Schneier on Security
A blog covering security and security technology.
« U.S Terrorism Arrests/Convictions Significantly Overstated |
| Friday Squid Blogging: 450 kg Squid Caught »
February 23, 2007
Is Everything a Bomb These Days?
In New Mexico, a bomb squad blew up two CD players, duct-taped to the bottoms of church pews, that played pornographic messages during Mass. This is a pretty funny high school prank and I hope the kids that did it get suitably punished. But they're not terrorists. And I have a hard time believing that the police actually thought CD players were bombs.
Meanwhile, Irish police blew up a tape dispenser left outside a police station.
And not to be outdone, the Dutch police mistook one of their own transmitters for a bomb. At least they didn't blow anything up.
Okay, everyone. We need some ideas, here. If we're going to think everything weird is a bomb, then the false alarms are going to kill any hope of security.
EDITED TO ADD (3/3): If you're having trouble identifying bombs, this quiz should help. And here's a relevant cartoon.
Posted on February 23, 2007 at 12:38 PM
• 75 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Forget about using bomb detectors, let's just explode anything that is suspect.
I'm surprised the people who make hostile entry and bomb disposal robots aren't out pitching their products. A robot could remove a CD player or tape dispenser with minimal threat to life or property. Granted, a child or dog could handle the CD player or tape dispenser safely, but a robot helps avoid the bad press in the event that it's actually a bomb.
I don't think there's anything that anyone can do to improve this situation. People want to be afraid. They want to believe that everything unfamiliar is dangerous, regardless of how often that turns out to be true. It's even easier since we have many politicians and companies making up reasons for people to be afraid.
A police spokesperson said: ...
"We are also conscious that terrorists have used items made up to look like police equipment in booby traps."
I guess that explains the Dutch police?
I'm pretty sure my optical mouse is a bomb. It has a weird light underneath.
A few more weeks of exposure to these stories and I'm going to have to stop reading Bruce's blog to cut down on this splitting headache...
Just be glad a similar prank hasn't happened on an airplane!!
There's nothing to be done. If people come to my desk once a month to ask me to decide based on no real information whether something should be treated as a bomb, I'm going to say yes every time. Blowing a few things up periodically is free, whereas making a mistake once is not.
The only way people will stop doing this, and the only reason they should, is if this stuff becomes common enough that it makes economic and CYA sense not to. So look for to a lot of explosions for the near (and possibly distant) future.
From the article:
"Authorities determined the music players were not dangerous and kept the third one to check it for clues, said police Capt. Gary Johnson."
They needed to blow up TWO of them to determine they weren't dangerous?
I have a feeling that the FBI's terror database is going to pay big dividends when they match fingerprints from the third CD player to a known terrorist.
This blog could be a bomb...
By the way, I'm aware of the similarity of my post to the essay you wrote recently, Bruce. That was easily one of the best things you've written in a while, but I'm curious whether you really think it's an issue. Surely Boston was an issue, but that was an overreaction even from a CYA prospective. If each state blows up one tape player every ten years, is that really a problem? It's dumb, but who cares?
The Dutch story is the best. It is a clear denial-of-service attack on the local police force. A bad-ish guy finds a police transmitter taped to his car and decides to retaliate by calling in a bomb warning. The CYA-fixated police overreact, as he no doubt expected, and he gets an unreported amount of their resources allocated to worthless work.
This reminds me of students tripping the fire alarm to postpone the big math test. Eventually schools had to have silent fire alarms, so that they could control the disruption from the office.
The culture of CYA makes a denial-of-service attack less risky and almost as effective as a real attack. If your goal is to terrorize people, you don't actually need to blow them up. Just get enough scary bomb squad video on their TV sets. Even if you get caught, you can say "It was all a marketing campaign" or "It was a free speech protest". Much less likely to get you sent to Gitmo than detonating actual bombs.
>Irish police blew up a tape dispenser left outside a police station.
Correction: This occured in Northern Ireland and the Police there are not Irish Police, but are a British Police Force:
And would be very upset to be confused with the Garda Síochána (The Republic of Ireland's national Police force).
This might sound like nit-picking, but a major of Northern population do not regard themselves as Irish, and Northern Ireland is technically part of the UK.
One thing to remember is that the PSNI (formerly the RUC) have a lot of expierence with "suspect devices":
Possibly more so than most other police forces (including the Irish Police).
Overall, the British response to terrorism from the 1960's to the early 1990's shows some of the worse ideas of policing such activities. Such as the ability to detain suspected terrorists for up to 30 days (or longer?) without legal respresentation leading to innocent people being jailed due to forced confessions or racial bais (and the real perps remaining free).
I'm sure there are good security lessons to be learned from Northern Ireland regarding security, but off the top of my head I can't think of any.
Regarding the Dutch incident, I'm suprised that they realised the info that it was their own transmitter and didn't try and keep the suspected offender and the public in the dark? I'd reckon that the regular police aren't aware of what the transmitters look like as they probably don't use, or maybe the whole incident was staged to try and keep the suspect in the dark about the transmitter and info leaked out.
@Sean: I actually disagree that it is "free" to blow up stuff periodically. Frankly, this sort of thing makes our law enforcement look like a bunch of idiots (I make no statement one way or the other as to whether they actually _are_ idiots). It's the old "boy who cried wolf" phenomenon. I know that I, if I worked in Boston and the Boston PD came in to my office to say that a bomb had been found, would immediately think they had found another ad... maybe _Family Guy_ this time?
I wish I had an idea of what to do about this, frankly. Maybe we need a national "Just Chill" day. The country is way too uptight and is over-reacting to just about everything, so far as I can tell... and I don't mean just about terrorism. Those kids who put those CD players in the church are probably going to end up facing criminal charges when found... and some ass is probably going to argue that they should be tried as an adults for some sort of sex crime.
"Blowing a few things up periodically is free [...]"
... until someone places a glass bottle of VX in a "suspicious" package and the cops blow it up thinking there is no harm. When this happens, do we get to fire the person who said "blow it up" for being incompetent, or will there be a further excuse at that time?
It's really very simple. Of all the stuff you might find out there, exactly none of it is a bomb.
Oh, there is possibly one exception, a smoking crater where previously there were people and buildings might well be where a bomb was at some point in the past. Or a metorite. Or a StarWars weapon test. Or a leaking gas pipe. Or one of a million other causes of explosions that are not bombs.
If terrorists are rare, bombs are rarer. To live a live afraid of everything that might just be a bomb is to live a wasted life.
Ten years ago the city where I live was bombed by the IRA. By luck nobody was killed despite buildings over a 400 metre radius being badly damaged. I walked through the city centre the following morning, walking on inches thick layers of broken glass outside the cordoned off epicentre of the explosion. To be afraid of the IRA at the time was to give them a victory. To treat the current terrorist threat as something special is to give them a victory. Ignore then, laugh at them, try to understand them, but for gods sake do not give them a victory.
I've sat in that church. I'm just thankful that they didn't mistake me for a bomb and blow me up... I suppose that's what I have to look forward to in the future.
Just who are the real terrorists...
Well, it'll probably be harder now to tie the "high school students" (if that's who it was) to the placement of those CD players, as the police decided to completely obliterate the evidence before even trying to do any investigating.
About 10 years ago a friend I worked with had his car blown up by the Dutch police because he parked outside an Embassy in the Hague and happened to stand and have a look through the gates at the Embassy itself (with his elderly Mum). As it was a nice building he (and his Mum) spent a few minutes there. On the backseat of his car was one of the "old" cassette "briefcases" - for you tapes for the car stereo. Cops thought it could be a bomb and used a controlled explosion to kill his music collection! (if memory serves me right it was well worth consigning his musical tastes to hell).
This "it must be a terrorist" hysteria, or CYA (Thanks Bruce for the new TLA!) is nothing new.
The really funny part is that the CD players were removed from the pews to another location, apparently by hand, and later blown up. I guess that's standard procedure.....
Any flying object is a UFO, or unidentified flying object, until you identify it.
We need a similar term, like UBO (for unidentified bombish object) to apply to all objects that cannot be readily identified by viewing them from a safe distance.
Since it is unsafe to approach a UBO, most of them will remain unidentified, ensuring that most UBOs get blown up.
Blowing a few things up periodically is free
er, no, it isn't.
I just noticed that every parking spot in my city has mechanisms mounted on sturdy steel-pipe columns -- which makes me think of super pipe bombs -- and the mechanisms have countdown displays that show in red 'EXPIRED' -- which I assume means detonation time. If I tip off the police, will the bomb squad destroy these infernal devices?
I think it's merely a PR campaign, a "show of force" for the "talk nice" people.
Any officer who mistook these items for a possible bomb, should not only loose their badge, but should be jailed.
I used to think that "Chicken Little" was just a fun, silly story that kids learn. 5 years after 911, though, it's a profound allegory about how people can be scared into acting like idiots.
We're not idiots, and it's good to see our sense of humor back.
"We need a similar term, like UBO (for unidentified bombish object)"
How about UXO, for "unexploded object"? After all, the way things are going, it looks like the only thing you guarantee is not a bomb is the thing the bomb squad has already detonated.
Keep in mind that after the Boston incident, this kind of story is "news" and therefore reported wherever it occurs. It doesn't mean that it's happening more often than it used to.
The reason why government gets jumpy about these things is that it is expected to be 100% perfect in keeping people safe from harm. The poor sheep bleat very loudly if they think that they're not protected, regardless of how safe they actually are.
Reminds me of a couple of characters from an SCTV sketch from the 80s. John Candy and Joe Flaherty had a couple of hick characters that like to "Blow things up real good". Security these days is more and more comedy entertainment than anything useful.
My Creative Zen Micro MP3 player has a pretty, bright blue LED border that lights up whenever I press the touch pads for anything.
With that much photonic bling-bling, it's gotta be a bomb! =;o)
/ Enough of this Security Theatre will make everyone's brain into a bomb! =;o)
Yes, Brian, we've heard the apologies from the government and their supporters.
However, the problem is that even the sheep can perceive the issue: if it is known that the police are going to blow up anything they can't explain, we have a wickedly serious problem in the making. Two simple examples:
1. Someone encloses extremely dangerous substances, depending on the cops to disperse it with the explosion. "Just doin' our job!"
2. Alice, angry at Bob, anonymously calls in a bomb threat against Bob's property. The cops come over and blow up a piece of Bob's house in the interests of national security, while Alice sniggers in delight.
Both of these (and many others) follow because the authorities are being predictably stupid. With each detonation, the foolishness becomes more transparent, the threat to everyone increases. Why do the terrorists need to use up a real bomb when the reaction to a fake one is _identical_, and the reaction can be put to even more effective use?
It's time for bomb squads to go back to the job of investigating and only blowing up bombs if, in fact, they are bombs. If this means a few bomb squad members die every now and then in the performance of their duty, well, the job is dangerous, they know it, and are compensated appropriately, no? This is supposedly why they are paid in the first place: to keep us and our property safe, as opposed to (oh, say, just suppose) being blown up. Or is Bob supposed to feel better because the cops blew his house up instead of some 'terrorist'?
... until someone places a glass bottle of VX in a "suspicious" package and the cops blow it up thinking there is no harm."
This is a really, really good point.. if a UBO contains a bio/chem-type weapon - hermetically sealed, to prevent detection by instruments - and the bomb squad sets off a paranoia charge, it would distribute that crud all over.
And while they panic about false bombs, possible bomb materials, possible bomb techniques, the REAL bomb material is still legally available. Were fireworks forbidden in the meantime?
I mean, a medium sized cracker can blow off your hand. Make a shopping tour in the time it is legally sold and buy some hundred kilos of it. With some precautions everybody, you, me, Bruce, can pretty easily build a real bomb that will work...
Time to CYA now and to forbid it now. When it happens, then everybody will say that it was sooooo obvious and soooooo predictable.
But maybe not. I can't remember that anybody has ever mentioned this idea. Please don't blame me for stating the obvious possibilities... ;)
Boy some mediocre responses here (maybe people didnt have their coffee this morning).
@mdf and the person that agreed with him. That's the dumbest movie plot scenario I've heard in my life, and you should be embarrassed.
@people that responded to me that its not free. Someone said that it wasnt free in terms of public opinion. I disagree. Remember, Bush got reelected. Also remember, in Boston, it was the CEO of Cartoon network that resigned, not the police chief or the mayor. If anything, it's a PR bonus, because you can say, hey we take our job seriously, no risk is to small when it comes to the lives of citizens [and kids].
But my point wasn't whether treating everything like a bomb (because there are so few candidates) was bad or not based on public opinion. My point was that if the police blow up one CD player nationwide once every couple weeks, who cares?
Bruce's soapbox is only so big. Why use it to talk about something that isn't going to change, and wouldn't matter if it did?
And no, I don't think police behavior in this regard effects the national mood either, so it's irrelevant in that regard too. So what's the point?
The police tested the third player for fingerprints and DNA? For crying out loud, I've had my residence burgled before with clear fingerprints on the broken window shards and the cops didn't even bother to lift 'em. Guess the police department in question was having a slow week.
Just to underscore the fact that it was the PSNI and not the "Irish police." The Gardaí do stupid things at times, but this one isn't their fault.
"If we're going to think everything weird is a bomb, then the false alarms are going to kill any hope of security."
Well, the Earth is very weird :-)
(See the URL link)
Maybe the accompanying music was da bomb?
I'm also suspicious of Blowfish. There's a pun waiting to happen there ....
Wasn't there a story a few months ago about a road being shutdown for several hours because of a "strange green substance" on the side of the road? They even called out the HazMat teams to clean it up. For those that don't recall, it was just Jello (Jelly for our EU readers)!
I kinda wish I was a pyromaniac. I could get things blown up by proxy without having to lay my hands on explosives myself.
If the bomb squads blows up all things that don't blow themselves up, who blows up the bomb squad?
One of these days someone is going to be killed by a bomb squad detonation charge, and then the circle of irony will be complete.
The problem is that there are too many bomb squads.
If you're a bomb squad, everything looks like a bomb.
Inspector Clouseau gets around quite a bit.
When you're a cop, you never get in trouble for blowing things up...and it's lot's of fun.
"They needed to blow up TWO of them to determine they weren't dangerous?"
The first one didn't make a sufficiently satisfying "ker-PLOW" sound when it went off. Where's the fun in that?
Is that a metronome or is that a BOMB?!
I wonder if our troops in Iraq would call out the bomb squad if they found a CD player taped to a church pew? (There are a few churches there.)
These ideas of the VX in a bottle are foolish - if you have VX you can figure out some way to spread it yourself that is much better than blowing it up by proxy. When cops blow something up they obviously clear the area first. This will just make the death rate of the agent lower than if they did something as simple as mixing(a suicide mix) the VX with hot water in a crowded place or just allowing it to get on surfaces in the area.
However the idea does have merit if the "dangerous" substance was much easier to get/make - pesticides might work for media scare even if the real harm done would probably be low to nothing.
This firecracker = bomb thing is silly. Flashpowder is nothing like real explosives. On the other hand it would probably do some minimal damage and would stir up just as much media coverage/fear as a true explosive. Transportation of that amount of flashpower would not be for the faint of heart and the cost would be rather large - it would be easier to make real explosives.
The idea of DoSing bomb squads is brilliant and rather worring.
As Schneier is always saying security is a cost/benefit trade off - seems a few people here are forgetting this also applies to the attacker in a similar way!(VX and flash powder guys)
I don't believe ideas are of any use, because if reason and intelligence had any relevance to police these things wouldn't happen to begin with.
The best course of action would be to abolish police, but of course the sheeple would never go for it.
Perhaps instead we could replace them all with chimpanzees. I only know of one incident of a chimpanzee attacking an innocent person anywhere in the US in the last ten years, which is a much better record than cops have.
All the news about terror and violence and mayhem and on and on is just lumping more stress in our lives.
The time is now: LEGALIZE MARIJUANA!
Now, the real bombers only need to take a clue from their Palestinian colleagues:
1. Place a real nail-stuffed bomb out on the street, in a place where the evacuated crowd from some "secure" location (like a courthouse or some fed building) is likely to gather.
2. Call in a phony bomb threat.
3. Blow the real bomb using a cell phone when the cops and the bomb squad arrvie and herd everyone out from under protection of solid walls. No need to suicide trying to smuggle the bomb into the guarded area.
Now, if there is someone seriously wanting to kill many people indiscriminately, his job is made easier by these overzealous DHS halfbrains.
The ONLY protection against bombers is to stop being a target . Meaning, let them rot in their dusty hellholes - no need for imposing democracy on them, no need to import them en mass into Europe and US.
One day a nice low-level employee brings a package into the security office. We tell him that the mailroom is down the hall. He tells us, "Yeah, but this is a suspicious package."
So of course he brings it to the place where it would do the most damage!
Two scenarios flash through my head.
1) I evacuate the security control center, call the PD bomb squad, dump the building, have to run the evacuation without the control center and without radios, and generally make a nasty expensive big public stink. Then I have to write the reports.
2) I apply some common sense to the problem. The guy carried the package down here without it blowing up. So I have him gently set it down on the counter, tell the other officers to stay in the control center, and carry the package out to a concrete pad surrounded by a wide grassy area.
On closer examination and application of the suspicious package guidelines, we determined that the package was completely normal.
I narrowly escaped being written up.
People who enjoy excitement and/or feel a need to protect their career ambitions would choose (1) over (2) any time they feel they can.
This also describes most politicians and police command types. Can you really blame them?
This scenario is close to what happened in Omagh, Northern Ireland in 1998 by the "Real IRA"- although, according to the bombers, not intentionally.
Another, more nefarious attack happened near Warrenpoint, Northern Ireland in 1979. The Provisional IRA exploded a roadside bomb when an army convoy passed, and then having analysed British Army responses to prior attacks, blew up a much larger bomb 19 minutes later, in a parking area that the army and emergency services were using to coordinate the rescue.
Northern Ireland has produced some of the most innovative bombings. It makes you wonder what these people could have achieved if they weren't so intent on killing others...
@sean, and Anonymous at 8:36PM on the 23rd:
"@mdf and the person that agreed with him. That's the dumbest movie plot scenario I've heard in my life, and you should be embarrassed."
No.. you should be embarassed - for taking it, and my response, so seriously. Like the guy mentioned about Ireland, you need to laugh it off.. knee-jerk reactions just give the terrorists what they want. Stop jumping, and they'll stop (or at least slow down) on saying "frog."
Of course it's a ridiculous movie-plot scenario.. but as far as irony, it's perfect. Certainly there are more efficient ways to spread a biochem agent.. but the irony and black eyes that would come from the police being responsible, would be massive.
Bruce is the one who started the whole "security theatre" phrase - and I like to write comedy. Find the humor in the center of the bomb. =;o)
The advantage to callling in the bomb squad and blowing up two of the three CD players is that now they have a better case against whoever is caught whenever they are caught. I mean really, a prank is a misdomeanor, but scaring everyone and causing 1000s of dollars of reaction is a felony for sure.
I didn't take is seriously, I posted about 15 words about it on someone's blog online. And you just defended it again! Stop! It's never going to happen! It's a dumb movie plot! It's wildly inefficient for the amout of resources it would take! Just blow it up yourself! Why depend on trained personel not figuring out what's going on, for no gain? Your way is akin to Doctor evil refusing to kill Austin Powers himself, and instead locking him in a room on a lowering platform over a pool of angry sea bass, and then leaving to go do something else. Bad!
Oh and while I'm at it, IANAChemist, but I think when they detonate these things, they use explosives that will genorate enough heat to destroy whatever toxin is in there (generally speaking). I guess simple stuff, like HCN or HF might survive (sarin wouldn't, I don't think), but anyway given the amount that would be there due to density constraints I don't think it would be very dangerous at all.
But I'm actually kind of interested to that answer to that if anyone knows.
The part of this whole situation that I've found disturbing is that the media haven't been asking pointed questions. For example, NPR reported the Lite-Brite Scare but did not conduct interviews asking either the police or Homeland Security to explain why they reacted as they did. Perhaps they have good reasons, perhaps not, but a bit of media focus might help us tell one from the other.
The police would either decline to be interviewed, or if interviewed, would decline to answer questions about their procedures for reacting to bomb-like objects, on the grounds that it would reveal such information to the terrorists.
I think UO for "Unexploded Object" is a better acronym than UXO. You pronounce it "Uh-Oh", as in "There's an uh-oh on my desk that looks like a tape dispenser. What should I do?" Or "I just found this box. I wonder what's in it." Uh-oh.
Yes, fireworks are obvious. When I was a kid in Northern Ireland, only licensed displays had fireworks. You couldn't just buy them.
I saw a thing about gun enthusiasts in the US, and it had a guy making his own ammunition. I found myself wondering what he used as propellant.
When an acquaintance of me was a kid, he and his friends used marbles to shot holes into a glass brick wall. Then they'd put firecrackers into these holes. A furnitured room was on the other side of the glass bricks -- at least before the kaboom. Afterwards, it was a mess.
I was in Atlanta International on Feb 23. Over the intercom and with flashing strobes in the terminal, an announcement with the "red alert" sound said, "An emergency has been reported in the terminal. Please stand by for further instructions while this is verified." At first my heart pounded for a second, then I thought, they provided absolutely no information to act on like (watch for a unattended box) - it would have been better to not alert of anything as their alert was completely useless to everyone in the terminal. Yet another pointless security measure that only insights fear for everyone in the terminal. I wonder if they blew up a cd player.
When this used to happen in the UK, nobody thought it was stupid, because the set of things blown up was reasonably restricted.
For many years, if you left a bag unattended in a UK railway station, especially in London, there was a real danger that it would be taken away and detonated (or, for that matter, the station cleared and it detonated in place). It wouldn't be carefully investigated to see whether it looked like a bomb, or chemically sniffed, or anything, the bomb squad would go through their routine. If it turned out not to be a bomb then I suspect they just figured, "fine, we've had a realistic training exercise".
So, British travellers no longer leave nearly so much luggage unattended in stations as they used to a few decades ago. This makes the job of watching out for suspect packages much easier, because there are far fewer initial suspects. Of course, the risk of losing your luggage through theft is probably more of a factor than the risk of shutting down the entire station *and* losing your luggage, but the fact remains that the bomb squads made their point quite succinctly and effectively.
It's probably not practical to prevent everyone in the US from taping CD players to the undersides of church pews, so this case makes the bomb squad look a bit silly. But who knows: maybe it is practical. Maybe in ten years time, leaving unidentified boxes lying around will be as socially unacceptable as shouting "fire" in a crowded theatre, and these kinds of false alarms will remain rare (one a week in the US is, I contend, "rare"). I think it depends in part on whether, in ten years time, we're still irrationally afraid of bombs.
"These ideas of the VX in a bottle are foolish - if you have VX you can figure out some way to spread it yourself that is much better than blowing it up by proxy."
Ahem. The target in all of these cases are not any potential victims (be they people, or at least in the VX case, otherwise useful property), but the instrument of security itself. If you can't trust the tool, and so on.
Being predictable in the face of an enemy is Just. Plain. Utterly. Stupid. Beyond. Comprehension.
Imagine the panic if the police ran across a device that actually said: "This device will self-destruct in 5 seconds".
Wasn't somethig similar done in Isreal quite some time ago?
"I saw a thing about gun enthusiasts in the US, and it had a guy making his own ammunition. I found myself wondering what he used as propellant."
Gunpowder. Reloaders buy all the components in bulk--gunpowder, brass, primers, and bullets. Some of them even melt down lead and cast their own bullets.
Keep in mind that modern gunpowder is not an explosive--it just burns really fast.
I think a lot of this can be accounted for by the fact that bomb squad guys like blowing stuff up. And they get to do it more often these days. I thought the same thing reading that. They didn't really think they were bombs. But can you really say given the chance to do so you wouldn't blow up a couple of CD players? Or maybe it's just me
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..