Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


March 14, 2007

Find Out if You're on the "No Fly List"

I'm not. Are you?

Soundex works, generally, by removing vowels from names and then assigning numerical values to the remaining consonants.

This has been the basis for the Computer Assisted Passenger Pre-Screening System (CAPPS) and it is horrendously inadequate and matches far too many names. To see just how poorly Soundex performs, visit nofly.s3.com and type in your name to assess your chances of being on the No Fly or Watch List. This is the only known publicly available site for checking your name against potential terrorist identities and databases. It was developed by S3 Matching Technologies of Austin, Texas. The company's database technicians merged the best known data on terrorists with the Soundex system to create the site.

Posted on March 14, 2007 at 7:51 AM | 59 Comments

Comments

I am

Posted by: Anonymous Coward at March 14, 2007 8:29 AM


I am, too.

Posted by: grrlwonder at March 14, 2007 8:37 AM


One little problem with that list: one of bin laden's aliases doesn't even show up.

Do this:
Go to http://www.fbi.gov/wanted/terrorists/terbinladen.htm

Notice the alias Mujahid Shaykh

Run that one through the "watch list"

It won't come up. Anyone see a problem here or is it just me?

Posted by: Geoff at March 14, 2007 8:38 AM


Two matches highlighted in red.

But this appears to be just a stunt by s3 to promote their own data mining software.

Posted by: Wim Coenen at March 14, 2007 8:44 AM


So to Soundex "George Bush" is a match to "Greg Bisheau"?

Wonderful work there, but I wouldn't trust them with a guest list to a kid's birthday party.

Posted by: Roy at March 14, 2007 8:44 AM


And even funnier is that John Smith is flagged... the most common name in the US or UK. :-)

Posted by: Ledow at March 14, 2007 8:47 AM


I think what you all need to remember is that this doesn't flag you as a terrorist, it just flags names that could possibly be from a country that could imply you need to be screened.

Posted by: Tobias at March 14, 2007 8:47 AM


And all of you that just ran your name... you are now on the list.

Posted by: No Fly List at March 14, 2007 8:49 AM


2 for 2

http://www.fbi.gov/wanted/terrorists/teralzawahiri.htm

Abdel Muaz
Abu Muhammad
Abu Fatima
Abu al-Mu'iz

Posted by: Geoff at March 14, 2007 8:53 AM


After a misleading headline, their description states this is a "demonstration" of how the No Fly list works. The fine print even states they obtained the names used in this list from published sources (not "the" No Fly List).

They are trying to sell an improved Soundex-like algorithm, of which there are many.

Posted by: Roenigk at March 14, 2007 8:55 AM


I believe Bruce fell for a hoax.

Posted by: Johns at March 14, 2007 8:56 AM


Soundex? Removing vowels and assigning number values? You mean gematria?

Posted by: Joshua at March 14, 2007 9:09 AM


I am

Posted by: Anonymous at March 14, 2007 9:14 AM


@Geoff:
Why should UBL be on it? The FBI doesn't want him for 9/11... :->

Posted by: Martin Schröder at March 14, 2007 9:15 AM


I'm trying to find this fine print that others are mentioning, but I haven't found it yet. What I have found is:

"The results generated in this demonstration are a product of a compilation of the best available data regarding suspected and known terrorists"
[Ed: I'd suspect that fbi.gov's info "should" be in there]
...
"Publicly available terrorist names from various reliable government and non-governmental sources were merged to create a comprehensive list."
...
"Like the federal government's, this list of terrorists, integrated into the Soundex software believed to be used by the TSA, is constantly updated"


From what I gather from the above it means the db is live, but they're querying it with the "Soundex" method to prove what a joke it is in order to play up their own offering (TeraMatch). However, the db (from what I'm reading in those quotes) is indeed a live db.

Posted by: Geoff at March 14, 2007 9:21 AM


Traditional Moslem names, as in the kind that someone who's angry with the West would maintain, aren't constructed in the typical western firstname-lastname pattern. Someone born in Persia, Magrib, Arabia or Hindustan (they don't like our country names either) may have seven names, several of which would commonly be used, either alone or in combination, to identify them. Compound this with the fact that there is no single recognized method for transliterating Arabic into English. Then consider that sneaky people sometimes have aliases.

By the time you enter a first name and last name of a Moslem terrorist into this system, you're as likely to get a match as if you entered random characters.

I wish John was right about this being a hoax, but I fear he's not. We're 18 days early for April Fools' Day.

Posted by: Stephan Samuel at March 14, 2007 9:32 AM


I don't understand the list. Why all the names not shown in red? Richard Cheney. Richard is red, Cheney is not. Why bother to show Cheney then?

Interestingly my first and last names are red. My first, Stephen, is covered by multiple red lines for variations. My middle Neal is red. My last is red. I guess that doesn't bode well for me should I ever fly. Haven't yet at 42 though so....

Well, off to Google my name and variations of terror and the like to see if I can find someone close in name.

Posted by: Neal at March 14, 2007 9:34 AM


When I wrote the Lingua::EN::MatchNames Perl module, I used Soundex as a last desperate attempt to match names, with an incredibly low confidence level. I found the Metaphone algorithm to be far, far more accurate.

Soundex sucks.

Posted by: Brianary at March 14, 2007 9:34 AM


@Wim Coenen:
@Roenigk:

"...the federal government is using an algorithmic software product known as Soundex to search databases for potential terrorists."

"TeraMatch® matched with 96% accuracy compared to Soundex's 15%. Importantly, TeraMatch® only matched 4% false positives-innocent people incorrectly identified-to Soundex's 85%."

Are they trying to sell their software? Yes, but they have a very good point about the Feds using perhaps the stupidest approach available to implement their matching algorithm.

Posted by: Brianary at March 14, 2007 9:47 AM


Nice... especially since people typing their names in also expose their IP address to the name they are searching.

Do the math.

Israel Torres

Posted by: Israel Torres at March 14, 2007 10:27 AM


Let's say your surname is Laden, and your first name is Osama Bin. That's right, you're not on the list!
If you have a non-European name, moving your surname around shouldn't be that hard.

Posted by: Proops at March 14, 2007 10:37 AM


I call shenanigans! It looks like that system matches first names to 'suspected' first names, and last names to 'suspected' last names, but doesn't compare the first/last pair to a list of 'suspected' first/last pairs. So "John Anything" compares to, wow, quite a few... So does "anon ymous".

Posted by: wiredog at March 14, 2007 10:42 AM


@Johns,

> I believe Bruce fell for a hoax.

The preeminent security guru of our time? One of the leading lights on the internet? SURELY NOT.

Posted by: Anonymous at March 14, 2007 11:09 AM


The list is obviously broken. Osama bin Laden is on it, but so are Bob Dole, George Bush, and Al Gore.

It's a fun demonstration of Soundex, but that's all.

Posted by: Michael Ash at March 14, 2007 11:19 AM


Only the most common names appear to be on the list.
So Maria, Mary etc are in nofly first names. Too bad if the last name also happens to be Smith or Lopez if the real database would be that plain ...

Posted by: a. at March 14, 2007 11:28 AM


even "anonymous coward" is on the list :D

so half of /. posters won't ever be flying again....

Posted by: anonymous coward at March 14, 2007 11:39 AM


I'm suspicious of this story; it looks like PR for a company that's trying to get the feds to buy their software. They claim, for example, that my name is a match, and I fly frequently enough to know that I'm not on the list (since I don't get hassled). They also claim to have a proprietary algorithm that will do better matching.

On the other hand, on one trip my daughter (6 years old at the time) was "randomly" selected for special screening on three out of four flights.

Posted by: Joe Buck at March 14, 2007 11:46 AM


Every day I drive by the Minneapolis/St. Paul International Airport, and every day the lighted sign beside the highway informs me that the terrorism alert level is "Orange."

Posted by: Albatross at March 14, 2007 11:48 AM


You people are missing the point. The purpose of any of these algorithms is to bring back more hits than an exact match search would find. A human must then examine the results to determine if any of the names matched are the one being searched for. The point here is that s3 has a database that contains names that would be expected to be on the no-fly list. If you find your name among the possible matches, you may want to have alternate travel plans ready. It might be a good idea to jump on an open WiFi for this particular site.

Posted by: Annie Nomous at March 14, 2007 12:03 PM


Okay, I know comedy can be a weapon, but why is Jon Stewart on there? Why???!

Funny how their software doesn't pick up Saddam Hussein. I guess he's not much of a threat any more. Kind of surprising though. I assumed once they had a name on there, that person was considered suspicious and so a threat for life. Not like you can unsubscribe from the no-fly list via email...

Posted by: Sammy The Surfer at March 14, 2007 12:20 PM


Heh, I meant for the life of the database, not the person. I doubt they go through death records and remove deceased individuals who were previously threats.

Posted by: Sammy The Surfer at March 14, 2007 12:31 PM


The following names are highlighted in red, the color of terror:

John Doe
John Smith
Richard Simmons
James Kirk
George Bush

no real surprises there. Surprises are in some of the names who aren't on the list:

Boris Badenov
Dick Cheney
Peyton Manning

Posted by: Buzz at March 14, 2007 12:55 PM


I am, of course. With two exceedingly popular names, I was bound to end up on it.

Posted by: Mark J. at March 14, 2007 1:02 PM


Actually when referring to myself, "popular" is the wrong word. "Common" fits better. ;-)

Posted by: Mark J. at March 14, 2007 1:03 PM


It's a little disturbing that Jesus Christ and Mahatma Gandhi would get caught as baddies, but Adolf Hitler is free and clear.

Posted by: MJ at March 14, 2007 1:51 PM


I think I might be safe since my exact match didn't occur, though my first name wasn't in the list I had several near matches, including my surname one vowel different (Johnsen/Johnson). I guess that qualifies for a second screening.

Posted by: Skippern at March 14, 2007 1:52 PM


FWIW, 'George Bush' generates more matches than 'Osama Bin Laden'.

Posted by: tim finin at March 14, 2007 2:02 PM


@ Annie Nomous

You're going to hop on open wifi to use this site, but then put in your real name? Doesn't seem so helpful.

Posted by: Michael Ash at March 14, 2007 2:08 PM


Well, 'Israel Torres' is on the list. Now you appear to be at my IP address.
When the FBI agent shows up, I'll send him (and his National Security Letter hand-written on the back of an envelope) to schneier.com to get the real IP address...

Interestingly, the names:
Ben Kenobi, Luke Skywalker and Han Solo also return hits on the list.

Some of this data must be left over from a long time ago, stored on a server far far away...

Posted by: TED Vinson at March 14, 2007 2:24 PM


Oh dear, multiple matches under various abbreviations and misspellings as well as an exact match.

Looks like I best turn myself in :-)

Posted by: Geoff Lane at March 14, 2007 2:34 PM


Fabulous. My name is "Frier." It matched "Ferrari" and "Furrow..." but not "Fryer."

Posted by: David at March 14, 2007 2:39 PM


That one director of poor films, Alan Smithee is on it too!

Also, Nancy Pelosi gets red flagged, but Vladimir Putin doesn't.

Posted by: Cowardly Lion at March 14, 2007 3:02 PM


Both "Josef Dzhugashvili" and "Josef Stalin" get a pass. Well, to their credit, he IS dead.

Posted by: Roy at March 14, 2007 5:00 PM


@Geoff
Mujahid Shaykh isn't what you think it is. I suspect it's more a title than a proper name.

"Shaykh" means "Islamic scholar" -- http://en.wikipedia.org/wiki/Sheikh

"Mujahid" is the singular form of "Mujahideen"
http://en.wikipedia.org/wiki/Mujahideen

That, and if you search for only the last name "Mujahid" it appears. Some (many) cultures address themselves with their surnames preceding their given names.

Posted by: Jim at March 14, 2007 5:18 PM


Bruce said:
> I'm not. Are you?

You weren't until you typed your name into a form on that website anyway. =)

Posted by: wjl at March 14, 2007 5:43 PM


Wait, this is a security threat. Someone could type in names to find the ones he can use in order to fly. Someone tell the FBI/CIA or whatever.

Posted by: Adam at March 14, 2007 5:54 PM


Fortunately we're safe:

From the article "Publicly available terrorist names from various reliable government and non-governmental sources were merged to create a comprehensive list."

The no-fly list clearly doesn't use reliable data sources, so the data there is unlikely to match the real no-fly list.

Which is just as well, since my name is apparently similar enough to "Marzouk Sammour" to cause suspicion.

Posted by: Anonymous at March 14, 2007 6:29 PM


This is the most ridiculous thing I've ever seen. Unless I am totally missing the point, you type in "mike", and it highlights these 5 first names "MAS MAX MOUSA MUGIKA MUSA" -- REGARDLESS of what last name I type in.

We are looking for suspicious people, not suspicious first names and suspicious last names. Searching makes no sense whatsoever unless you search for the first and last name in the same record. ?!

Posted by: Mike 32 at March 14, 2007 7:06 PM
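An added example (not from the post, the commenters or S3) of the Soundex coding quoted in the post and of the per-column matching that wiredog and Mike 32 describe, set beside a record-level comparison. It implements standard American Soundex; the list entries and function names are constructed for illustration, and nothing here is known to reflect the demo site's actual code.

```python
"""Soundex codes and two ways of screening a name against a list."""

# Letter -> digit table of American Soundex; vowels, H, W and Y get no digit.
CODES = {c: d for d, group in {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT",
                               "4": "L", "5": "MN", "6": "R"}.items()
         for c in group}

# Constructed sample entries (first, last); not taken from any real list.
WATCHLIST = [("Greg", "Bisheau"), ("Todd", "Johnsen"), ("Mark", "Ferrari")]


def soundex(name):
    """Return the 4-character code: first letter plus up to three digits."""
    letters = [c for c in name.upper() if "A" <= c <= "Z"]
    if not letters:
        return ""
    code, prev = letters[0], CODES.get(letters[0], "")
    for c in letters[1:]:
        digit = CODES.get(c, "")
        if digit and digit != prev:
            code += digit
        if c not in "HW":  # H and W do not break a run of equal digits
            prev = digit
    return (code + "000")[:4]


def column_hits(first, last, entries=WATCHLIST):
    """Per-column matching as the commenters describe: each name is
    compared with every listed name in its own column, ignoring pairing."""
    f, l = soundex(first), soundex(last)
    return ([e[0] for e in entries if soundex(e[0]) == f],
            [e[1] for e in entries if soundex(e[1]) == l])


def record_hits(first, last, entries=WATCHLIST):
    """Record-level matching: both names must sound like the same entry."""
    key = (soundex(first), soundex(last))
    return [e for e in entries if (soundex(e[0]), soundex(e[1])) == key]


if __name__ == "__main__":
    for first, last in [("George", "Bush"), ("Greg", "Frier"),
                        ("Mark", "Kennedy")]:
        print(first, last, soundex(first), soundex(last),
              column_hits(first, last), record_hits(first, last))
```

"Greg Frier" lights up both columns without sounding like any single entry, while "George Bush" still collides with one whole record, so pairing the fields removes only part of the false positives.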


We need a coder in here to run a program against it that runs every combination of letters and makes a table based on "importance". Perhaps a pattern could be found that allows the creation of a name that runs clean, although it seems that random guesses are faring pretty well here.

Posted by: jammit at March 14, 2007 10:48 PM


That algorithm is a joke... my first name (Mark) was fully matched, of course.. but for my second name it highlights one match that has only three letters equal of nine total, and misses two names later in the list that are only one letter away from the real name..

Posted by: Woo at March 15, 2007 4:42 AM


I am not surprised at all that names like "Mickey Mouse", "Jesus Christ", and "James Kirk" appear on such a list -- it is a quite reasonable example of CYA security. How likely is it that someone with honest intentions will claim that he is called "Mickey Mouse"?
And imagine what the media would do with the TSA if there would be any kind of incident in the future involving someone who was able to check in as "Darth Vader" ...

Posted by: Gregor at March 15, 2007 4:54 AM


seems i could be watched, only one of my names is on the list

Posted by: theimp at March 15, 2007 7:44 AM


I entered my real name and even though it's on the list, it didn't highlight it?

Lame.

Posted by: Ronin at March 15, 2007 9:12 AM


Interesting that all but one of S3's management team (http://s3.com/about/team.php) are flagged when run through the toy.

-CMA

Posted by: cmarnold at March 15, 2007 9:50 AM


...as well as all of Great Britain.

Posted by: cmarnold at March 15, 2007 9:53 AM


I put in Ted Kennedy, and Todd Kennett pops up red in both columns, even though Kennedy shows up below Kennett, not in red, and Ted shows up below as well, if you page down a bit. Fantastic matching. It's a wonder anyone is flying. I'm on the list, by the way, but my last name isn't red, whatever that signifies.

Next time you're in the security line, think of how much worse it would be if Richard Reid had concealed his explosives in a more proctological spot. Removing your shoes doesn't seem that bad now, does it?

Posted by: Chuck Emery at March 15, 2007 2:15 PM


I don't think this makes sense at all. All common first names are in red.

Posted by: Pedro at March 16, 2007 5:07 AM


"Ignignokt Mooninite" brings up red flags on first and last names. The Boston PD was right! (Err's still sneaking under the radar - because he's shorter, obviously.)

After that discovery it just devolved into me typing in names of characters and titles of Cartoon Network shows. Oh, Madame Foster, how could you?

Posted by: Archon at March 16, 2007 1:26 PM


MySQL includes a soundex algorithm now. If you have a MySQL database lying around you can use the "where field sounds like 'whatever'". I think by default it gives you more than the usual 4 characters, so you can somewhat control the match accuracy.

Posted by: CR at March 20, 2007 8:12 AM

