Schneier on Security

This just in: Authorities warn the public that buying soda may trigger a bomb.

It may have been possible for a bomb to be wired to the following systems, so the public is warned never to use them:

Soda machines, Red Box movie rental systems, parking meters, pay phones, and doorbells.

Did anyone ever think "Maybe the random phone guy will call back before I am far enough away from the bomb?" I would be sure to call someone on vacation that isn't going to return the call for a while.

As a "Terorist who had intentions to survive the explosion" I would not like to do this.

The random person I called might call back just as I finish wiring my phone in and befor/as I have the chance to place it.

A person who has no intention of surviving the blast would not bother with this...

So it's a bit of a silly idea one way or another.

@Clive and Joseph

I agree the "threat" is rediculous. But as a counter-measure to being blown up by an early call back a terrorist could install an "arming delay" on the device so it won't be armed until X minutes. Thus if the call came in prematurely, it wouldn't trigger until X minutes were up.

Or...he could just call his innocent person AFTER the phone is in place and AFTER he is clear of the device. All he'd have to do is spoof the caller ID. From what I've read....it's not that hard.

Sorry, I don't understand why this is a movie-plot threat. The government is tracking cell phone calls in an effort to catch the people who trigger bombs using cell phones -- we agree that bombs do go off this way, correct?

Now they're concerned that the trackback system will be compromised -- I'd say it's a given becaue of the scenario mentioned. Essentially, the police are asking people not to call back numbers they don't recognize, with the caveat that they will interrogate people whose calls trigger bombs.

Reminder to non-telephony folks: caller ID's can be forged.

I won't argue about whether the measure will be effective or not. Can it be circumvented? Are the Thai police stripping anonymity from cell phone purchases? And a hundred other question. But the bottom line is that calls trigger bombs, and they're trying to prevent explosions.

@Phillip:
At that rate you might as well just use your timer as the trigger. Keep it simple.

What I want to know is why someone would BOTHER to use a cell phone to trigger a bomb. What's the point? If you can't trust your suiciders to blow themselves up, what makes you think they're going to:
A: carry the bomb
B: go to the right place

If you want to drop a bomb to explode later, why not use a timer? Cheaper, simpler, just as likely to get caught, and you don't risk leaving a paper trail.

And so the next thought process to make its way into the vacuous skulls of lawmakers:

"omg! omg! Timers aren't traceable like cellphones! AHH! We must outlaw timers!!"

I agree with Moshe, I don't see why this is implausible. Bombers in Iraq already use various types of cell-phone triggers. This just seems like another variant on that. I don't know if it's possible to block cell calls from everybody but a whitelist of trusted sources but this might circumvent that nicely, especially combined with the easily forged caller-id system. Also if you do it enough, you weaken the trust the police (and juries) have in tracking cell triggered bombs.

This is classic.

The government institutes a huge, draconian registration program, which inconveniences a great many people and badly hurts anonymity, in the name of fighting terrorism.

Two weeks later, the government says, "remember that registration thing, and how it was supposed to cut back on terrorism? Well, there's a really easy way to get around it. Please try not to cooperate with this really easy way."

Why bother with effective security measures when highly-visible ones are so easy?

Definately plausible. All you have to do is clone a SIM card.

This seems like a non-issue to me. The reason? The terrorists have no reason what so ever to use this method.

If the intention is to simply blow up the bomb they might as well use a timer that can’t be traced and is less likely malfunction. There is little need to use a phone to call.

If the intention is to time and coordinate this system doesn’t work, as they have no way to be sure when/where/if the bombs are actually detonated.

If the intention is to confuse the authorities about the source of the attack there are far more effective methods.

In the end, there is probably another reason for this “security measure�.

However, what I first thought was that the terrorists were going to use the lack of a call to mobile phone to trigger a bomb. This gives more interesting effects, such as planting a bomb somewhere well hidden and having it detonate after the terrorist is arrested.

"Now they're concerned that the trackback system will be compromised -- I'd say it's a given becaue of the scenario mentioned. Essentially, the police are asking people not to call back numbers they don't recognize, with the caveat that they will interrogate people whose calls trigger bombs."

I think the odds your callback triggering a bomb, and therefor your odds of being interrogated, are so close to zero as not to make any difference, so that's not really a consideration.

However, I do think that this "security measure" will have exactly zero effect on terrorism in Thailand. It's a movie-plot threat because it tries to predict the minor details of a terrorist plot, rather than focus on the broad threat of terrorism.

after cellphones and timers are outlawed, the next frontier will be retro alarm clocks. when the alarm goes off, the little "wind alarm" key on the back of the clock turns around. just tie a string from this key to your bomb trigger. when alarm clocks are outlawed, only outlaws will get to work on time.

I agree with Bruce. This is ridiculous. There are already so many other ways of calling a mobile phone untraceably that are considerably more reliable (buy a pay-as-you go phone, or one on a stolen credit card, call the phone from a phone box) and can still finger someone else for the crime (steal someone's cellphone).

It's like Bruce is always saying: you've got to consider the cost vs benefit. In this case they're suggesting that the whole country not return unanswered calls on the minute chance that some villan might be dumb enough to use this technique rather than the other, superior ones open to him.

It's just not worth it. This is the thing: most of these movie-plot scenarios *could* possibly work, but that doesn't mean that we should act on them, as anybody with half a brain could come up with *hundreds* of them. We can't act on them all, we should only act on those whose cost/benefit ratio seems worth it.

Terrorists already have a very good, cheap, reliable way to trigger a bomb. They call it man.

No movie plot, but a book plot:

http://www.amazon.co.uk/exec/obidos/ASIN/0752827715/qid=1133288692/sr=8-3/ref=pd_ka_3/026-5032871-8097214

http://globalguerrillas.typepad.com/globalguerrillas/2005/11/journal_importe.html

Bombs in Thailand were detonated using cellphone and it's likly those terrorists will get more sophisticated.

@Tim

Well put. Just want to say I second your opinion.

Let me get this straight. The "terrorist" calls, I answer, they hang up. Why would I call back? I'd assume it was a wrong number and go on with life.

Really, if they wanted to exploit this as a trigger mechanism, they would hardly need the involvement of random individuals. Simply go buy 2 pre-paid phones, strap one to the device and call it from the other. Or steal 2 phones.

Although it could prove interesting under this "plan" if instead of Joe Random the calls that triggered the bombs came from political aids. It shouldn't be too hard to find the cel numbers of some low-level government officials.

Yes, bombs can be triggered via cell phones, but I can't see any other way to combat against it than turning the whole network down (or alternatively have the general public on a separate cluster and shut that down instead).

However, in an emergency, it can be argued that the good guys will benefit more if the network is up rather than down.

If someone's going to use cell phones as bomb triggers it would seem stupid to me not to rig it with secondary means of triggering it just in case the primary means go down (a timer perhaps? how about a motion detector to make it go off if anyone approaches it? or monitoring certain freqs for whatever RF?).

The possibilities are endless and it's impossible trying to defend against everything imaginable.

So let em get this straight. I am a terrorist who has risked life and limb to build a bomb, and has plotted for months to do so. I have selected a location to bomb, designed to get a maximum kill rate, thus earning high credibility for my cell. I have designed a sophisiticated trigger system based on the decision of a random person to return (or not) my random call at a time completely out of my control. Assuming the police don't find the package first, what guarantee do I have the return call won't come in at 4:00 a.m., effectively killing a hotel lobby and a stray dog? I would be the laughing stock of the terrorist world.

Those who point out that this is feasible are missing the point entirely. The real question is, "Would this advance the goals of the terrorists?". If it doesn't advance their cause, they are not likely to spend their time doing it.

Stupid. Let's say I'm a terrorist. I build a bomb and hook it up to a cell phone. I grab my personal cell phone and call my friend who could be anywhere. I tell him to find a payphone and call back the bomb number. But this has made me think. What if the cell phone companies agree to randomly call every cell phone at the same time? Just one ring then hang up. I'm sure the cell phone company could spoof any random number they want. Once the bomb triggering device becomes unreliable then it won't be used anymore.

Why is this a movie-plot threat? The idea that you should not call back when you get a call from an unknown number is stupid, of course, but in general, I'd view this more as an interesting way to "work the system" - a reason why increased surveillance and data accumulation will not actually make us safer (but rather lead to terrorists etc. coming up with new tricks again).

The worst part of all of these solutions to non-problems is that they blur the line between normal and stark raving lunacy. When people who are supposed to be in a position of authority are acting like this, the conspiracy theories start looking a lot more realistic.

The whole anti-terrorism frenzy reminds me of the movie "Brazil". We're spending a lot of time and money on creating larger government bureaocracies for everything. I wonder how long it will be before we start having things blow up - not from terrorists, but from disrepair and ignoring the most obvious maintenance due to everyone being sent off on fear driven tangents.

Every actual event generates a thousand ideas of what might happen that need to be defended against. If generating fear is the goal, the current system has a very good return on investment. Unfortunately, that's our opponents' goal.

"The worst part of all of these solutions to non-problems is that they blur the line between normal and stark raving lunacy."

Amen.

This is absurd. The point of using a cell phone as a trigger is to be able to detonate the bomb remotely and on demand as opposed to a pre-programmed time. (such as when you deem the crowd has reached the right size, there are many cars on the street, etc.)
If you are going to leave the timing to a total stranger, you might as well use an alarm clock and set the alarm randomly.

Sounds just the slightest bit risky, not knowing whether the call will be returned before you've got clear, or maybe never...

Hmm... there is another angle...

From the point of view of the anonymous callee, if I believed in this threat I think I'd try to be sure to be ready to call back as quickly as possible...

It's a stupid threat because you don't know when the bomb will go off. It is extremely rare that just having the bomb go off is okay without any regard to timing. Obviously, to place the call from the cell phone, the bomber and bomb must be very close, and if someone where to ring the phone, they'd kill the bomber. As said before, a timer is easier, cheaper and safer for the bomber.

Second, cell phones are easily stolen, and most can be activiated without much identity info.

And why wouldn't the bomber just call the phone using either a stolen phone or a public pay phone?

Problem:
How to trigger an explosive device.

Solutions:
* Mechanical on device (e.g., clocks, tamper triggers, fuses, etc.) - advantages of simplicity, disadvantages of granular control.
* Electromagnetic (e.g. radios, cell phones, 802.11a/b/g, bluetooth devices, microwave, etc.) - advantages of granular control, disadvantages of complexity.

Problem:
How to prevent a terrorist from setting off an explosive device

Solutions:
* Halt all access to bomb making materials
* Halt all access to potential targets
* Halt all access to trigger devices

No implementable solutions.

New Problem:
How to impair the ability of a terrorist to set off an explosive device

Solutions:
* Limit access to all bomb making materials
* Limit access to all potential targets
* Limit access to all trigger devices

All solutions present the same difficulties, namely:

* Limiting access requires authentication/authorization processes that are resource intensive.
* Limiting access requires full coverage for each class of limitation (it does little good to severely limit one set of chemicals that can be used to create an explosive if other, unlimited chemicals, can produce a suitable replacement explosive).
* Without full coverage of the class, you are implementing authentication/authorization processes that are expensive and simultaneously of limited value.

Assuming, for example, that it would be technically feasible to remove "cell phones" from the list of possible trigger devices, people who want to trigger an explosive device will simply find another trigger. There are 7 examples at the beginning of this post that represent a fraction of the possible ways to trigger an explosive device.

tangent ->

I agree with Michael Ash's sentiment above... what this article is really telling us is not "here's another threat!", but "our so-called solution to a threat stinks!"

@ Mike Sherwood
Quote "The worst part of all of these solutions to non-problems is that they blur the line between normal and stark raving lunacy."

This non-problem has killed about 1000 people to date chump.

The reason you get to dismiss other people's security measures out of hand is that you aren't concerned by addressing the security problem. If nothing at all was done by the Thai police this would be fine by you because you were not aware there was a problem in the first place and don't care if there is.

Just like how much I care if there are locks on the doors of you home. I don't.

The Thai police on the other hand do have a security problem to address and unlike you they are dealing with what they know about the attacks carried out to date.

If the only input people like you and the author of this blog have is "ID cards won't help" you really are only pretending to be involved in evaluating security measures and are of absolutely no use to anybody.

If they want to make cell phones bad candidates for bomb triggers, I like jammit's idea for the phone companies to randomly call all phones in their coverage. Doesn't have to be simultaneous, just as long as each phone gets called at a random time of day/night, at least once (or more) a day.

Then there's just the problem of someone gaining access to the procedure/algorithm for these "random" calls, and timing their attack between calls.

I'm curious how the police identify who placed the triggering call, though... is it possible to ensure the bomb renders the triggering cell/sim unidentifiable? Then there's just the time of call to go by, which is pretty circumstantial.

@ Tank

> This non-problem has killed about 1000 people to date chump.

Which "non-problem"? The inability to prevent remotely triggered explosive devices from being deployed? Or the ability to use cell phones to trigger such a device?

The train of logic you're implying here is: bombs have killed 1,000 people. These bombs were triggered with cell phones. Ergo, eliminating cell phones as a possible trigger device would have prevented those 1,000 deaths.

That's absurd on the face of it.

> The reason you get to dismiss other people's security measures out of hand
> is that you aren't concerned by addressing the security problem.

Define the security problem, and the solution becomes self-evident. In this particular case, the security problem's definition (IMHO) is pretty well stated in my earlier post -> Posted by: Pat Cahalan at November 29, 2005 06:41 PM

The problem is that there is *no* solution. If you spend resources limiting cell phone use as triggers, the only result is that terrorists will migrate to a different trigger device. This doesn't impede terrorists at all, it just limits our ability to use cell phones, or it wastes colossal amounts of resources implementing curbs on *one possible* trigger mechanism. These wasted resources would be better spent on virtually *anything*.

> If the only input people like you and the author of this blog have is "ID cards won't help"
> you really are only pretending to be involved in evaluating security measures and are
> of absolutely no use to anybody.

As opposed to the implementers of the Thai phone registry, who wasted money implementing a program to limit one trigger device, a program which is easily circumventable?

You may or may not be correct that my input (at least) has no value. However, my "no-value" input doesn't waste resources, so it's certainly of greater value than those who design silly nationwide cell phone registries.

@ Troy

> If they want to make cell phones bad candidates for bomb triggers, I like jammit's idea
> for the phone companies to randomly call all phones in their coverage. Doesn't have to
> be simultaneous, just as long as each phone gets called at a random time of day/night, at least once (or more) a day.

A single ring won't do it, you could rig the trigger to go off on the second or third (or N for whatever value of N you want) ring.

After three or four incidences of having my phone ring at 3:45 in the morning, I'd cancel my service.

Of course, so would a great many cell phone users, I'd imagine. Now all legitimate users of cell phones have dropped the service due to annoyances, so all the remaining cell phone users must be terrorists. Maybe it's not such a bad idea after all :)

Wondering since when a labor minister considered to be an anti-terrorist expert.

Yet returning missed calls from unknown numbers is actually a dumb idea anyway, besides those "terrorism" rubbish :)

While I agree this does in fact sound like a bad 80's movie, when you think about it some, its really not a bad idea and it is pretty clever. I mean, you have a couple factors to deal with here:

1) not everyone calls back numbers anyways, and even if they do, you cannot determine when they will. This could be countered easily by just increasing the number of people called, the more people called, the higher the chance of someone calling back/the higher the chance of someone calling back soon.

2.) Some people will answer the phone. This is good for them, simply start to say something important then hangup and wait for them to callback.

3.) In regards to everyone commenting on the inability of the person to stay alive. This is a foolish premise. In addition to ani's being easily spoofed, you then open up holes like 'call forwarding'. I know call forwarding was used quite a bit previously to avoid being traced, and I'd be surprised to find out it isn't still used a lot.

and finally

4.) I think this is them being paranoid, however they are also trying to stay one step ahead of the game- that said, i don't think this is really any safer than just buying two cellphones, attaching one to the bomb and the other to call with from a secluded location, thus even though this is possible, and clever to boot, it wouldn't survive long as there are easier/traditional and most importantly, more effective ways of doing the same thing.

As most people here noticed straight away, the supposed terrorist plan outlined by Sora-at Klinpratum (the Thai minister, hereinafter "SaK") is the work of an idiot. So one might wonder, why does SaK apparently believe it? Maybe, just maybe, the terrorists _are_ idiots* and it is true. But then, even more curiously, why is SaK trying to stop it when it is likely to reduce casualties whilst increasing the chance of a terrorist "own goal"?

Musing about this I chanced on a simple but much cleverer attack scenario which could be thwarted by SaK making this statement. If this speculation is true, then SaK's statement is a white lie designed to foil the plot without revealing the source of information about it. Moreover, the false statement would be effective at thwarting the plot even if everyone ignored it and continued to return missed calls at the same rate as ever.

Of course I am rather reluctant to publish the idea so I can't be sure if it is evilly brilliant or I am just going quietly mad. However the point is, I suppose, that just because someone says something foolish, doesn't mean he's a fool.

____
* It is of course a great danger to underestimate your opponents, and I am sure some members of the pan-Islamist grand coalition are quite clever. But AQ-and-affiliates _tactics_ often seem to me to be surprisingly INflexible at the foot soldier level, and I wouldn't be especially surprised if these devices were being made by some guy slavishly following a xeroxed, dog-eared recipe, and it has simply never occurred to him that there are other ways to do it.

This is not such a ridiculuous statement from the Thai authorities. What they're saying is that just because they find the person who triggered the bomb, and maybe he is a good match for a terrorism profile, this doesn't mean they have a prime suspect.

@jnf:
Maybe this isn't as obvious as I thought; a lot of apparently intelligent people are missing the yawning, jumbo-sized problem in the scheme. The problem isn't that it couldn't work; it could. The problem isn't (just) that it's dangerous to the bomber (although it is). The problem:

> 1) not everyone calls back numbers anyways, and even if they do, you cannot determine when they will.

Yes -- and this is the fundamental problem! The terrorist is using an elaborate, high-tech, forensics-rich solution to get a random initiation time! That's dumb: the point of using a cell phone is to get exact control over the device, right up to initiation. If the terrorist doesn't care when it goes off, he could do it with a parking meter reminder or an alarm clock or a smouldering cigarette or any of a dozen other cheap, simple solutions which additionally give him some time to get clear.

All talk of ANI spoofing etc is a red herring [1]; if they just used a timer they could get the same effect and yet guarantee the phone network would have no record at all.

> This could be countered easily by just increasing the number of people called, the more people called,
> the higher the chance of someone calling back/the higher the chance of someone calling back soon.

That doesn't solve the problem, just shifts it slightly. The distribution function for detonation time is replaced by its "extreme value distribution", a problem well known from reliability theory. Then by making N outgoing calls the terrorist [2]:
* decreases the average detonation time by a factor of N;
* greatly reduces the chance of total failure; but
* increases the odds of an "own goal" by a factor of N times.

> 2.) Some people will answer the phone. This is good for them, simply start to say something important then hangup
> and wait for them to callback.

If the terrorists did that, then with high probability the dupe will either call back immediately or not at all -- the two worst possible results (for the bad guys)!

___
1. ANI spoofing by VOIP by itself is probably _not_ good enough to stop them finding the terrorists; the police can figure which VOIP gateway they came through, then go after their IP logs. But in any case I seriously doubt that these killers are anything remotely like that sophisticated. And it's a red herring, the idea is still dumb even if they manage to perfectly conceal the origin of their call.
2. Assuming N is not extremely large, the call return time is exponentially distributed, and that the time the terrorist takes to get away is at least several times quicker than the average call return time. The second assumption is generally a good approximation. If the first or third assumption is false, the scheme is almost guaranteed to fail every time.

So it becomes patriotic to stop returning phone calls? That's the probable real agenda, somebody wants his boss to quit bugging him with phone calls.

Since other people's cell phones irritate me, how about this bonehead idea? Have the government buy up autodialers to repeatedly call all cell phone numbers around the clock, again and again, so as to trigger bombs prematurely? Sounds good, doesn't it? The newsies would love it -- if it bleeds, it leads. (And people would turn the damn things off, pleasing me to no end.)

"So it becomes patriotic to stop returning phone calls?"

You know, that would improve my quality of life immeasurably.

I'm doing a debate in school that cell phones should be allowed in school, and this is one of my "enemy's" defenses. Any ideas on how to convince others that this wont happen in a school?

me again. just letting everyone know i live in california and its only 9:27 here, not 11:27, so im not up too late:)

whats this red herring you speak of?

Outrageous! The chances of dying from these trigers is 1:1,624,927.000.And all the bomb threats at my school are triggers I bet.

Red herring is something to distract someone from the real issue.