Schneier on Security
A blog covering security and security technology.
November 2007 Archives
Someone drove a truck through the front gate of the Guinness brewery in Dublin, loaded the trailer with 450 kegs of beer, and drove out the gate. Security presumed it was just another legitimate contractor coming to pick up beer for distribution, and ignored him.
Moral: look like you belong.
EDITED TO ADD (12/5): Looks like they were caught before they drank all the beer.
The lead paragraphs:
The plot was like something from a Hollywood blockbuster: dozens of foreign terrorists working with a Mexican drug cartel to attack a Southern Arizona Army post with anti-tank missiles and grenade launchers.
But (no surprise):
But the plot, widely reported by local stations and national TV networks and The Washington Times, turned out to be nothing more than fiction, an FBI spokesman said Monday.
Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.
For the record, here's how to choose a secure password:
So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.
EDITED TO ADD (12/5): Note that I am not actually accusing them of harvesting passwords, only pointing out that you could harvest passwords that way.
In the UK:
In early November about 30 animal rights activists are understood to have received letters from the Crown Prosecution Service in Hampshire inviting them to provide passwords that will decrypt material held on seized computers.
Actually, we don't know if the activists actually handed the police their encryption keys yet. More about the law here.
If you remember, this was sold to the public as essential for fighting terrorism. It's already being misused.
I've been saying this for a while now:
Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention and determination to combat the cyberthreat, a Mercury News investigation reveals.
Unlike police, firefighters and emergency medical personnel don't need warrants to access hundreds of thousands of homes and buildings each year, putting them in a position to spot behavior that could indicate terrorist activity or planning.
Because it's such a good idea for people to start fearing firefighters....
"Practical Aspects of Modern Cryptography," taught by Josh Benaloh, Brian LaMacchia, and John Manferdelli at the University of Washington. The page includes links to lecture notes and video of the classes.
I don't know why anyone is surprised that investigators were able to smuggle things through airport security. Anyone who flies regularly could have told you that.
I didn't write about this story at first because we've seen it so many times before: a disk with lots of personal information is lost. Encryption is the simple and obvious solution, and that's the end of it.
But the UK's loss of 25 million child benefit records -- including dates of birth, addresses, bank account information, and national insurance numbers -- is turning into a privacy disaster, threatening to derail plans for a national ID card.
Why is it such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There's already a larger debate on the issue of a database on kids that this feeds into. And it's a demonstration of government incompetence (think Hurricane Katrina).
In any case, this issue isn't going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More is certainly coming.
And this is an easy security problem to solve! Disk and file encryption software is cheap, easy to use, and effective.
Excellent article by John Tehranian: "Infringement Nation: Copyright Reform and the Law/Norm Gap":
By the end of the day, John has infringed the copyrights of twenty emails, three legal articles, an architectural rendering, a poem, five photographs, an animated character, a musical composition, a painting, and fifty notes and drawings. All told, he has committed at least eighty-three acts of infringement and faces liability in the amount of $12.45 million (to say nothing of potential criminal charges). There is nothing particularly extraordinary about John’s activities. Yet if copyright holders were inclined to enforce their rights to the maximum extent allowed by law, he would be indisputably liable for a mind-boggling $4.544 billion in potential damages each year. And, surprisingly, he has not even committed a single act of infringement through P2P file sharing. Such an outcome flies in the face of our basic sense of justice. Indeed, one must either irrationally conclude that John is a criminal infringer -- a veritable grand larcenist -- or blithely surmise that copyright law must not mean what it appears to say. Something is clearly amiss. Moreover, the troublesome gap between copyright law and norms has grown only wider in recent years.
The point of the article is how, simply by acting normally, all of us are technically lawbreakers many times over every day. When laws are this far outside the social norms, it's time to change them.
It's in Portuguese, but the photo is good.
EDITED TO ADD (11/23): Title corrected.
...I thought it would be interesting to find out the account password. Wordpress stores raw MD5 hashes in the user database.... As with any respectable hash function, it is believed to be computationally infeasible to discover the input of MD5 from an output. Instead, someone would have to try out all possible inputs until the correct output is discovered.
Makes no sense:
Passengers at Liverpool's Lime Street station face airport-style searches and bag-screening, under swingeing new anti-terror measures unveiled yesterday.
Of course, less busy train stations are only a few minutes away by car.
No two-person control or complicated safety features: until 1998, you could arm British nukes with a bicycle lock key.
To arm the weapons you just open a panel held by two captive screws -- like a battery cover on a radio -- using a thumbnail or a coin.
Certainly most of the security was procedural. But still....
The "War on the Unexpected" is being fought everywhere.
Bouncers kicked a Melbourne man out of a Cairns pub after paranoid patrons complained that he was reading a book called The Unknown Terrorist.
At the U.S. border with Canada:
A Canadian firetruck responding with lights and sirens to a weekend fire in Rouses Point, New York, was stopped at the U.S. border for about eight minutes, U.S. border officials said Tuesday.
In the UK:
A man who had gone into a diabetic coma on a bus in Leeds was shot twice with a Taser gun by police who feared he may have been a security threat.
A powdered substance that led to a baggage claim being shut down for nearly six hours at the Portland International Jetport was a mixture of flour and sugar, airport officials said Thursday.
Fear is winning. Refuse to be terrorized, people.
I don't know if this story is true:
Portable hard discs sold locally and produced by US disk-drive manufacturer Seagate Technology have been found to carry Trojan horse viruses that automatically upload to Beijing Web sites anything the computer user saves on the hard disc, the Investigation Bureau said.
EDITED TO ADD (12/14): A first-hand account.
A 2003 "Camp Delta Standard Operating Procedures" manual has been leaked to the Internet. This is the same manual that the ACLU has unsuccessfully sued the government to get a copy of. Others can debate the legality of some of the procedures; I'm interested in comments about the security.
See, for example, this quote on page 27.3:
(b) Upon arrival will enter the gate by entering the number (1998) in the combination lock
The idea is simple: prevent the machine from completing an action and place it in an error state, and then exploit that state. In this instance, the hacker prevents the machine from dispensing the drink bottle. The machine refunds the money, but the bottle stays on the conveyor belt. Then the hacker purchases a second bottle, and receives them both.
The World War II factoring machine, Colossus, is back online.
I previously wrote about Dan Egerstad, a security researcher who ran a Tor anonymity network and was able to sniff some pretty impressive usernames and passwords.
Swedish police arrested him:
About 9am Egerstad walked downstairs to move his car when he was accosted by the officers in a scene "taken out of a bad movie", he said in an email interview.
No charges have been filed. I'm not sure there's anything wrong with what he did.
Here's a good article on what he did; it was published just before the arrest.
The case is clearly a major embarrassment for both the FBI and CIA and has already raised a host of questions. Chief among them: how did an illegal alien from Lebanon who was working as a waitress at a shish kabob restaurant in Detroit manage to slip through extensive security background checks, including polygraphs, to land highly sensitive positions with the nation's top law enforcement and intelligence agencies?
Here's another article.
Dan Bernstein wrote an interesting paper on the security lessons he's learned from qmail.
My views of security have become increasingly ruthless over the years. I see a huge amount of money and effort being invested in security, and I have become convinced that most of that money and effort is being wasted. Most "security" efforts are designed to stop yesterday's attacks but fail completely to stop tomorrow's attacks and are of no use in building invulnerable software. These efforts are a distraction from work that does have long-term value.
Very interesting stuff, some counter to conventional security wisdom.
I have become convinced that this "principle of least privilege" is fundamentally wrong. Minimizing privilege might reduce the damage done by some security holes but almost never fixes the holes. Minimizing privilege is not the same as minimizing the amount of trusted code, does not have the same benefits as minimizing the amount of trusted code, and does not move us any closer to a secure computer system.
From the AP:
...government experts and intelligence officials say such a threat gets vastly more attention than it deserves. These officials said a true suitcase nuke would be highly complex to produce, require significant upkeep and cost a small fortune.
Interesting technical details in the article.
Here's the story.
Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.
Generating random numbers isn't easy, and researchers have discovered lots of problems and attacks over the years. A recent paper found a flaw in the Windows 2000 random-number generator. Another paper found flaws in the Linux random-number generator. Back in 1996, an early version of SSL was broken because of flaws in its random-number generator. With John Kelsey and Niels Ferguson in 1999, I co-authored Yarrow, a random-number generator based on our own cryptanalysis work. I improved this design four years later -- and renamed it Fortuna -- in the book Practical Cryptography, which I co-authored with Ferguson.
The U.S. government released a new official standard for random-number generators this year, and it will likely be followed by software and hardware developers around the world. Called NIST Special Publication 800-90 (.pdf), the 130-page document contains four different approved techniques, called DRBGs, or "Deterministic Random Bit Generators." All four are based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. It's smart cryptographic design to use only a few well-trusted cryptographic primitives, so building a random-number generator out of existing parts is a good thing.
But one of those generators -- the one based on elliptic curves -- is not like the others. Called Dual_EC_DRBG, not only is it a mouthful to say, it's also three orders of magnitude slower than its peers. It's in the standard only because it's been championed by the NSA, which first proposed it years ago in a related standardization project at the American National Standards Institute.
The NSA has always been intimately involved in U.S. cryptography standards -- it is, after all, expert in making and breaking secret codes. So the agency's participation in the NIST (the U.S. Commerce Department's National Institute of Standards and Technology) standard is not sinister in itself. It's only when you look under the hood at the NSA's contribution that questions arise.
Problems with Dual_EC_DRBG were first described in early 2006. The math is complicated, but the general point is that the random numbers it produces have a small bias. The problem isn't large enough to make the algorithm unusable -- and Appendix E of the NIST standard describes an optional work-around to avoid the issue -- but it's cause for concern. Cryptographers are a conservative bunch: We don't like to use algorithms that have even a whiff of a problem.
But today there's an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation (.pdf) at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor.
This is how it works: There are a bunch of constants -- fixed numbers -- in the standard used to define the algorithm's elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.
What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.
The researchers don't know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.
Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC_DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.
We don't know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there's no way for NIST -- or anyone else -- to prove otherwise.
This is scary stuff indeed.
Even if no one knows the secret numbers, the fact that the backdoor is present makes Dual_EC_DRBG very fragile. If someone were to solve just one instance of the algorithm's elliptic-curve problem, he would effectively have the keys to the kingdom. He could then use it for whatever nefarious purpose he wanted. Or he could publish his result, and render every implementation of the random-number generator completely insecure.
It's possible to implement Dual_EC_DRBG in such a way as to protect it against this backdoor, by generating new constants with another secure random-number generator and then publishing the seed. This method is even in the NIST document, in Appendix A. But the procedure is optional, and my guess is that most implementations of the Dual_EC_DRBG won't bother.
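The relationship between published constants and a secret number, and the regenerated-constants safeguard just mentioned, can be seen in a toy model. This is an added example, not code from the essay, the Shumow-Ferguson presentation or the NIST document. It assumes the secp256k1 curve in place of the standard's curve, constants constructed on the spot, a SHA-256 seed-to-point derivation that is a simplification rather than the Appendix A procedure, and 8 dropped bits per block instead of 16.

```python
import hashlib

# Toy Dual_EC-style generator. Assumptions: secp256k1 stands in for the
# standard's curve, every constant is constructed here, and only 8 bits are
# dropped per block (the standard drops 16) so the search finishes quickly.
P_FIELD = 2**256 - 2**32 - 977          # field prime; curve is y^2 = x^3 + 7
DROP_BITS = 8
OUT_BITS = 256 - DROP_BITS
MASK = (1 << OUT_BITS) - 1

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    if x >= P_FIELD:
        return None
    v = (pow(x, 3, P_FIELD) + 7) % P_FIELD
    y = pow(v, (P_FIELD + 1) // 4, P_FIELD)   # square root works: p % 4 == 3
    return (x, y) if y * y % P_FIELD == v else None

def point_from_seed(seed):
    """Derive a point from a published seed so anyone can re-run the derivation."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(digest, "big"))
        if pt is not None:
            return pt
        counter += 1

def unexplained_constants(d):
    """Designer's view: choose Q, compute P = d*Q, publish (P, Q), keep d."""
    q = point_from_seed(b"constructed Q")
    return mul(d, q), q

def verifiable_constants(seed_p, seed_q):
    """Safeguard: both constants come from published seeds, no d is produced."""
    return point_from_seed(seed_p), point_from_seed(seed_q)

class ToyDualEC:
    def __init__(self, seed, p_pt, q_pt):
        self.s, self.p_pt, self.q_pt = seed, p_pt, q_pt

    def next_block(self):
        self.s = mul(self.s, self.p_pt)[0]        # s_i = x(s_{i-1} * P)
        return mul(self.s, self.q_pt)[0] & MASK   # truncated x(s_i * Q)

def predict_third_block(d, p_pt, q_pt, block1, block2):
    """What the holder of d learns from two observed output blocks."""
    for hi in range(1 << DROP_BITS):              # guess the dropped bits
        r_pt = lift_x((hi << OUT_BITS) | block1)  # candidate for +/- s_1 * Q
        if r_pt is None:
            continue
        s2 = mul(d, r_pt)[0]                      # x(d * s_1 * Q) = x(s_1 * P)
        if mul(s2, q_pt)[0] & MASK == block2:     # guess reproduces block 2
            s3 = mul(s2, p_pt)[0]
            return mul(s3, q_pt)[0] & MASK
    return None

if __name__ == "__main__":
    d = int.from_bytes(hashlib.sha256(b"constructed secret d").digest(), "big")
    for label, (p_pt, q_pt) in (
        ("unexplained", unexplained_constants(d)),
        ("verifiable", verifiable_constants(b"seed for P", b"seed for Q")),
    ):
        gen = ToyDualEC(0xA11CE5EED, p_pt, q_pt)
        b1, b2, b3 = gen.next_block(), gen.next_block(), gen.next_block()
        print(label, "constants: third block predicted =",
              predict_third_block(d, p_pt, q_pt, b1, b2) == b3)
```

With the unexplained pair the third block is predicted from the first two; with the seed-derived pair the same secret number yields nothing, because no relation between the two points was ever computed.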
If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.
My recommendation, if you're in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances. If you have to use something in SP 800-90, use CTR_DRBG or Hash_DRBG.
In the meantime, both NIST and the NSA have some explaining to do.
This essay originally appeared on Wired.com.
I'm not sure what qualifies a site for being illuminated, but here's a listing of past sites of the week.
This kind of thinking can do enormous damage to a free society:
As Congress debates new rules for government eavesdropping, a top intelligence official says it is time that people in the United States change their definition of privacy.
Anonymity, privacy, and security are intertwined; you can't just separate them out like that. And privacy isn't opposed to security; privacy is part of security. And the value of privacy in a free society is enormous.
Malcolm Gladwell makes a convincing case that criminal profiling is nothing more than a "cold reading" magic trick.
A few years ago, Alison went back to the case of the teacher who was murdered on the roof of her building in the Bronx. He wanted to know why, if the F.B.I.'s approach to criminal profiling was based on such simplistic psychology, it continues to have such a sterling reputation. The answer, he suspected, lay in the way the profiles were written, and, sure enough, when he broke down the rooftop-killer analysis, sentence by sentence, he found that it was so full of unverifiable and contradictory and ambiguous language that it could support virtually any interpretation.
Stoddart told inquiry Commissioner John Major she is concerned that people could be placed on the list in error and face dire consequences if their identities are then disclosed to the RCMP or passed on to police agencies in other countries.
Okay, so it was a stupid (and dangerous) stunt:
A 17-year-old Hopewell High student was apparently acting on a dare when he did a fly-over prank at a Hopewell High football game Friday, at one point dipping below the stadium lights.
But this is just funny:
"My immediate reaction was that we were going to have a terrorist act of some sort," said Vincent "Bud" Cesena, head of CMS law enforcement, who was among the 4,000 people in the stands.
Yeah, because the terrorists are going to target high-school football games.
Interesting and thoughtful article about suicide attacks in the online video game Halo 3:
Whenever I find myself under attack by a wildly superior player, I stop trying to duck and avoid their fire. Instead, I turn around and run straight at them. I know that by doing so, I'm only making it easier for them to shoot me -- and thus I'm marching straight into the jaws of death. Indeed, I can usually see my health meter rapidly shrinking to zero.
The biggest problems in discussing cyberwar are the definitions. The things most often described as cyberwar are really cyberterrorism, and the things most often described as cyberterrorism are more like cybercrime, cybervandalism or cyberhooliganism--or maybe cyberespionage.
At first glance there's nothing new about these terms except the "cyber" prefix. War, terrorism, crime and vandalism are old concepts. What's new is the domain; it's the same old stuff occurring in a new arena. But because cyberspace is different, there are differences worth considering.
Of course, the terms overlap. Although the goals are different, many tactics used by armies, terrorists and criminals are the same. Just as they use guns and bombs, they can use cyberattacks. And just as every shooting is not necessarily an act of war, every successful Internet attack, no matter how deadly, is not necessarily an act of cyberwar. A cyberattack that shuts down the power grid might be part of a cyberwar campaign, but it also might be an act of cyberterrorism, cybercrime or even--if done by some 14-year-old who doesn't really understand what he's doing--cyberhooliganism. Which it is depends on the attacker's motivations and the surrounding circumstances--just as in the real world.
For it to be cyberwar, it must first be war. In the 21st century, war will inevitably include cyberwar. Just as war moved into the air with the development of kites, balloons and aircraft, and into space with satellites and ballistic missiles, war will move into cyberspace with the development of specialized weapons, tactics and defenses.
I have no doubt that smarter and better-funded militaries are planning for cyberwar. They have Internet attack tools: denial-of-service tools; exploits that would allow military intelligence to penetrate military systems; viruses and worms similar to what we see now, but perhaps country- or network-specific; and Trojans that eavesdrop on networks, disrupt operations, or allow an attacker to penetrate other networks. I believe militaries know of vulnerabilities in operating systems, generic or custom military applications, and code to exploit those vulnerabilities. It would be irresponsible for them not to.
The most obvious attack is the disabling of large parts of the Internet, although in the absence of global war, I doubt a military would do so; the Internet is too useful an asset and too large a part of the world economy. More interesting is whether militaries would disable national pieces of it. For a surgical approach, we can imagine a cyberattack against a military headquarters, or networks handling logistical information.
Destruction is the last thing a military wants to accomplish with a communications network. A military only wants to shut down an enemy's network if it isn't acquiring useful information. The best thing is to infiltrate enemy computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate. The next best thing is to passively eavesdrop. After that, perform traffic analysis: analyze the characteristics of communications. Only if a military can't do any of this would it consider shutting the thing down. Or if, as sometimes but rarely happens, the benefits of completely denying the enemy the communications channel outweigh the advantages of eavesdropping on it.
Cyberwar is certainly not a myth. But you haven't seen it yet, despite the attacks on Estonia. Cyberwar is warfare in cyberspace. And warfare involves massive death and destruction. When you see it, you'll know it.
This is the second half of a point/counterpoint with Marcus Ranum; it appeared in the November issue of Information Security Magazine. Marcus's half is here.
I wrote a longer essay on cyberwar here.
This squid has a light-producing organ on its underside powered by luminescent bacteria, possibly making it less noticeable from below.
I spoke at the Educause conference this year in Seattle. There's a podcast and video of my talk available ("Ten Trends of Information Security"; I've given the talk before) as well as a podcast of an interview with me.
Funny: from The New Yorker.
At least that's what they said two weeks ago:
On Sunday, Nov. 11, al Qaeda's electronic experts will start attacking Western, Jewish, Israeli, Muslim apostate and Shiite Web sites. On Day One, they will test their skills against 15 targeted sites and expand the operation from day to day thereafter until hundreds of thousands of Islamist hackers are in action against untold numbers of anti-Muslim sites.
I think this is nonsense. We'll see who's right next week.
This is a very moving story about a foreign tourist being removed from a train for taking pictures:
The train is a half hour west of New Haven when the conductor, having finished her original rounds, reappears. She moves down the aisle, looks, stops between our seats, faces the person taking pictures. "Sir, in the interest of national security, we do not allow pictures to be taken of or from this train." He starts, "I……." but, without English, his response trails off into silence. The conductor, speaking louder, forcefully: "Sir, I will confiscate that camera if you don’t put it away." Again, little response. "Sir, this is a security matter! We cannot allow pictures." She turns away abruptly and, as she moves down the aisle, calls over her shoulder, in a very loud voice, "Put. It. Away!" He packs his camera.
EDITED TO ADD (11/13): A response from the writer of the original article, after people questioned the veracity of the story.
Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce's customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission. In such highly targeted attacks, the AV companies are at a loss -- they have little chance of quickly developing signatures for threats that only reach a few thousand victims.
Does anyone know anything about this open source encrypted cell phone?
It uses Twofish.
Interesting study: "Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement," October 2007. It's long, but at least read the executive summary. Or, even shorter, this Associated Press story:
Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. Two-thirds of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.
This was accidental, but it could certainly be done on purpose:
Some cars failed to start on Tuesday in Parrock Street car park, in Gravesend, Kent, while others would not unlock.
Mad at someone? Turn him in as a terrorist:
A man in Sweden who was angry with his daughter's husband has been charged with libel for telling the FBI that the son-in-law had links to al-Qaeda, Swedish media reported on Friday.
EDITED TO ADD (11/6): Businesses do this too:
In May 2005 Jet's application for a licence to fly to America was held up after a firm based in Maryland, also called Jet Airways, accused Mr Goyal's company of being a money-laundering outfit for al-Qaeda. Mr Goyal says some of his local competitors were behind the claim, which was later withdrawn.
Interesting GAO testimony/report: "Internet Infrastructure: Challenges in Developing a Public/Private Recovery Plan," Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office (GAO), October 23, 2007.
Synthetic identity theft is poised to become a bigger problem than regular identity theft:
Unlike traditional identity thieves, who purloin people's information to get loans or make purchases, fraudsters like Mr. Rose mix legitimate and phony data to create synthetic identities. This kind of fraud doesn't usually directly affect consumers. The big losers are banks, which get stuck with loan defaults and unpaid credit-card bills that identity thieves leave behind.
Actually, real people do get harmed:
The men paired fake names with Social Security numbers of real people. Adam Gregory, the purported Las Vegas resident, had the Social Security number of a real California resident.
Okay, this is clever.
Basically, someone arrested as a homicide suspect walked out of jail after identifying himself as someone else. The biometric system worked, but human error overrode it:
But Sauceda's fingerprints, taken by a jail employee to verify his identity, were smudged and couldn't be matched to those on file for Garcia, said Brian Menges, director of jail administration.
It's a neat scam. Find out someone else who's been arrested, have a friend come and post bail for that person, and then steal his identity when the jailers come into the cellblock.
Joe Bennett in New Zealand:
An officer frisks me with hands like questing butterflies. Up my legs they flutter, then over my buttocks, my back, my chest and along my arms, but not, I notice, over my crotch. So there's the answer. When my anger at being pointlessly searched in airports finally reaches such incandescence that I feel compelled to act, I'll tape a bomblet behind my scrotum with the detonator clenched between my cheeks. It will kill no one except myself and I won't make a pretty corpse, but I will make damn sure I take out a particular notice. You know the one I mean. It's the only notice in human history to forbid, on pain of imprisonment, the making of jokes. I am not allowed to crack a joke about bombs.
Spammers have created a Windows game which shows a woman in a state of undress when people correctly type in text shown in an accompanying image.
I've been saying that spammers would start doing this for years. I'm actually surprised it took this long.
This is really interesting:
(In)Security explores a new design vocabulary in direct response to the climate of fear and paranoia that currently drives the program and aesthetic of much contemporary urban design. The project addresses the current and future state of security in and around the Wall Street financial district, creating viable security alternatives while simultaneously questioning our nation's current philosophy that security = freedom.
Full paper here.
We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.
The problem is that ordinary citizens don't know what a real terrorist threat looks like. They can't tell the difference between a bomb and a tape dispenser, electronic name badge, CD player, bat detector, or trash sculpture; or the difference between terrorist plotters and imams, musicians, or architects. All they know is that something makes them uneasy, usually based on fear, media hype, or just something being different.
Even worse: after someone reports a "terrorist threat," the whole system is biased towards escalation and CYA instead of a more realistic threat assessment.
Watch how it happens. Someone sees something, so he says something. The person he says it to -- a policeman, a security guard, a flight attendant -- now faces a choice: ignore or escalate. Even though he may believe that it's a false alarm, it's not in his best interests to dismiss the threat. If he's wrong, it'll cost him his career. But if he escalates, he'll be praised for "doing his job" and the cost will be borne by others. So he escalates. And the person he escalates to also escalates, in a series of CYA decisions. And before we're done, innocent people have been arrested, airports have been evacuated, and hundreds of police hours have been wasted.
This story has been repeated endlessly, both in the U.S. and in other countries. Someone -- these are all real -- notices a funny smell, or some white powder, or two people passing an envelope, or a dark-skinned man leaving boxes at the curb, or a cell phone in an airplane seat; the police cordon off the area, make arrests, and/or evacuate airplanes; and in the end the cause of the alarm is revealed as a pot of Thai chili sauce, or flour, or a utility bill, or an English professor recycling, or a cell phone in an airplane seat.
Of course, by then it's too late for the authorities to admit that they made a mistake and overreacted, that a sane voice of reason at some level should have prevailed. What follows is the parade of police and elected officials praising each other for doing a great job, and prosecuting the poor victim -- the person who was different in the first place -- for having the temerity to try to trick them.
For some reason, governments are encouraging this kind of behavior. It's not just the publicity campaigns asking people to come forward and snitch on their neighbors; they're asking certain professions to pay particular attention: truckers to watch the highways, students to watch campuses, and scuba instructors to watch their students. The U.S. wanted meter readers and telephone repairmen to snoop around houses. There's even a new law protecting people who turn in their travel mates based on some undefined "objectively reasonable suspicion," whatever that is.
If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security.
We need to do two things. The first is to stop urging people to report their fears. People have always come forward to tell the police when they see something genuinely suspicious, and should continue to do so. But encouraging people to raise an alarm every time they're spooked only squanders our security resources and makes no one safer.
We don't want people to never report anything. A store clerk's tip led to the unraveling of a plot to attack Fort Dix last May, and in March an alert Southern California woman foiled a kidnapping by calling the police about a suspicious man carting around a person-sized crate. But these incidents only reinforce the need to realistically assess, not automatically escalate, citizen tips. In criminal matters, law enforcement is experienced in separating legitimate tips from unsubstantiated fears, and allocating resources accordingly; we should expect no less from them when it comes to terrorism.
Equally important, politicians need to stop praising and promoting the officers who get it wrong. And everyone needs to stop castigating, and prosecuting, the victims just because they embarrassed the police by their innocence.
Causing a city-wide panic over blinking signs, a guy with a pellet gun, or stray backpacks, is not evidence of doing a good job: it's evidence of squandering police resources. Even worse, it causes its own form of terror, and encourages people to be even more alarmist in the future. We need to spend our resources on things that actually make us safer, not on chasing down and trumpeting every paranoid threat anyone can come up with.
This essay originally appeared on Wired.com.
EDITED TO ADD (11/1): Some links didn't make it into the original article. There's this creepy "if you see a father holding his child's hands, call the cops" campaign, this story of an iPod found on an airplane, and this story of an "improvised electronics device" trying to get through airport security. This is a good essay on the "war on electronics."