Schneier on Security
A blog covering security and security technology.
« Secretly Recording Interrogations |
| Security-Breach Notification Laws »
December 12, 2007
Police Helping Thieves
This is a weird article. Local police are putting yellow stickers on cars with visible packages, making it easier for thieves to identify which cars are worth breaking into.
EDITED TO ADD 12/19): According to a comment, this was misreported in the news. The police didn't just put signs on cars with visible packages, but on all cars. Cars with no visible packages got a note saying: "Nothing Observed (Good Job!)." So a thief would have to read the sign, which means he's already close enough to look in the car. Much better.
Posted on December 12, 2007 at 8:18 AM
• 57 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
A good idea, bad implementation.
Raising awareness of the public, good; marking the cars as targets, bad.
Got to think it out solutions all the way.
It's all fun and games until grandma comes out and sees one of those massive police tickets on her window ... and keels over from a coronary.
It would be quite an interesting situation if 20 cars were smashed into; belongings stolen; and all that was left in the 20 cars was the big yellow warning message.
Presumably the police stayed in the immediate area.
In the university where I am studying my postgraduate they do the same with bad secured bicycles. Campus security put a badge on cycles with bad security.
They probably got too many complaints for doing what the campus police did at my school back in the day: They'd add a lock of their own and make you come to the station and get the key (and pay a deposit on the lock until you returned it).
In the parking lot where I rather often park, the police creates "loot-awareness" by picketing and/or putting leaflets under every car's windscreenwipers.
These cops should be cited for vandalism and ticketed for obstructing the view out of the vehicle. I would be absolutely LIVID if anyone did this to my car.
I can't wait till someone gets in an accident because their view was obscured by this sticker and the cops are sued to oblivion.
@Erik - if a cop put a lock on my bike, I'd follow a bike cop all day till he parked and put one of my own locks on his bike. They no more right or excuse to do this than I do.
Where do these pigs get these wacky ideas? It just goes to show they are completely above/immune/oblivious to the law and the whole point of the USA. Live free or die.
@AngryMan - it's not a sticker, it's pretty clearly just a card tucked into the window gasket.
If I got one, I might think it was fun to move it to the least likely place; perhaps a delivery truck, or a really ancient beat-up truck with all kinds of crap piled in the back.
Hilarious idea.. so the cops actually do the vehicle pre-screening for the thieves..
I wonder whether this sheet even includes a line where the cop can insert the estimated value of visible stuff.
Here's a hip idea. Take the sticker off the window - THEN drive away. It's pretty high-tech, to be sure, but sometimes, it's the wacky, off-the-wall ideas that work best.
This is really a: "Cops to holiday thieves: You're a bunch of retards," story.
We look at this story, and two points come to mind. 1) That all we have to do is look for the cards, and we'll know every car in which an officer has spotted visible loot. And 2) If *I* can figure this out, so can any other member of the general public, like, say, a would-be thief.
The Conyers Police Department has pretty clearly spaced on one or both of these points, demonstrating a certain lack of awareness of the intellect of the average citizen.
They do this in Baltimore too, though I didn't find a reference in a very brief search.
I'm surprised at some of the vehement anti-police comments. Sure this could have been done better (ticket-like note under the wiper blades) but it sounds like their hearts are in the right place. I suspect that they've had several smash-and-grabs lately and are trying to avoid having more. No, the police aren't *always* out to get you! :-)
Until there's evidence that says otherwise, I'm inclined to think that the increased risk is only theoretical.
The police doesn't use any special method to spot the cars with visible packages in them. Would-be thieves can do the same thing - just walk around and look inside car windows. One can argue that what the police does make the thieves' job easier, but I'm not sure would-be thieves would give up on the idea of breaking into cars on the consideration that having to walk around the parking lot is too much trouble.
Somehow I think the evidence locker with the marijuana must be empty by now.
Part of the issue is that the police have, in effect, obviated a good part the first step of a theft - identifying a target. I don't think that the policy will lead to more thieves (not counting random teenagers) - but what it could lead to is each thief being able to hit more cars through not having to case EVERY car - they can limit their search to just those car that have been pre-marked.
What we don't know, is how many cars have been marked. If the Conyers area was already a target-rich environment, then the police action won't make much difference. But if the targets were reasonably hard to find in a quick search, the police have accidentally made it easier to find targets.
Basically, the police are just publicizing a vulnerability, aren't they?
Kind of like putting a sign on someone's front door saying "you didn't lock this today" so the owner of the house will know about it... making it a zero-day exploit.
The road to hell is paved with good intentions. I couldn't possibly care less where the police's heart is, I care how effective they are at doing their job, which is, in order, protecting the public and catching criminals.
@MSB and ARM,
good to hear comments that make some sense in this thread. Too much "omgthecopsarestupid", too little thinking going on here.
Sticker abuse story:
Back in the early 90s, I was contract teaching at a power plant. There was a paved lot and unpaved area for construction workers to park. One day I made the mistake of parking in the paved area to avoid teaching with dirty shoes. When I returned to my car, there was a large sticker in the middle of the windshield, alerting me to my parking violation. (guilty)
Here's the interesting part. The sticker wasn't easily removable (either an annoyance factor intended to deter future violations or lowest-bid purchase of stickers). The security folks didn't have any way to remove the stickers or glue. When I tried to warn my teaching contacts about the security and liability issues they faced obstructing the views of drivers leaving their property, my concerns were dismissed and my contract was promptly canceled. :-(
I wonder if the Conyers city attorney was apprised of this and considered public safety issues.
Hi to all. Found this via Boing Boing, and I must point out I live in Conyers. Truth be told, I work at the WalMart (I know, I know) which is one of the highest volume retailers in the area.
And I have seen none of these. Granted, I wasn't looking for them (like I intend to now), but so far they haven't popped up on my radar. So from my limited experience, they're not all over the place yet.
I fail to see how this differs substantially from advertising vulnerabilities in software to force software vendors to fix their security holes. I'm amazed at how much venom is being sprayed at police in the comments, when if a security researcher took the same approach with vendors about obvious security vulnerabilities, they would be hailed as heros.
It's the exact same argument: "If you publish vulnerabilities, you are helping the bad guys."
Remember that the police are not concerned with theory, they are concerned with practice. And if you looked at the statistics, I'm absolutely certain you would see a sharp drop in car crime because of increased vigilance from drivers, as compared to a very tiny increase, if any, from crooks looking for stickers.
I have worked with very large police departments (Miami-Dade, etc.) to monitor their statistics. Trust me, if something like this was increasing crime, it would be quickly noticed and cancelled.
Full Disclosure can't possibly be harmful, can it? The vulnerability of car doors is well known. Originally, the vulnerability was reported to the manufacturers, and they patched the cars by supplying locks for the doors. The rest of the security is up to the user, ie keeping their valuables out of sight. Surely no one here can fault the police for full disclosure. The user is expected to provide defense-in-depth.
To my understanding, the reason why we hail people who publicly call out software vendors is the perception (valid or not, I cannot say), that the vendor won't take any action if they think that no-one else is aware of the issue, and that they will, implicitly or explicitly, disavow any knowledge of vulnerabilities while continuing to sell their software. In other words, if the public isn't alerted, the issue is an externality (losses to customers) and the vendor has no incentive to fix the problem.
When you're dealing with individuals, for whom problems aren't externalities, they have an incentive to fix the problem, to reduce their own risk, whether or not anyone else knows about the problem. Now, if we were seeing a failure of people to take action after directed warnings, and then still complaining to the police (in other words, attempting to make the risk an externality by seeking redress from others after failing to take appropriate precautions) then a deliberate public "shaming" campaign (which is really what advertising vendor vulnerabilities is all about) would be in order.
Since the whole goal here is to reduce the risk of victimization, actions that increase that risk seem ill-considered.
"I fail to see how this differs substantially from advertising vulnerabilities in software to force software vendors to fix their security holes."
The most immediate difference I see is that software has thousands of users (paying customers) that are affected by vulnerabilities. A package being stolen affects one person- the person directly responsible for the vulnerability. It is considered poor form to publish a vulnerability publicly without contacting the company responsible before posting it on a major website or whatever. It probably would have been prudent to find something a little more discreet (small card under windshield wiper) rather than a large bright yellow card.
"It probably would have been prudent to find something a little more discreet (small card under windshield wiper) rather than a large bright yellow card."
I have found that when people leave their windows cracked, a note inside the vehicle on the driver's seat tends to work wonders.
The police are probably operating on the theory that the bad guy can also peek through windows and see piles of stuff ready to be stolen (which sadly enough is common). They don't realize that they're saving the bad guys some work.
However, this has to be traded against the fact that when the police see it, it's a slightly increased vulnerability UNTIL the person sees it, at which point the vulnerability will hopefully be reduced in the future.
I hope the bad guys are courteous enough to also steal the stickers.
anyone written to the staff writer with a link to this blog entry?
I am waiting for some prankster to swipe the cards and put them on cop cars.
When I first saw the heading I thought this was about the yellow bumper stickers the police are using here. The bumper stickers are fine for normal squad cars, but I have been seeing them on unmarked cars which makes them easier to spot from a distance as yellow bumper stickers stand out and are fairly rare. Hopefully undercover officers aren't attaching them to their cars.
And once again, security by amateurs... the stupidity continues...
@ Joseph (and others): "I fail to see how this differs substantially from advertising vulnerabilities in software to force software vendors to fix their security holes."
Then you haven't thought about it very carefully. Advertising vulnerabilities is like putting up a *general* sign that says "Leaving valuables in your car makes it easy for thieves". This gives a hint (admittedly a rather obvious one) to thieves that if they look in windows, they will be better able to select their targets. HOWEVER, this is not that at *all*. This is pointing out *specific* targets, which would be like a software vulnerability which listed the IP addresses of all the servers which are susceptible (which vulnerability reports do *not* do).
They are not even remotely the same thing.
The creepier part of this is the wholesale security aspect of it. So, now we're assigning cops to essentially walk parking lots, peering into every car. I know that in theory cars in public have looser warrentless search laws than your house, but there's an official nosyness to this program that I find disturbing.
It's more of the nanny state creeping in.
"I'm surprised at some of the vehement anti-police comments. Sure this could have been done better (ticket-like note under the wiper blades) but it sounds like their hearts are in the right place."
As the old saying goes, the path to hell is paved with good intentions. Regardless of their intentions, they did not THINK before implementing this item -- it is a typical knee-jerk solution.
@Juan working at a Wal-Mart:
I suspect these would show up around shopping locations with bigger tickets per item, like jewelry stores, CompUSA, etc. I doubt they'd be seen around Wal-Mart, Sam's Club, CostCo, BJ's, Target and the like.
It's like the story about Captchas... a lot depends upon how VALUABLE the material is.
Mind you... when the cops start putting up placards on cars based upon the theft rate for those cars... (laughs some more)
If someone robs a car in a Wal-Mart lot, they may be punished by having to keep what they stole. (I had a car, once, that my co-workers commented "Jack, if someone _did_ steal your car, they'd be forced to keep it, as punishment.")
Ah, then there's those of us who don't have trunks to hide stuff in.
My favorite idea for a trick during the holidays is to take a box of heavily used kitty litter, wrap it in bright wrapping paper, and leave my car door unlocked.
I do my shopping by mail order - I hate crowds.
Now let's just wait for the lawsuits to start... "aiding and abetting" is a good criminal charge for casing the parking lot and flagging the good cars to hit, right?
This also gives the Police 'legitimate' reason to visually search every car in every car park 'for your protection'. Call me paranoid, but this is just another way to condition people to have no privacy, and make sure that everyone knows they are being watched 'for their own safety.'
In a security sense it utilizes bad disclosure practices, '0day', whereby the world finds out before the parties responsible are given the chance to fix it.
Maybe they want to publicly shame people into compliance - but that is hardly any better.
@FD: These markers compare with full disclosure for software only if my leaving packages in my car makes all cars of the same model vulnerable.
Off Topic But Too Good to Pass Up:
My wife (WOAF?) once saw (in NYC) a supercilious man in a luxury car park illegally, then take the ticket off the car behind him and put it on his own car. Cops won't ticket someone already ticketed, right? When he walked off, another witness to this event put the ticket back on the original car.
SMiaLC's action on returning to his (now-ticketed) car are left as an excercise for the reader. :-)
This is like an AV scanner or another security software creating a backdoor!
Is it a bad thing that ARM's comment about "holiday thieves" reminded me of the Grinch?
I've seen similar things in car-theft campaigns; at the launch of the remake of Gone in 60 Seconds, the police put a checklist of common anti-theft measures (alarm, club, lack of visible packages) under wipers.
I also can't help thinking, what if the police are watching to prevent thieves from breaking into the marked cars? Wouldn't that constitute entrapment?
This is a police department with WAY too much time on its hands.
Isn't there crime in that little burg to investigate?
Why is law enforcement spending its time wandering around shopping mall parking lots peering into cars?
"...They do this in Baltimore too, though ..."
OMG - i hope you dont have a LITE BRITE in your car!!!
Perhaps if they put the sticker on *every* car? This would help raise awareness, without singling out targets...
It would also reduce the privacy concerns with having cops looking into your car... they don't need to (though probably still will) since they're sticking them on every car, not just "vulnerable" ones.
And if you think that your car, with its glass windows, is some haven of privacy, you're fooling yourself. People in glass houses shouldn't walk about naked...
Those people won't put visible packages in their cars again from the shock. Look long term. --one way of looking at it
Some years back, the state of Florida took notice that tourists were being targeted by muggers, etc. At that time, they required license plates to have a sticker on them declaring what county you lived in. Rental cars had special "Lease" plates. These lease plates made it easy for a crook to tell if you were a tourist.
The Florida DMV decided one day to replace all of the lease plates with standard county plates. It turned out that Manatee county had a surplus, so they grabbed a bunch of those and handed them out to car rental agencies.
Manatee county residents weren't thrilled by this.
If the stickers are only placed on cars with *obviously* visible valuables, I honestly don't see the issue. Car burglars already can spot valuables at a glance. It's the *profession* for pity's sake. The sticker isn't as big help for them as it is for you or I.
Sure, criminals are by and large stupid. But they're also know how to do their "job" of breaking into things better then you do. The sticker might help *you*, a college-educated security-professional, find a car worth breaking-into. But they don't do much to help streetwise thieves, because they already know how to find the obvious marks, and that's all the stickers get put on.
The sign just says that there is loot in the car AND the cops were here very recently and could still be close by. Overall, it probably decreases the theft risk when the sign is left and it decreases theft after the owner has removed the sign.
A random person going around looking into parked cars (especially if he/she was "ticketing" some of the cars) would generally be viewed as suspicious. Someone might well confront them or "call the cops".
If the police are doing this they are less likely to be confronted, almost certainly nobody is going to "call the cops" on the police.
Even worst someone who sees someone who turns up soon after the police have ticketed cars and appears only interested in the ticketed cars may assume that they are "with the police"...
I mean, otherwise it´s just security by obscurity?
I contacted Conyers Police Department, basically iterating the same thought that this lets thieves know which vehicles they should be paying attention to.
Their response to me was:
"Thank you for contacting the Conyers Police Department. We appreciate that you took the time to write us with your comments about our flyer initiative.
Unfortunately, the media did not impart the whole story in regard to the flyers. Flyers were not just placed on vehicles that contained visible items. Flyers were also placed on vehicles that contained no visible items with a note saying "Nothing Observed (Good Job!)". All vehicles were targeted. This initiative was not aimed only at vehicles that had items actually visible. Therefore, the flyers would not have been of any use to a thief for targeting vehicles since vehicles without items also received flyers. In addition, it was also not reported that all of the areas had extra patrols and officers on foot who were distributing the flyers.
We are sorry that the media did not provide this information despite the fact we asked them to. We hope that makes you see that our initiative was better planned than you believed."
Hopefully, thieves won't be able to easily differentiate between a flyer that indicates loot versus a flyer that indicates no loot; if the former looks noticeably different, they'll ignore the latter.
"In the parking lot where I rather often park, the police creates "loot-awareness" by picketing and/or putting leaflets under every car's windscreenwipers."
I'ld be more impressed if I came back to my car and found one of these sitting on the driver's seat :-) (with the door still locked and no alarm sounding...)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.