Schneier on Security
A blog covering security and security technology.
« Police Foil Bank Electronic Theft |
| UK National IDs »
April 5, 2005
Sandia on Terrorism Security
I have very mixed feelings about this report:
Anticipating attacks from terrorists, and hardening potential targets against them, is a wearying and expensive business that could be made simpler through a broader view of the opponents' origins, fears, and ultimate objectives, according to studies by the Advanced Concepts Group (ACG) of Sandia National Laboratories.
"Right now, there are way too many targets considered and way too many ways to attack them," says ACG’s Curtis Johnson. "Any thinking person can spin up enemies, threats, and locations it takes billions [of dollars] to fix."
That makes a lot of sense, and this way of thinking is sorely needed. As is this kind of thing:
"The game really starts when the bad guys are getting together to plan something, not when they show up at your door," says Johnson. "Can you ping them to get them to reveal their hand, or get them to turn against themselves?"
Better yet is to bring the battle to the countries from which terrorists spring, and beat insurgencies before they have a foothold.
"We need to help win over the as-yet-undecided populace to the view it is their government that is legitimate and not the insurgents," says the ACG's David Kitterman. Data from Middle East polls suggest, perhaps surprisingly, that most respondents are favorable to Western values. Turbulent times, however, put that liking under stress.
A nation's people and media can be won over, says Yonas, through global initiatives that deal with local problems such as the need for clean water and affordable energy.
Says Johnson, "U.S. security already is integrated with global security. We're always helping victims of disaster like tsunami victims, or victims of oppressive governments. Perhaps our ideas on national security should be redefined to reflect the needs of these people."
Remember right after 9/11, when that kind of thinking would get you vilified?
But the article also talks about security mechanisms that won't work, cost too much in freedoms and liberties, and have dangerous side effects.
People in airports voluntarily might carry smart cards if the cards could be sweetened to perform additional tasks like helping the bearer get through security, or to the right gate at the right time.
Mall shoppers might be handed a sensing card that also would help locate a particular store, a special sale, or find the closest parking space through cheap distributed-sensor networks.
"Suppose every PDA had a sensor on it," suggests ACG researcher Laura McNamara. "We would achieve decentralized surveillance." These sensors could report by radio frequency to a central computer any signal from contraband biological, chemical, or nuclear material.
Universal surveillance to improve our security? Seems unlikely.
But the most chilling quote of all:
"The goal here is to abolish anonymity, the terrorist’s friend," says Sandia researcher Peter Chew. "We’re not talking about abolishing privacy -- that’s another issue. We're only considering the effect of setting up an electronic situation where all the people in a mall, subway, or airport 'know' each other -- via, say, Bluetooth -- as they would have, personally, in a small town. This would help malls and communities become bad targets."
Anonymity is now the terrorist's friend? I like to think of it as democracy's friend.
Security against terrorism is important, but it's equally important to remember that terrorism isn't the only threat. Criminals, police, and governments are also threats, and security needs to be viewed as a trade-off with respect to all the threats. When you analyze terrorism in isolation, you end up with all sorts of weird answers.
Posted on April 5, 2005 at 9:26 AM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"“The goal here is to abolish anonymity, the terrorist’s friend,��? says Sandia researcher Peter Chew."
how about instead of abolishing anonymity to rid the world of terrorism, they abolish the idea of terrorism itself? Surely it would involve a similar workload (both near impossible). Heck, they may as well start abolishing CASH since that is also the terrorist's friend...
When a group abolishes anonymity, they destroy privacy. When privacy is destroyed, personal freedoms are threatened. When personal freedoms are lost...
I believe in our free Society, as you seek rights and privileges in that Society, then we have to know who you are. We're going to need to establish the identity of who you are as an individual. And then, for the greater good of Society, be able to determine whether or not you should be extended that right or privilege.
Derek Smith, ChoicePoint CEO
Hmmm... Identity vs. Anonymity... could it be that we don't have a clear definition of either the problem or the goals?
I've been thinking a lot lately about the need for a robust and reliable network personal identity (NPI), but my goal is not really to identify a person in the real-world sense, but more to authenticate that a user is the "same" as they were when they previously accessed a particular resource. I am interested in anonymity, but from a practical perspective "the net" needs some way to verify a continuity of ownership (or maybe mere interest) in certain resources or services.
The next big question is how to "anchor" such a network "identity", without abandoning real-world privacy, and to do it in a way that does at least remotely facilitate legitimate law-enforcement "interests".
"Who am I?"... "Who are you?"... "Are you XYZ?"... these are the compelling questions that the computer science community needs to tackle.
-- Jack Krupansky
Anonymity has only a limited role in the context of democracy. We walk into the voting booths and we say we vote anonymously. But we don't, really. The system keeps track of who votes; it has to do so, to make sure that everyone who votes is entitled to do so and to make sure that no one votes twice.
What we really want is unlinkability between votes and voters. Anonymity is not necessary to achieve this. We only need to have a way to create a form of information which is not linkable to its source.
I write here under a pseudonym, which is (to some degree) unlinkable to my real identity. This gives me immunity from consequences and allows me to be more blunt and frank in my analyses. Society benefits from the resulting openness.
But in the physical world, anonymity does not seem to provide similar benefits. The difference is that physical actions can be much more harmful than informational ones. Sticks and stones can break my bones, but words can never hurt me, not in a world where we recognize that the antidote to bad speech is more speech. Strenghtening anonymity in the physical world is only going to protect terrorists and criminals and reduce the quality of life for law abiding citizens.
Imagine a world where physical anonymity was perfect, in which anyone could do anything without fear of being identified. It would be chaos and anarchy, criminals would roam free and unchecked. This is not a goal that we should rationally seek.
Let us instead concentrate on unlinkability of information. It is the foundation of democracy and can strengthen our online discourse. As long as people are free to communicate and exchange ideas, as long as they are free to vote and express their will, our liberties will be safe and our lives will be protected. This is the direction we should be working for, not the illusory security of physical anonymity.
"Anonymity has only a limited role in the context of democracy."
Anonymity indeed has a limited role, but that role is vital. The availability of anonymity, however, is crucial to the advancement of new ideas in a "free" society. As Bruce pointed out in his comments, the utterance of certain ideas during the patrotic locomotive which left the station immediately following the attacks on the US was enough to uleash a fury akin to Mc Carthy days.
The absence of the availability of anonymity is a key componant in the successful maintenance of any totalitarian regime.
"But in the physical world, anonymity does not seem to provide similar benefits. The difference is that physical actions can be much more harmful than informational ones."
Comments like this are chilling. By this logic we should also wear ankel bracelts and be allowed to roam anonymously until something happens and then the government can examne who was were an use behavior patterns to access the potential pupetrator(s).
Anonymity is a requirment for privacy.
I agree with Jack Krupansky's comment about needing to define terms. In my work in automating access controls in application architectures, I've explored the nature of "identity" to some depth, and realized that most peoples' notions of this concept do not really work, at least in security matters. I would like to bring up some ideas that I was exposed to by the SPKI/SDSI (RFC2693) effort on the meaning of identity.
Elaborating on Rivest and Lampson's assertion in their SDSI paper that "all names are local", it has occurred to me that identity is very much in the eye of the beholder. Indeed, one dictionary definition of the word characterize it as the attributes of an entity that - collectively - are unique to it. Essentially, that works out to "everything I know (or believe) about you", or associate with you in some way. Particularly in the context of access controls, those attributes are such things as account numbers, balances, preferences, etc., primarily of interest to the party holding the information and controlling access, while public or official identifiers such as legal names and government ID numbers serve mostly as keys to various necessary partner applications - shipping, billing, credit checks, and the like.
The point is that none of these bits of information need be encoded in an ID card, but only an identifier that is owned by the querying party. Any other information is already known to that party, keyed by that identifier, which can itself be encrypted with that party's own secrets. In this way, a "casual" interloper with only (!) a high-gain antenna or a rogue card reader can't get anything useful, without having also compromised the authorized party's secrets.
This doesn't solve the problem of somebody, somewhere, always knowing where you are, but I don't think that one has a real solution, and I can't find a cogent rebuttal to Scott McNealy's famous "get over it" statement, however disconcerting and inflammatory it may have been...
Nice commentary. I think you will find more answers in Political Science, Economics and Philosophy, not to mention Anthropology than in Computer Science. You might also rightly expect Biology or even Zoology to provide the answers you are looking for. Computer Science is more likely to be the place, once you have the answer, to find a way to design, model and implement a simplified version for online consumption...
Initimation is tyranny's friend. When you choose to hide your face and name for fear of retribution, you have lost already.
In the long run the whole counter-terrorism is an economic problem coupled with an emotional problem. You can't defend the empire in every single spot against a truely motivated enemy. Let's say you cover all the airports with security, then the schools, the theaters, rock-concerts ... the list never ends. Finally you have half your population pn security duty - mainly wasting the time of the other half of the population. So nobody is productive anymore, everybody is living in a prison and you are still not completely safe. But the rest of the world does not have that problem and will advance economically, so you loose in the long run, your people get angry with the situation and it all blows up.
So what can you do since you can not defend ? Two options - 1) you make war on all the others so that their economy doesn't get ahead, 2) you stop making people angry at you.
OK, OK, you hate hearing pt.2. I can't help it, but there is only one country in the world that does what you do. Stop it.
"We need to help win over the as-yet-undecided populace to the view it is their government that is legitimate and not the insurgents," says the ACG's David Kitterman.
Is this individual seriously considered as some kind of counselor? The governments of the millennial muslim world are almost uniformly corrupt tyrannies, as they have been for a thousand years ~ or since their creation after World War I, whichever came later. "Insurgents" in these regions are commissioned by those in power, and as with heroin pushers in some U.S. jurisdictions, operate only under covert official license ~ "independents" are eliminated.
We have a tradition of mistrusting government ~ it's called the Bill of Rights, for starters. And with what passes for public scrutiny in America, we still have corruption, malfeasance, and pronounced tendencies toward dictatorial practices. Is it realistic at all to imagine that those who rule in the millennial muslim world have more legitimacy than we have in our own political institutions?
We ~ America ~ fostered al-Qaeda and Saddam Hussein. We ~ America ~ kept the Shah in power, promoting Khomeini, and then we ~ America ~ facilitated the Khomeini regime's consolidation of power in Iran via updated replacement of Israel's sale of dated aircraft parts and munitions in the Iran-Contra affair. We ~ America ~ have promoted insurgencies on the one hand while propping up the target regimes with the other. And in the face of this history, someone imagines we can convince the people in those regions that their governments are "legitimate"?
Get a clue ~ American officialdom has even less credibility with the people of the millennial muslim world than their own tyrants have.
We'll gain more security ~ and liberty ~ when we discard this kind of myopia.
This is very good idea IMHO :)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.