:

The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, "factory," that was assigned by the vendor and can't be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device.

This seems like a really bad idea.

No word from the company about whether they're going to replace customer units.

EDITED TO ADD (5/11): RuggedCom's response.

We don't know much, but here are my predictions:

1. There's a lot more hyperbole to this story than reality.
2. The explosive would have either 1) been caught by pre-9/11 security, or 2) not been caught by post-9/11 security.
3. Nonetheless, it will be used to justify more invasive airport security.

This is a ridiculous overreaction:

The police bomb squad was called to 2 World Financial Center in lower Manhattan at midday when a security guard reported a package that seemed suspicious. Brookfield Properties, which runs the property, ordered an evacuation as a precaution.

That's the entire building, a 44-story, 2.5-million-square-foot office building. And why?

The bomb squad determined the package was a fake explosive that looked like a 1940s-style pineapple grenade. It was mounted on a plaque that said "Complaint department: Take a number," with a number attached to the pin.

It was addressed to someone at one of the financial institutions housed there and discovered by someone in the mail room.

If the grenade had been real, it could have destroyed -- what? -- a room. Of course, there's no downside to Brookfield Properties overreacting.

With all the talk about airborne drones like the Predator, it's easy to forget that drones can be in the water as well. Meet the Common Unmanned Surface Vessel (CUSV):

The boat -- painted in Navy gray and with a striking resemblance to a PT boat -- is 39 feet long and can reach a top speed of 28 knots. Using a modified version of the unmanned Shadow surveillance aircraft technology that logged 700,000 hours of duty in the Middle East, the boat can be controlled remotely from 10 to 12 miles away from a command station on land, at sea or in the air, Haslett said.

Farther out, it can be switched to a satellite control system, which Textron said could expand its range to 1,200 miles. The boat could be launched from virtually any large Navy vessel.

[...]

Using diesel fuel, the boat could operate for up to 72 hours without refueling, depending upon its traveling speed and the weight of equipment being carried, said Stanley DeGeus, senior business development director for AAI's advanced systems. The fuel supply could be extended for up to a week on slow-moving reconnaissance missions, he said.

Neat.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

This vendor is selling a tampon-shaped USB drive. Although it's less secure now that there are blog posts about it.

I suppose this sort of thing might be useful someday.

In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there would be no way of linking an avatar username to a human user.

Yampolskiy and colleagues have developed facial recognition techniques specifically tailored to avatars, since current algorithms only work on humans. "Not all avatars are human looking, and even with those that are humanoid there is a huge diversity of colour," Yampolskiy says, so his software uses those colours to improve avatar recognition.

I've often written about the base rate fallacy and how it makes tests for rare events -- like airplane terrorists -- useless because the false positives vastly outnumber the real positives. This essay uses that argument to demonstrate why the TSA's FAST program is useless:

First, predictive software of this kind is undermined by a simple statistical problem known as the false-positive paradox. Any system designed to spot terrorists before they commit an act of terrorism is, necessarily, looking for a needle in a haystack. As the adage would suggest, it turns out that this is an incredibly difficult thing to do. Here is why: let's assume for a moment that 1 in 1,000,000 people is a terrorist about to commit a crime. Terrorists are actually probably much much more rare, or we would have a whole lot more acts of terrorism, given the daily throughput of the global transportation system. Now lets imagine the FAST algorithm correctly classifies 99.99 percent of observations -- an incredibly high rate of accuracy for any big data-based predictive model. Even with this unbelievable level of accuracy, the system would still falsely accuse 99 people of being terrorists for every one terrorist it finds. Given that none of these people would have actually committed a terrorist act yet distinguishing the innocent false positives from the guilty might be a non-trivial, and invasive task.

Of course FAST has nowhere near a 99.99 percent accuracy rate. I imagine much of the work being done here is classified, but a writeup in Nature reported that the first round of field tests had a 70 percent accuracy rate. From the available material it is difficult to determine exactly what this number means. There are a couple of ways to interpret this, since both the write-up and the DHS documentation (all pdfs) are unclear. This might mean that the current iteration of FAST correctly classifies 70 percent of people it observes -- which would produce false positives at an abysmal rate, given the rarity of terrorists in the population. The other way of interpreting this reported result is that FAST will call a terrorist a terrorist 70 percent of the time. This second option tells us nothing about the rate of false positives, but it would likely be quite high. In either case, it is likely that the false-positive paradox would be in full force for FAST, ensuring that any real terrorists identified are lost in a sea of falsely accused innocents.

It's that final sentence in the first quoted paragraph that really points to how bad this idea is. If FAST determines you are guilty of a crime you have not yet committed, how do you exonerate yourself?

The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie.

Several weeks later, after laborious efforts to crack a password and software to make the file almost invisible, German investigators discovered encoded inside the actual video a treasure trove of intelligence -- more than 100 al Qaeda documents that included an inside track on some of the terror group's most audacious plots and a road map for future operations.