Copycats

It's called "splash-and-grab," and it's a new way to rob convenience stores. Two guys walk into a store, and one comes up to the counter with a cup of hot coffee or cocoa. He pays for it, and when the clerk opens the cash drawer, he throws the coffee in the clerk's face. The other one grabs the cash drawer, and they both run.

Crimes never change, but tactics do. This tactic is new; someone just invented it. But now that it's in the news, copycats are repeating the trick. There have been at least 19 such robberies in Delaware, Pennsylvania and New Jersey. (Some arrests have been made since then.)

Here's another example: On Nov. 24, 1971, someone with the alias Dan Cooper invented a new way to hijack an aircraft. Claiming he had a bomb, he forced a plane to land and then exchanged the passengers and flight attendants for $200,000 and four parachutes. (I leave it as an exercise for the reader to explain why asking for more than one parachute is critical to the plan's success.) Taking off again, he told the pilots to fly to 10,000 feet. He then lowered the plane's back stairs and parachuted away. He was never caught, and the FBI still doesn't know who he is or whether he survived.

After this story hit the press, there was an epidemic of copycat attacks. In 31 hijackings the following year, half of the hijackers demanded parachutes. It got so bad that the FAA required Boeing to install a special latch -- the Cooper Vane -- on the back staircases of its 727s so they couldn't be lowered in the air.

The internet is filled with copycats. Green-card lawyers invented spam; now everyone does it. Other people invented phishing, pharming, spear phishing. The virus, the worm, the Trojan: It's hard to believe that these ubiquitous internet attack tactics were, until comparatively recently, tactics that no one had thought of.

Most attackers are copycats. They aren't clever enough to invent a new way to rob a convenience store, use the web to steal money, or hijack an airplane. They try the same attacks again and again, or read about a new attack in the newspaper and decide they can try it, too.

In combating threats, it makes sense to focus on copycats when there is a population of people already willing to commit the crime, who will migrate to a new tactic once it has been demonstrated to be successful. In instances where there aren't many attacks or attackers, and they're smarter -- al-Qaida-style terrorism comes to mind -- focusing on copycats is less effective because the bad guys will respond by modifying their attacks accordingly.

Compare that to suicide bombings in Israel, which are mostly copycat attacks. The authorities basically know what a suicide bombing looks like, and do a pretty good job defending against the particular tactics they tend to see again and again. It's still an arms race, but there is a lot of security gained by defending against copycats.

But even so, it's important to understand which aspect of the crime will be adopted by copycats. Splash-and-grab crimes have nothing to do with convenience stores; copycats can target any store where hot coffee is easily available and there is only one clerk on duty. And the tactic doesn't necessarily need coffee; one copycat used bleach. The new idea is to throw something painful and damaging in a clerk's face, grab the valuables and run.

Similarly, when a suicide bomber blows up a restaurant in Israel, the authorities don't automatically assume the copycats will attack other restaurants. They focus on the particulars of the bomb, the triggering mechanism and the way the bomber arrived at his target. Those are the tactics that copycats will repeat. The next target may be a theater or a hotel or any other crowded location.

The lesson for counterterrorism in America: Stay flexible. We're not threatened by a bunch of copycats, so we're best off expending effort on security measures that will work regardless of the tactics or the targets: intelligence, investigation and emergency response. By focusing too much on specifics -- what the terrorists did last time -- we're wasting valuable resources that could be used to keep us safer.

This essay originally appeared on Wired.com.

Posted on March 8, 2007 at 3:23 PM • 41 Comments

Comments

too stupid to think for myself • March 8, 2007 3:52 PM

Is it possible that defenders are also guilty of being "copy-cat" defenders, so we need someone clever enough to find an effective defense so everyone else can copy it? Yes, we can be flexible; we can put up as many variations of the same thing as required. BTW, love your writing; we take ourselves far too seriously sometimes.

Israel Torres • March 8, 2007 4:08 PM

Copy-cats also evolve their tactics when the original-cat's failures are noted.

(Kind of like they do in virus-land)

Israel Torres

Guillermito • March 8, 2007 4:17 PM

If he asked only for one parachute, the authorities would guess that he would use it himself. So they would give him a malfunctioning device. They cannot do that if they think he will force hostages to jump with him.

A smart guy indeed, this Mr Cooper :)

Alan • March 8, 2007 4:18 PM

I expect that the Terrorists(tm) are also doing cost-benefit analysis of attacks. "If we attack with this strategy, then they will spend x dollars defending against another attack using the same method, but if we attack this other way, they will spend more." Since the cops jump at shadows, it does not even have to be a realistic or workable attack. All it has to do is seem plausible to the most paranoid person in authority. Defending against attacks costs money. Defending against paranoid fantasies costs even more, not only in cash, but in reputation. How many people are going to believe the Boston Police Department that a threat is real after the last two incidents? Not many, I would guess.

mikeq • March 8, 2007 5:45 PM

Could original criminals patent their schemes and collect royalties from the copy-cat criminals?

sooth_sayer • March 8, 2007 5:57 PM

Bruce,
What's going on here ?
I agree with your conclusion in your last para, but you jumbled your own argument midstream with Al-Qaida not being copycats and will modify their methods while suicide bombers won't.

Suicide bombers "have" repeatedly changed tactics; using younger boys and even girls and they do get through when they try it.
Israeli security is a myth, they use brute force in their approach and have little regard for rights of "suspects".
If the frequency is less it's only because their sugar-daddy was found at the end of the noose a few months ago. (Saddam used to pay $25K each for them)

And how did you conclude that suicide bombers in Israel are "very" different than 9/11 hijackers?
I can't even start to list the problems with this viewpoint.

Is it an effect of too much writing or just believing that everything that comes out of your fingers is just right?

Frank Ch. Eigler • March 8, 2007 7:08 PM

> The lesson for counterterrorism in America: Stay flexible.

Good advice, though kind of obvious.

> We're not threatened by a bunch of copycats

How did you arrive at this "fact"? Could it be because of responsive screening procedures that aim to preempt reoccurrences of past attempts? In other words, do you turn out to be "right" in this, but only because of all that new screening that you still believe is wrong?

edco • March 8, 2007 8:23 PM

I don't agree that it is a good idea to ignore "copycats" because most "new" ideas are really not completely new, no matter what field you are in. The people that come up with the new ideas have usually taken a good amount of time to understand the current ideas and the concepts (or exploits) behind them, and then they think just a little bit harder and come up with a "new" idea. I argue that in order to defend against the terrorists with "new" ideas, we should do exactly the same thing as they do, in terms of thinking pattern, and hope that with enough brains working, our set of "new" ideas will include theirs.

nbk2000 • March 8, 2007 11:04 PM

'Splash n' Grab' isn't new.

It was old when I worked convenience stores back in '00.

Had a co-worker get robbed this way in '02. The 'african-american' robber threw scalding hot coffee on him, giving him 2nd and 3rd degree burns on his face and upper-chest, and permanently blinding him in one eye.

The robber got all of $40...adequate compensation for the life sentence the jury gave him for maiming the clerk. :p

Anonymous • March 9, 2007 1:22 AM

sooth_sayer: If you want to be taken seriously please put some content in your posts, and use a dictionary next time you write a pointless rant.

The one you wrote establishes nothing, except that you slept through English class, and lack even the slightest traces of logic.

Anton • March 9, 2007 2:21 AM

Like Scott mentioned before, this is not a new method. Instead it appears they are copying a method made widely known by the TV series The Shield already a couple of years back. I find it likely that this has been around for longer than that though.

Gerg • March 9, 2007 2:52 AM

I'm pretty sure the hot coffee thing isn't new. Not that that changes anything.

yoowan • March 9, 2007 2:55 AM

An obvious solution would be to serve COLD coffee thus thwarting the criminals...although they might bring a thermos as backup...

Craig • March 9, 2007 3:30 AM

Off-topic:
When Canter & Siegel cut loose on Usenet, the ISP they used was also my ISP. I couldn't connect (dialup) for at least four days after their original spam.

bartl • March 9, 2007 6:26 AM

About Cooper's parachutes: my first thought was that he was trying to prevent anybody from jumping after him, and staying on his tail. But I like the idea I've read in another comment, that he may have been trying to avoid getting a sabotaged parachute.

Marinus van Aswegen • March 9, 2007 7:53 AM

We have the same problem here in South Africa.

"A wave of attacks on cash machines by gangs armed with dynamite has struck further fear into South Africans already dealing with sky-high crime rates, authorities said on Friday. Robbers who blew their way into an Absa ATM in the latest attack on Thursday on the outskirts of Johannesburg made off with thousands of rands in the 69th such raid on ATMs this year."

http://www.mg.co.za/articlepage.aspx?area=/...

arl • March 9, 2007 9:06 AM

Strange, today we worry about copy-cat attacks yet not so long ago we wailed over shoe inspections.

sooth_sayer • March 9, 2007 9:14 AM

@Anonymous -- who's too afraid to have a name

If my "rant" was pointless why did it raise your dander?
Oh .. I think I know, but love to hear your "logic".

Matthew • March 9, 2007 10:26 AM

He asked for 4 parachutes not 2. There were 2 pilots and a stewardess who were with him when the plane took off again. If the authorities thought that everyone was going to be jumping out of the aircraft, then they would not give him a faulty parachute.

Anonymous • March 9, 2007 11:05 AM

They gave him two REGULAR parachutes and two BACKUP parachutes. So he had parachutes for TWO people.
He cut up the second regular parachute and used the lines to tie the bag with the money to his body.

Fenris Fox • March 9, 2007 1:55 PM

My favorite copycat is still from that Kinkos commercial - where an actual cat was using his paws on paper, with paint on them:

"He's a Copy Cat! He's gonna save us a boatload on color copies." =:o)

Bill • March 9, 2007 2:24 PM

"Had a co-worker get robbed this way in '02. The 'african-american' robber threw scalding hot coffee on him, giving him 2nd and 3rd degree burns on his face and upper-chest, and permanently blinding him in one eye."
__________________
African-americans, that's one group security specialists should target for elimination.

jammit • March 9, 2007 2:25 PM

/Way/ off topic:
Isn't spamming a site known for being visited by cryptographers and computer security experts (both black and white hats) a real bad idea? Perhaps Mr. Schneier could post all logs and other pertinent information about the spammers.

A little closer to topic:
Splash and grab doesn't seem new to me. It looks like a different implementation of smash and grab, or pepper spray and grab, or wave a gun around and grab. It works by giving the victim a "choice" between the lesser of two evils.

Matthew Skala • March 9, 2007 8:21 PM

The selection of which site to spam is almost certainly being done by a bot, which doesn't know anything in particular about the clientele of this particular site. It most likely isn't even targeting any particular Web logging software - just sites with things that look like comment forms on them.

I get thousands of spam attempts on my own site that are clearly from bots looking for substrings like "bbs" and "phpbb" in the URLs of pages with POST forms on them; then they submit to the POST form with spam in every field, in the hope it might result in a posting. It doesn't - but the mere traffic of failed attempts is enough to be a problem.

Used to jump • March 9, 2007 9:56 PM

Order more than one parachute, and you can pop one open to make sure you got less than 100% bad parachutes, and to get some confidence that the rest might be OK.

Rumors around the drop zone were that the authorities ran in and grabbed whatever they could find, including one dummy rig used for on-the-ground training. So it wasn't a wasted precaution if that was true (and the person I heard it from was one of the worst liars I ever met).

Fenris Fox • March 10, 2007 7:27 AM

@jammit, Matthew Skala

Yeah, it's definitely dumb bots.. they seem to hit popular and obscure, high-skill and mundane sites without judgement.

One of my blogs - certainly not the most popular stop on the world-wide spider web - got hit by spammers. As a result, I ended up turning on Captchas.

I certainly understand why Mr. Schneier isn't using Captchas - they can be annoying as hell. But.. if the bots can make it to my blogs, they can make it anywhere. =xoD

In the grand scheme of things, however, I must say that the total proportion of comment spam is actually pretty low on this blog.

Watching Them, Watching Us • March 11, 2007 3:51 PM

In the United Kingdom, back in the 1960's and 1970's, the favoured method of robbing Armoured Security Van deliveries or pick ups of Cash to retail Bank premises, involved spraying a solution of Ammonium Hydroxide (easily available as a cleaning solvent) into the faces of the Security Guards.

If you ever witness a cash delivery or pick up involving such vans these days, you will see that the Security Guards all wear helmets with polycarbonate face visors to protect against such attacks.

There is a difference between Copycat attacks and Independent Re-Invention of the Wheel.

Here in the UK there has been some recent media publicity about the ongoing crime of burglaries of domestic houses, where nothing is taken except for the car keys of the expensive vehicle in the garage or driveway of the house, which is subsequently then stolen.

In some cases the thieves have used a fishing rod arrangement to steal the keys via the letter box slot, which have been left conveniently in the hallway near the front door.

Is this a novel idea? The technique of "hooking" valuables from town houses whilst the owners were asleep on the premises is recorded as far back as the Middle Ages in William Caxton's time, and possibly also in Roman times as well.

How about a modern "high tech" crime, like feeding false information into a national telecommunications network which results in a false rumour, which is exploited financially on the Stock Market, to ruin a personal enemy?

This is part of the plot of Alexander Dumas's novel "The Count of Monte Cristo", published in 1844, where a Semaphore operator is bribed to falsely pass on a message about a war / revolution in Spain, which is exploited to financial advantage on the Paris Stock Exchange.

Juhana Siren • March 11, 2007 5:08 PM

This belongs to an old and well-defined class of attack: distract-and-steal. The victim is distracted by a minor "accident" or sensory load, such as a verbal conflict, while the theft takes place unnoticed. It's been practiced by pickpockets for ages. Read your Dickens!

Anyways, when evaluating security risks and countermeasures, it's always beneficial to recognize broader categories of attacks and vulnerabilities, since it makes it easier to spot patterns (something that the brain is particularly good at) and find errors before they have a chance to inflict damage.

Fritz • March 13, 2007 5:55 PM

My personal recollection is that the first Usenet spam (and called such) was from a student at a 7th Day Adventist college telling us Jesus is coming soon. That one occurred over a holiday (Christmas?), but the Andrews University sysadmins were able to eventually cut it off and apologized profusely to everyone on the 'Net. The Green Card Lottery followed afterwards, but they gained their notoriety from their lack of contrition. I believe the Green Card Lottery was also the very first commercial spam.

Tom Breton • March 16, 2007 6:14 PM

Bruce: The green-card lawyers (Lawrence Canter and Martha Siegel) were not the first spammers. Usenet had been dealing with occasional spam for some time. I understand from Brad Templeton that the first Internet spam was actually in the 70's.

If the lawyers were the first to do anything, it was to try to override their ISP's wishes and get their spam thru. They did this by changing ISPs and respamming - a heavily copied tactic - and by suing their final ISP, Internet Direct, and its sysadmin, Jeff Wheelhouse. Maybe they figured they could make ID let them keep spamming, but AIUI, all they actually accomplished was to make ID give them their (as they thought) customers' communications, which is to say, about 30,000 complaints.

Before them, the typical spam situation went like this:

Some bozo would feel that his Very Very Important message should be read by everybody so he'd post it everywhere. We'd all email his sysadmin - politely for the most part, believe it or not these days - who would cancel the messages and spank the miscreant, and that was that.

After Canter & Siegel, it was basically war, and has remained so ever since.

Hendrik Boom • December 22, 2008 8:29 AM

Splash and grab doesn't seem new to me. It looks like a different implementation of smash and grab, or pepper spray and grab, or wave a gun around and grab. It works by giving the victim a "choice" between the lesser of two evils.

wave a gun around and grab gives the victim a "choice". The others you mention don't.
