Schneier on Security
A blog covering security and security technology.
« What if Your Vendor Won't Sell You a Security Upgrade? |
| AT&T Assisting NSA Surveillance »
April 13, 2006
Social Engineering a Police Officer
Really nice social engineering example. Note his repeated efforts to ensure that if he's stopped again, he can rely on the cop to vouch for him.
Smooth-talking escapee evades police
Woe is Carl Bordelon, a police officer for the town of Ball, La. His dashboard camera captured (below) his questioning of Richard Lee McNair, 47, on Wednesday. Earlier that same day, McNair had escaped from a federal penitentiary at nearby Pollock, La., reportedly hiding in a prison warehouse and sneaking out in a mail van. Bordelon, on the lookout, stopped McNair when he saw him running along some railroad tracks. What follows is a chillingly fascinating performance from McNair, who manages to remain fairly smooth and matter-of-fact while tripping up Bordelon. The officer notices that the guy matches the description of McNair -- who was serving a life sentence for killing a trucker at a grain elevator in Minot, N.D., in 1987 -- observes that he looked like he'd "been through a briar patch" and had to wonder why he would choose appalling heat (at least according to that temperature gauge in the police car) to go running, without any identification, on a dubious 12-mile run. But he doesn't notice when McNair changes his story -- he gives two different names (listen for it) -- and eventually, Bordelon bids him farewell, saying: "Be careful, buddy." McNair remains on the loose. (Note: Video is more than eight minutes long but worth it.)
Posted on April 13, 2006 at 7:03 AM
• 49 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
In Florida most cars have the ability to run a name and get a picture back. I am sure that there is something like that in most states. If nothing else you can take a name and data of birth and see if the person is on record.
Not taking these small steps when you think there might be some chance you have an escaped murderer on your hands is a bad thing.
"to go running, without any identification, on a dubious 12-mile run."
I make a point of not carrying identification. It helps remind me (and occasionally others) that it's not required.
When I was a bit younger, I had the experience of living and working with a drug dealer trying to go, um, somewhat more straight than before. His entire family going back 3 generations were criminals of some sort or another. The advice he'd give me on how to deal with the cops was remarkably reminiscent of this: he'd say that no matter how improbable your story or how far you had to spin to try to fill in the holes in it, the most important thing was to never, ever, let your conviction in it falter. He said that most people are actually very uncomfortable calling someone else a liar, and cops even moreso than the general public since they take professional pride in their supposed objectivism. Of course, they only feel that compunction to the degree that you, the liar, are able to make it appear convincingly that you consider disagreement with your version *dishonorable*. What's more, given a truly intractable he said/she said problem, people invariably decide the truth "must be in between", which works greatly to the advantage of anyone trying to avoid having occam's razor applied.
If McNair had been African-American, the cop probably would have clubbed him first and asked questions back at the police lock up.
Knowing many people on both sides of the law over many years...
And being a computer professional I can tell you the problem. Normal people are NOT security or safety minded.
Security and Computer people ARE security and safety minded.
While many people think the police are required to "Catch Criminals" their jobs are really more focused on reporting crime. They write tickets, take pictures, collect evidence, etc all to collect the information so a criminal can be prosecuted later. The act of catching a criminal is a small part of the job and is probably not what most cops are focused on.
BUT... next time I go on a run I better take my license to be safe.
After watching the video, it was apparent that McNair seemed to have a surprising knowledge of the local geography (roads, businesses, etc.), he actually corrected the officer in one instance. This knowledge was probably a key factor in fooling Bordelon. Either that, or the officer didn't have a good understanding of the area.
I was a little surprised at Bordelon's interrogation/questioning techniques though, I thought police officers would have more training in this area. There were a number of "facts" that McNair gave that the officer could have easily verified, like calling the roofer he said he was working for part-time.
McNair also used techniques, like "... what's the name of that town just south of xyz..." and the officer starts giving out names until NcNair says, "ya, that's the one". This type of questioning is simple to thwart, the officer could just start giving town names that didn't exist, to see McNair's response. Or by intentionally misleading McNair by altering the questioning. Bordelon didn't even notice that McNair provided two different names, although, toward the end of the questioning, Bordelon made an interesting comment that if McNair was the escapee, he would have ran by now.
The cop went with his gut. He liked the guy so he figured he couldn't be an escaped murderer.
As somebody pointed out, it almost certainly wouldn't have played out like that if McNair was black.
I wonder whether the cop inadvertently saved his own ass. McNair seems twitchy in the video and it wouldn't surprise me if he had attacked the officer had he tried to arrest him.
The cop not only has the professional and human aspect of presumption of innocence, but also, who wants to find they are in a personal conflict with someone with a history of brutality?
Also, the crim seems to believe he has a moral right to be on the loose, not in the indignant 'you can't lock me up' way, but in the normal way which people respect.
Cops, just like the rest of us, know they work in a system which makes mistakes and has corrupt and inadequate elements.
Faced with a very difficult task of ID'ing and taking in an escaped murderer, we can only expect for them to do their best, and the guy seems to do a reasonable job, given that this is his job 24/7. It's not like he has been given the one mission of his lifetime, to bring in this one particular crim.
He probably has dozens of other tasks just like any other employee, and this event is just one.
I am not trying to defend either of them, people have a hard enough time making judgements in environments designed for that. It is not right to try to judge either of them, or the system behind them, based on this 8 minute clip.
I especially like the quote from the The Town Talk article, "Most men, Caucasian with a goatee, would fit the description"
It's the same "They all look alike" that non-Whites have had to contend with historically, but with opposite results.
It seems to me that there should have been someone, such as a prison guard, who personally knew McNair on the other end of the radio. Even better, if the car camera picture had been available to that guard, positive ID would have been easier. Further, if McNair had known that the video was available at the dispatcher, he may have been less likely to attack Bordelon.
The picture shown in the follow-up article was awful, but it sounds as though the description was detailed enough.
I'm happy that the cop placed a high standard on ID before arresting the guy, but we know that his tools can be improved.
I agree with what a lot of people are saying, defending the cop. But two things I'd like to point out:
1 - McNair gave to different names. The cop SHOULD HAVE caught that (and caused doubt in the cop's mind).
2 - The cop let McNair run the interview. The cop should be trained to ask objective questions, and form objective opinions; not have a casual conversation with the suspect. That allows the suspect to redirect the cop, which is why the cop forgot the first name he was given.
I'm not a cop, but I've worked with several. I think a lot of them fancy they have the ability to "spot" a criminal and to distiguish one from someone who is not. I remember one cop telling me how he knew the two guys who came from the Salvation Army to pick up a sofa he was donating were ex-cons "the minute I laid eyes on them." There is a kind of hubris in cop culture.
The most interesting part of the video for me is that when it's obvious the cop is going to let him go, the guy still goes on with the friendly b.s., talking about his dad the auxillary detective and his time in the army. The fact that he's in no hurry to leave is the polish on his performance that only confirms for the cop his opinion of him.
I would not be surprised to find out that this bit of social engineering would have worked on a majority of police in the same situation. I wouldn't single out this one officer.
Not having seen the video (I can't at work):
Why do people expect police to be able to catch such a criminal by doing things "like calling the roofer he said he was working for part-time"? Would you, if you were innocent, feel happy about being interrogated and then having your statements be questioned to the point that your employer is called? Hell, what if you were skipping work that day, and didn't want your employer to know? While possibly unethical, it shouldn't be the government's business to babysit for your employer.
Of course, somehow this has to balance with actually catching criminals, but I wholeheartedly disagree with activities that turn everyone into a suspect. Most people are good, honest, law-abiding (if you skip the speed law) people who don't deserve to be second guessed by their public servants.
I've actually been treated like a criminal by the police several times when I have committed no crime. I have to tell you, I don't accept that I appreciated that treatment, even knowing that it, for some reason or another, makes other people feel safer. It certainly doesn't make me feel any safer knowing police are question my motives and not those of the real terrorist.
Will the real terrorist please raise your hand?
I like the way everyone is jumping in on the race card here. Or maybe they are just projecting.......
I agree the race card is getting played a lot lately.
If they would have executed the murderer 20 years ago when he killed another person in cold blood maybe he wouldn't even had a chance to escape.
After looking at about the first half of the video I don't see the officer doing anything wrong. In his telephone conversation he was trying to get information about the escapee and what he got back did not seem to match up.
In my area the local LEOs are starting to get in car cameras that can be used for facial recognition. Tough call when you consider the "big brother" issues against letting an escaped murderer get away...
I think the turning point was when the cop asked when the guy was born, and then compared that to when the missing convict was born. To accept the convict's given DOB was to trust him, with no objective reason to do so.
I saw this reported on local news the day it happened and the point they repeatedly stressed was that the officials were publically revealing the video in order to help others recognize and apprehend the escapee. They simply said a mistake was made and they wanted to ensure the video was available to help prevent it from happening again. Although the mistake is interesting, I thought the way the mayor responded was also notable.
The CNN transcript ends with commentary by their anchor about this:
"As for the officer's actions, the police chief and mayor support him. They say the federal prison did not provide a good enough description. And they released the dash-cam video, so people can see what he really looks like. And that is the important thing."
When he asked him his name, where he worked _anything_ he had to trust him. Thats about all you can do.
When he had the guy take his gloves off he was looking for a mark or tatoo that was not there. Things were not pointing to this guy as the convict. You can hear him on the phone trying to get anything that will help, but no information is available.
Better record keeping in prison along with better ways to get the information out would seem to be a helpful idea.
FYI, it is NOT a crime to be in a public place without identification. Further, being in such a state does not even provide probable cause for further action. Now, "loitering" in a public place without identification might (and maybe should) be enough probable cause for further police activity (searching, investigating, etc), but a police officer is put into a bind when a person acts apparently legally and faced with a criminal.
With no legal recourse to proceed against a potential criminal, what is a police officer to do? The answer, unfortunately in the case of an actual criminal, is to let the person go.
Remember that the US Constitution provides protections against unwarranted detention. A police officer can't legally stop someone on the street for no reason and start an arbitrarily long investigation. These protections are important.
What if you are stopped by a police officer for no reason, and are late to your destination according to the terms of some contract? (Airplane ticket, for example?) You would have no recourse. Or, what if a police officer could confiscate some item legally in your posession as "evidence" without any cause? Now you no longer have that potentially valuable object in your posession. Is this fair?
Living in a police state creates not only large inequities, but small ones too. Don't be fooled - those small inequities are valuable ones, as anybody who'se been searched multiple times at an airport check line to the point that a plane was missed might tell you.
Once while walking, I got stopped by a state police roadblock because I fit the description of an armed robber. All they had to work with was 'denim jacket and sunglasses'. They had no descriptions of the two accomplices.
Yes, the cop made mistakes that are easy for us to see in retrospect -- like the person giving two names. Also, knowing that the person is an escaped murderer helps us see them as mistakes.
However, there are other questions. Such as why didn't the cop know there was an escapee around? Maybe he did, but since no one is saying that there was an APB, I'm guessing there wasn't.
Another important questions is whether we want our public servants to presume guilt.
The cop has so-so technique. Looking at his reactions, he failed to really believe this might be the guy (his comment, "When I saw you I asked, 'how lucky can I be?'," is telling of his state of mind).
He didn't take notes, and that is the killer. If someone has a polished story, the interrogator has to take notes to spot the discrepancies. Robert and Jimmy, as his first name is a classic, "repeat" function. In military interrogation teaching the students to do that is one of the hardest parts.
A quick phone call, with the guy providing the number (his putting a 10 minute delay on when the "brother" was going to get back to the motel was brilliant, the cop doesn't want to be standing outside in the sun for that long) would have put the question to rest.
He didn't do that. The trick of appearing willing to do something, which the subject doesn't really want to do, gave it verismilitude, even as he took away the means to actually carry it out.
There were some details at the end which were wrong. I have to carry my military ID 24/7, and have been expected to do so since I got to Basic Training, but the cop didn't know that.
It was interesting to watch. I wonder where the guy got the drink.
Things I noticed that made the killer's case more effective.
Gave his age and year of birth before the cop asked. That gave the cop the idea of using the DOB that the killer knew would not match up. Offered the year of his birth before he was asked for it. He didn't just say "I'm 50 years old" and then have to think about what year that meant he was born in, a common challenge to verify someone is not lying about their age. My guess is he knew a day and month and the zodiac symbol of that birth date as well.
Had a good reason to not be near where anything could be verified, he was dropped off to jog back.
He offered another way to verify who he was, "Call my little brother, he'll tell you who I am." However, he also had a good reason his little brother couldn't be contacted for 10 to 15 mins, human nature is not going to want to let that cop want to hang around that long.
Not from the area, but had a good reason to be there. The transient work roofing is pretty common and he probably has done it before so he had an answer to the cut up and knee pads questions. That was good.
He did seem to represent about 1 weeks worth of being there's knowledge. I personally think he made a mistake when he mentioned that's where he "usually stays" referring to the camper place. He knew a little too little about the area to have been there multiple times, but the cop didn't pick up on that because his mind was already made up by that point.
Selected a very common name that would be hard to match to confirm anything because of background noise in the results. A bit of security through ubiquity if you will should they decide to actually try and look it up. I swear in the south every place has at least one Jimmy. In the north I think it's a Mike.
Practice. He had been over this story in his head before, it was well thought out, perhaps practiced. Confidence games usually require that unless you are very gifted in thinking on your feet and very few people are, no matter what you think, to a trained person, they can spot on the spot thinking things up by body language you never even realized you had.
Friendly, smiled, laughed, joked
And the things the others pointed out:
Not in a hurry to leave.
Some knowledge of the area of operations.
Killer's mistakes as I saw them:
Too figity, jumping around, video wasn't clear enough to see if his facial expressions made up for it in friendliness, must have.
Name change in the story.
Turning his back and walking a few paces away at one point. Cops can turn on a dime if they sense lack of respect, the back turning risked that or triggering his "tried to run" sense. I think the only reason it didn't here was the cop was looking down talking on his phone or radio and didn't fully see it happen.
The cop clearly didn't have the proper professional training for interrogation and perhaps didn't have the proper professional approach to the situation. Both management and/or systemic failures and not his fault really.
The lack of professional approach led to the quick judgment that this guy probably wasn't the guy early in the encounter. As others have pointed out, non professionals think they can "just tell" which often seems indistinguishable from profiling of various sorts to me.
All in all, it's a shame this guy is still on the loose, I hope the officer involved learns from this as does his management and law enforcement types around the country. Having this on tape in such a serious matter will probably help catch criminals that otherwise would have gotten away in the future many times over.
By the way, I think this supports the idea that IDs are not the solution to anything. ID was not required to catch this guy in this situation, a more professional police force was. Further, had this guy had a fake ID the encounter probably would only lasted 4 mins instead of 8 before the guy was on his way.
I forgot to add another thing the killer did right, no tattoos. I was told one time by a convict about the only thing he regretted was the tattoos because they identified him and I should never ever consider getting one for that reason.
"I like the way everyone is jumping in on the race card here."
If you're going to use that annoying expression at least try to do it in a way that makes sense. How exactly does one "jump in on the race card"?
"look at the available picture that they had"
Good point. It does seem a bit odd that such primitive technology was all the officer had to work with given the video setup. One would think that a color scan of the photo could be sent directly to the laptop in his vehicle, if not his PDA.
A grainy fax hanging on some board back at the station is so 80s.
@arl - on the cop trusting the DOB.
The cop didn't ask his name, and then seem to accept that as indication that he wasn't the guy. By the time he got to DOB, he got on the radio, and seemed (at least to me) to take the convict's word on DOB as at least evidence that he wasn't the guy.
I'm not talking about what the cop did right or wrong, I'm talking about the point where I saw that the cop, not seeing anything objective to go on, was moving to subjective- "he's not running from me, he must not be the guy. He's a nice guy, he must not be the guy". Something inside the cop made him think the suspect's claimed DOB was somehow useful information, and it was not.
I have worked eith convicts for almost 20 years. That guy was the coolest cucumber in the bunch. At no time did he display any undue nervousness, and when he did get a little edgy he covered by moving and streaching. He always maintained a close contact distyance in case he needed to tak the Officer out. As for the jogging, any one motice the temp display? 113 and then went to 114!
Did anyone notice that the same security van drove by the scene two or three times? I'm not questioning the video, but that does seem odd. Or am I?
As for the lack of tattoos, that was a good thing for the guy.
I mentioned to other inmates while I was in Federal prison that the one thing that would guarantee them being arrested - even if they were innocent - was the fact that they had tattoos. Somebody with tattoos robs a bank, they're driving along ten miles away, they're gonna get stopped and questioned solely because of the tattoos.
I actually knew a guy at Florence FCI who was there BECAUSE he had tattoos. He was an armed robber, but he never robbed banks. A cop knew he was an armed robber but couldn't prove it. So at one point he simply arrested him and charged him with a recent bank robbery. They had no physical description of the bank robber except the tattoos. They showed this guy's tattoos in court. Result: conviction.
Nothing like painting a target on your forehead for the cops. A smart criminal looks like everyone else. The first bank I robbed I was dressed in a suit and a tie and a raincoat. I ditched the raincoat, stashed the money in a briefcase hidden outside the bank - and walked to the subway right past a police car parked there looking for the bank robber. I looked like every other business guy on the street.
"I actually knew a guy at Florence FCI who was there BECAUSE he had tattoos."
So, lets say a guy didn't have tattoos, but put on some temp tattoos...nothing like faking distinguishing marks.
Good to see that a law enforcement officers who has regard for correct identification and assumption of innocence until there is _evidence_ to the contrary. He did not have enough information and could not get any.
McNair was ready to pounce any second. Why Bordelon was alone?
I'm rooting for the guy. He out-thought and out-maneuvered hundreds of guards and police. Mailing himself out of prison - brilliant!
He escaped from a super-max facility. He is intelligent and funny, with a flair for the elegant - supposedly sending a sheriff a Christmas after one of his three escapes.
True, he committed a crime 20 years ago, but 20 years seems like long enough to serve.
The U.S. Supreme Court recently decided that a law officer, while investigating a crime, may require people to show valid identification.
For the other 215 years of the Bill of Rights, it was not required that citizens identify themselves to police.
Now we can dig out the Iron Curtain era actors who had that chilling, threatening voice when saying, "your papers, please" and reemploy them to train the officers of our burgeoning police state.
From a Bureau of Prisons employee:
Too painful to watch again. Bordelon was desperately hoping that he hadn't caught the guy, and was looking for a way to let him go.
He presented several opportunities for McNair to kill him. If he'd tried to take him into custody without backup, McNair would have killed him.
The escape is not one of the BOP's brighter moments. Escape is very rare in our system. Policy was completely violated, and obviously had been violated on an ongoing basis for long enough that McNair saw how to take advantage of it. If they'd been following policy, the box he was hiding in would have to sit in the secure rear gate area through at least three counts before going out to the warehouse.
On the subject of tatoos: I'm curious what the person that the officer phoned said, which made the officer ask McNair to take off his left glove. Officer Bordelon then said words to the effect "he's clean." This implies that the prison records indicated McNair had some kind of tatoo on his hand(s).
"He presented several opportunities for McNair to kill him. If he'd tried to take him into custody without backup, McNair would have killed him."
I've only taken one concealed weapons course, and I'm not in law enforcement, so I know I'm not an expert in these matters. Certainly the escapee appears more fit than the officer. However, we can't assume that the escapee could have easily taken the officer's weapon had the officer decided to arrest him. (Taking the weapon really is the only plausible narrative that would lead to such a result, so please don't suggest any zany martial-arts maneuvers.)
For one thing, the first thing the officer would have probably done was the "wait here while I check something in my car" maneuver. After gaining 15-20 feet of distance, the officer can then draw his weapon and index the subject without fear of B-movie shenanigans. He can then instruct the subject to lie face down, call in a quick "assistance needed", and attempt to handcuff the subject. If the subject misbehaves at any point, the officer can take appropriate action a) to protect himself and others, and b) to subdue the subject. While a single officer can't be certain of successfully apprehending a dangerous but unarmed criminal, he can nearly always defend his own life.
Any comments from BOP employees have to be read with some skepticism. This seems to have been a bit of "see, the police are just as incompetent as the wardens!" schadenfreude. These two professions are not as similar as one might think. While both made errors with respect to this escapee, of course the prison is more responsible for this situation than the police.
As for the "desparate hope", rational people have a certain level of fear of mortal conflict, but skilled police can deal with that fear and do their job. I think that fear had little if any to do with the officer deciding that this person was not the fugitive he was seeking. As others have suggested, the officer's interview skills could most stand some improvement.
One interesting thing about McNair's conversation with Officer Bordelon that has not been pointed out yet is this:
McNair volunteers that he is doing roofing "with my brother." He introduces his brother just to get the officer used to it. Several minutes later, he asks the officer to call his "little brother". So the brother reference seems much more plausible introduced the second time because it had been introduced in an innocuous setting the first time.
"The U.S. Supreme Court recently decided that a law officer, while investigating a crime, may require people to show valid identification."
Sorry, but this is not the case. The Supreme Court said that it was reasonable for an officer to require that a person identify himself. This is not the same thing. Physical proof of identity is not required.
Law enforcement officers, no matter how trained or experienced, are only humans. The core of Social Engineering is exploiting the human element of security and manage to make that exploit succeed. Analize any succesful case of Social Engineering after the fact and a miriad of questions may arise, but the fact is, several things come to play; from plain gullibility, ignorance or overconfidence to fear, empathy or submission. And there is a lesson to be learned on each one of these cases: When my right hand starts snapping its fingers, you "best watchout" for what my left hand is doing. It's like Tango isn't it? I lead, you follow.
"Police State"? I'm pretty sure we are not in a "Police State", but even if we were, the only time you would have to worry is if you were guilty of something, and that's usually the peopl who are indignant about being "hassled" by the police. As far as I can tell, this officer didn't have the facts or support he needed to make an ID on anyone, not to mentiong the ever present threat of being sued for making a mistake. Maybe the people who are criticizing this and so many other officers should go and try to do the job better, if they can with the minimal pay, training and public support that so many officers are faced with. The fact is, those people couldn't handle what these officers have to deal with!
The person in question(inmate), while friendly in appearance was actually ready to do what was necessary to keep himself safe and free. The officer was distracted with his phone call and was looking everywhere but at the person he was calling in about and exchanging information with the dispatcher in front of the person in question (who we now know was the escaped inmate). This put the officer in danger because he was doing too many things at one time. The person was bouncing and moving all around and this should have been a signal to the officer and put him on alert.
The officer should have been taking notes on what the person was telling him and could have spared a few minutes of his time to investigate the "brother", the "hotel" and the name of the company. He could have asked the person to sit in the back of his squad car or he could have asked him to stay put and go back to his car to do more checking on things and REQUESTING backup. When dealing with a possible escaped inmate of any kind, when you have a suspect or person of interest you ALWAYS REQUEST ASSISTANCE...especially when you are not in good enough physical shape to take the person down yourself if you have need to do so.
No one is perfect and the inmate was slick. I was taught that if you ever leave a post in prison and think you had a perfect day, that you were a fool and might just as well quit because one or more of the inmates had already played you for the day. They have 24 hours a day, 7 days a week, 365 days a year to watch you, learn your ways and likes/dislikes and learn about the area they are in.
I wonder how many of you idiots commenting on this site...especially those of you who say it would have been different if he was black...have ever been a police officer. Unless you know that officer personally, and I bet none of you do, saying that he would have done something differently if the escapee was black is like me saying that all black people eat pigs feet. See, just because he has on the uniform doesnt mean he is racist..and just because someone is black, doesnt mean they like pigs feet.
If you are presuming that he is a racist one because he is a white cop, that makes you a racist.
The guy gave 2 different names, first time he said Robert Jones, then he said Jimmy Jones.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.