Schneier on Security
A blog covering security and security technology.
« NSA's Public Relations Campaign Targets Reporters |
| Fraudulent Amber Alerts »
October 5, 2007
Randomness at Airport Security
Now this seems to be a great idea:
Security officials at Los Angeles International Airport now have a new weapon in their fight against terrorism: complete, baffling randomness. Anxious to thwart future terror attacks in the early stages while plotters are casing the airport, LAX security patrols have begun using a new software program called ARMOR, NEWSWEEK has learned, to make the placement of security checkpoints completely unpredictable. Now all airport security officials have to do is press a button labeled "Randomize," and they can throw a sort of digital cloak of invisibility over where they place the cops' antiterror checkpoints on any given day.
Posted on October 5, 2007 at 6:52 AM
• 34 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
That's interesting. I've got to think about potential applications for information security.
Randomizing the security patrols is worthless, simply because the patrols accomplish nothing good to begin with. They are there to menace the public, to put a mean face (and canine fangs) on authority, and to threaten the people by firepower being in the hands of someone above the law who could at any moment go on a killing spree.
Terrorists planning an attack will understand that the patrols are their friends. By keeping people worried about the guards, guns, and dogs, the patrols distracting them from paying particular attention to fellow passengers who might be acting a little too calm.
The randomization will be apparent only to the people who work there. Anyone passing through -- which would be all of the passengers -- won't notice things are different today than they were yesterday.
"the patrols distracting them from paying particular attention to fellow passengers who might be acting a little too calm."
Define "too calm". I don't pay the least bit of attention to security personnel at airports. Does that deserve scrutiny? Should I be reported for indifference?
"Anyone passing through -- which would be all of the passengers -- won't notice things are different today than they were yesterday."
Don't you think someone trying to circumvent security at a particular location would spend some time observing the security at said location?
This is not new--at least not to people with theoretical computer science background. Using randomization to avoid consistently hitting worst-case scenarios or to reduce the adversary's probability of success to chance is a well-known technique.
"Security officials at Los Angeles International Airport now have a new weapon in their fight against terrorism: complete, baffling randomness."
The program sounds like a good idea. Newsweek's description sounds like TSA's current norms.
>>>"Don't you think someone trying to
>>>circumvent security at a particular location...."
In case you have noticed, ALL of the attacks or attempted attacks did not 'bypass' or 'curcumvent' security, they played by the rules that existed at the time.
I agree with Roy that these overt patrols just scare the public and even more importantly, scare away tourists.
Suggest they should follow the Israeli model, with well trained plane clothed 'undercover' behavioral observers.
I was worried that TSA forked out a ton of money for a glorified call to rand(). Then in the article I was pleasantly surprised that the people behind this software actually probably know what they're doing.
It is either an implicit admission that their other security methods are ineffective, or a smokescreen to conduct some sort of discriminatory profiling.
With random screening, if you check 1% of the travelers you will catch 1% of the terrorists (assuming that each check is effective enough to identify terrorists 100% of the time). Not very good, is it?
However, if you want to do some kind of discriminatory profiling (which could be anything from ethnicity to what websites you visit), "random screening" might be a good cover story for why all these checks are being made, as long as the discrimination isn't obvious and minimal records are kept.
Randomness can really be useful at customs as well.
If I was in charge of US customs, I'd install the "Mexican Traffic Lights", its a really good way to pick out some for additional screening in a "you can't be spoofed, you can't be corrupted" sort of way.
What astounds me is that this is a "problem that's already been solved". And for years, now.
It's taken them, what, 5 years to implement a reasonable and reasoned tactic that that has been talked about in security (and mathematical/logical) circles for some time; with easily available, public, and free (as in beer) discussion and research papers supporting this.
Maybe their line of thinking is: If it's outrageously expensive, it must be good; If it's free, it can't work.
Great work, there, Lou...
This raises an interesting attack vector... If you did want to perform some sort of activity and didn't want the security patrol getting in your way, perhaps you could attack the randomisation program itself - force it to generate some particular route that wouldn't affect your plans. It would look just as random as any other to the guards that would follow it.
If resources are limited, apparently-random deployment can help make them go further: I'm reminded of the "Premises guarded by man-with-shotgun 3 days a week: you guess which!" sign.
Combining this with yesterday's note on the Storm Worm, I wonder if it's hackable?
An interesting and potentially useful tool. But to determine is real effectiveness it should be tested in and setting that is know to statistically have a much higher level of incidents.
e.g. police patrols in a small / medium sized city with documented crime statistics.
What I find appalling about this is that they need a software program to administer this? I would like to know what this software cost the taxpayers. Even with this new program, all a terrorist has to do is is show up each day, and when the area of choice is unprotected, BLAMO. Any credible security director could establish a random pattern deployment on his own. But instead, since the DHS has no real terrorists to fight in the US, they have to do SOMETHING right? So lets throw up a hugh pile of money up in the air and let it fall into the hands of companies that produce useless or privacy invading, 4th amendment violation products. NOW we can feel comfortable depositing our paychecks!. I'm voting for Ron Paul, he will bring the 40 billion dollar DHS scam to an end.
Just be glad the randomness is only currently applied to the checkpoints. It won't be long before it's applied to the detainment and arrest of passengers.
I like this concept. I flew out of London to the USA and almost every white person was checked at the gate while only one Arab person was checked. That's not random at all. Let's make it fair, non-exlusive, and random so we can keep EVERYONE safe and not allow any loop holes.
mpd says "Don't you think someone trying to circumvent security at a particular location would spend some time observing the security at said location?"
Surveillance is so old school when you have the media to do it for you.
digitalcommando says "What I find appalling about this is that they need a software program to administer this?"
Given the pressures on airlines, law enforcement bureaucrats, and airport management, software is probably the only way to achieve truly random patrols. If it were up to TSA, the patrols would hover around checkpoints. If it were up to airlines, the patrols would leave the luggage handlers alone to avoid slowing down flights. If it were up to agency leadership, you'd never see the patrols pass through less-public parts of the airport. If up to airport management, the reverse would be true to improve passenger throughput.
So the only way to take all the 'players' out of the decision system is to use software to hide the fact that the decisions are being made to protect everybody.
From the article "Unconsciously, (security forces) develop predictable patrol behaviors"
Absolutely. The guards learn the easiest routes, which ones have shade as opposed to the sun in their eyes, appear to best cover the areas protected, most convenient to the donut shop, etc. Countering this is a major effort by supervisors and is one difference between going through the motions and decent physical security.
LOL, I can imagine them watching the enterprise engage the Borg using randomly tuned phasers looking for a weakness.
1) do they mean having a larger playbook and quickly & randomly cycling plays. Requires more procedues and training to be that agile, but effective
2) if every agent acts randomly won't that break down the important teamwork and the-whole-is-greater-than-the-some-of-its-parts? How do you implment best practice? That's why I thought of #1 above first. If this only applies to patrols, just be sure the computer isn't directing the patrols to achieve randomness. The attackers will just re-route patrols away from where they are/want to be.
3) this applies equally as well towards testing the security. Who's going to be applying "fuzzing" techniques by sending random inputs to the system? Uniform "normal" (nothing like that ever happens here) input into the process would seem to reduce effectiveness. Continual leaning would seem to have benefits.
Tanuki > If resources are limited, apparently-random deployment can help make them go further
Or *appear* to go further. Let's hope that this isn't used to excuse a further reduction of effective "boots on the ground" in an effort to reduce cost.
In response to the "Mexican traffic light" approach, I would point out that it doesn't work. My family smuggled raw meat into Mexico (kosher meat was unavailable in Cancun) through a random light-controlled customs lane. We approached customs as a family, but the lights apply to just one person. When one person got a red light, that person didn't pick up the bag with the meat; it was carried through when another person got a green light. The same kind of thing happened when my wife had SSSS stamped on her boarding pass for having an expired drivers license - the checkpoint personnel took her bags apart, but didn't touch mine; we would have simply switched bags had it been an issue.
Perhaps the biggest benefit to randomizing screening locations is that it may be difficult to have a single plan for evading them. Unless the randomization occurs on an hourly (not daily or weekly) basis, it can be thwarted by casing the airport the day of the attack and picking one of several (pre-made) plans that takes into account the actual position of the patrols.
Well, if they are going to drag computer science into it, my first question has to be, are they using genuinely random numbers?
I think this is an awesome idea. The squishy part of a security solution is the weakest. By randomizing security, the human security assets are shaken from routine.
I have heard of people who got hit by a train swearing the train wasnt there simply because the last hundred times, their brain was conditioned since there was no train there at the time.
As long as one continues to believe that the Department of Homeland Security is about security for the population of the United States rather than security FROM the population of the United States, little that it does seems rational. With the proper switch in perspective, it's Orwellian logic shines clear and frightening.
On the after right-of-boom side, having "random" responses to bombings to reduce the effectiveness of secondary devices has been discussed in public safety circles since at least the mid-90s.
I put random in quotes as there's only so many ways to vary the actions, and I don't know of any really good, practical implementations (although that type of stuff would be among the most sensitive and least shared).
The textbook example is a situation where the local protocols has the FD respond to bomb threats. Someone may call in a handful of scares to a target building, and watch the FD each time go to the same staging area. So when the real attack takes place, a secondary device are placed where the FD parks every time.
What the FD could do to counter that is have a protocol that some how psuedo randomly chooses different staging areas each time -- may the closest hydrant one time, the 3rd closest another, etc.
As a computer science student I'm happy to hear that the US govnmt spends tons of money on software and algorithms - but couldn't the same effect be created by having the security officers throw a few dice and then pick the patrol positions from a booklet accordingly? The dice results also can't be predicted by a terrorist hacker who might be able to hack into the digital system, or analyze its algorithm and find a flaw in it.
Just because it costs millions, supported by academia, takes years to develop and looks nice doesn't mean its better then the simpler solutions.
It is sensible to do this because the bad guys can't game the system with completely random checks. While most people will profess outrage if the random checks put grandma through a lot of inconvenience, the fact of the matter is that with sufficient time, any other approach can be gamed.
Think you need to only check certain ethnicities? Think again... Richard Reid and the other "white Talibans" who pop up on Jehadi videos now and then. Think only men? Suicide bombers have drawn from the ranks of men and women in Israel.
The only safe assumption is to make no assumption. Totally randomized checks seem to make no assumption. Now, for the sake of completeness... they need to make sure that they use a well regarded random number generator with the right seed, whose stream of random checkpoints is not predictable.
I took it for granted that airport security teams randomized their patrol schedules. I've had several friends work physical security (art museum private security in one case, military policy in another), and each has described how patrols are made to be somewhat variable in terms of route, schedule, etc. Otherwise, attackers can determine a time to attempt breaching that perimeter based on their observation of the patrol.
Now the article is talking about checkpoint placement, which is different than some roving patrol. I'm not sure how well this would work, as I personally prefer a secondary security screening at the gate (much like they do for U.S.-destined flights at the Schiphol Airport in Amsterdam), but if the necessary resources aren't available to implement gate checks, then a randomized distribution is probably the best way to go (and which can be tweaked by weighting more vulnerable or more significant gates or areas).
Regarding the comment about patrols scaring people, I would normally disagree. A visible police presence can be a great deterrent. Unfortunately, a police presence should be balanced by a firm respect for civil rights (which seems to be the case for most police in the U.S., but there are glaring and unsettling exceptions).
Unless there is super secret intelligence we don't know about, all of these games are just nice thought experiments.
However, is there actually any evidence that "bad guys" are really looking at airport security patrols for patterns? It seems like there's so many other weak points of entry. Get a job at the airport. Get a boarding pass to fly somewhere.
I have my doubts about their being any real intelligence about what, if anything, supposed terrorists are going to do. Secrets can't be kept in this country. It'd already be on the news.
1.) Randomly select the route of the patrols and check points to ensure that the adversary can't predict your movements --> Good, this works if the adversary has the possibility to move around randomly as well.
2.) Randomly pick passengers for further checks (body search etc) --> good, this works as well since you don't want to discriminate any group of people before others
3.) Assume that your randomness provides better chances of catching of terrorists --> Not necessarily. You may just spread your limited security resources randomly around without any intelligence.
Remember - the adversary is thinking, trying to find the easiest path into the target. He's even willing to take a risk if the chances are good.
A better approach would be to utilise something like a "penetration route analysis". I don't know the exact term in english, but the concept is old. Some of my study friends made a tool based on the basic theories around this issue. Just google for "tunkeutumisreittianalyysi". Sorry, it's not in english but maybe you'll catch the idea there since math is universal.
I don't see that random placement of checkpoints is going to make much difference to someone intent on getting contraband past the checkpoint. The attacker already knows he's got to get through the checkpoint sometime, whether it's right by the ticketing counters or at the gates doesn't matter much to him. He's got to get past it wherever it's located.
A better idea would seem to be randomly altering the types of inspections done at the checkpoints. Randomly varying the amount of a particular type of inspection: One day we randomly hand search 10-30% of bags instead of 1%; another day we randomly take 30% of bags; rotate then 90% and re-xray them; the next day we increase the number of people who get "secondary screening".
Pasi wrote: "Some of my study friends made a tool based on the basic theories around this issue. Just google for "tunkeutumisreittianalyysi". Sorry, it's not in english but maybe you'll catch the idea there since math is universal."
The tool is available in English also. Please check http://www.yhteisturvallisuus.net/...
The tool is called Estimate of Multiple Adversary Sequence Interruption.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.