Schneier on Security
A blog covering security and security technology.
« Me on Chinese Hacking and Enabling Surveillance |
| Penny Shooter Business Card »
January 25, 2010
The Abdulmutallab Dots that Should Have Been Connected
The notion that U.S. intelligence should have "connected the dots," and caught Abdulmutallab, isn't going away. This is a typical example:
So you'd need come "articulable facts" which could "reasonably warrant a determination" that the guy may be a terrorist based on his behavior. And one assumes his behavior would have to catch the attention of the authorities, correct?
Well let's see.
- His dad, a former minister in Nigeria, informed the US embassy there that his son had been radicalized (the dad obviously had a reason for concern).
- US intelligence had been following him for a while, dubbing him "the Nigerian" (one assumes there was a reason).
- He was on a watch list (one assumes there was a reason).
- He had been banned from Britain (yup, one assumes there was a reason).
- The British intelligence service had identified him to our intelligence agencies in 2008 as a potential threat (sigh, uh, yeah, reason).
- He'd just visited Yemen, an al Qaeda hotbed (given the first 5, one can reasonably guess at the reason).
- He bought a one-way ticket to the United States in Africa through Europe (red flag 1).
- He paid cash (red flag 2).
- He checked no luggage (red flag 3).
...are those or are those not "articulable facts" which should have "reasonably warranted a determination" that this guy fit the profile of someone who is usually up too no good? No?
Kevin Drum responds to this line by line:
...the more we learn, the less this seems to be holding water. Let's go through the list one by one:
- Jim Arkedis, a former intelligence analyst: "For the record, 99 percent of the time, walk-in sources to U.S. Embassies are of poor-to-unknown quality. That includes friends and family members who walk into the embassy and claim their relatives are potential dangers. Why? Family relations are tangled webs, and who really knows if your uncle just might want you arrested in revenge for that unsettled family land dispute."
- This is true. But we didn't have a name, only a tip that "a Nigerian" might be planning an attack.
- Yes. But as the LA Times puts it, he was on a list of half a million people with "suspected extremist links but who are not considered threats."
- Yes, but not because of any suspected terrorist ties. From the New York Times: "[Home Secretary Alan] Johnson said Mr. Abdulmutallab's application to renew his student visa was rejected in May after officials had determined that the academic course he gave as his reason for returning to Britain was fake....The rejection of the visa renewal appeared to have been part of a wider process initiated by British authorities this year when they began to crack down on so-called fake colleges that officials said had been established in large numbers across Britain in an attempt to elude tightened immigration controls."
- No, they didn't. From the Telegraph: "Diplomatic sources said that the Prime Minister's spokesman had intended to refer to information gleaned by MI5 after the Christmas Day incident following an exhaustive examination of records going back through Abdulmutallab's time in Britain up to October 2008."
- No, it was a roundtrip ticket.
- Nigeria and Ghana (where Abdulmutallab bought his ticket) are largely cash economies. Andrew Sprung tells us that Abdulmutallab "would certainly raise no alarms by paying cash."
- This is apparently true.
I'd go even further on point 9. I fly 240,000 miles a year, and I almost never check luggage. And that goes double when flying in or out of the Third World. And I've also read that he didn't have a coat, something else that -- living in Minneapolis -- I regularly see.
As I keep saying, everything is obvious in hindsight. After the fact, it's easy to point to the bits of evidence and claim that someone should have "connected the dots." But before the fact, when there are millions of dots -- some important but the vast majority unimportant -- uncovering plots is a lot harder.
I wrote in 2002:
The problem is that the dots can only be numbered after the fact. With the benefit of hindsight, it's easy to draw lines from people in flight school here, to secret meetings in foreign countries there, over to interesting tips from foreign governments, and then to INS records. Before 9/11 it's not so easy. Rather than thinking of intelligence as a simple connect-the-dots picture, think of it as a million unnumbered pictures superimposed on top of each other. Or a random-dot stereogram. Is it a lion, a tree, a cast iron stove, or just an unintelligible mess of dots? You try and figure it out.
It's certainly possible that intelligence missed something that could have alerted them. And there have been reports saying that a misspelling of Abdulmutallab's name caused the Department of State to miss an alert. (I've also heard, although I can't find a link, that some database truncated his name because it was too long for the database field.) And I'm sure that a lot of the money we're wasting on full body scanners and other airport security measures could be much better spent increasing our intelligence and investigation capabilities. But be careful before you claim something that's obvious after the fact should have been obvious before the fact.
Posted on January 25, 2010 at 7:09 AM
• 66 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
How do you spell "Abdulmutallab"?
Seriously. It's not, originally, spelled in the Roman character set, but in the Arabic. So how, really, do you transliterate it?
Abdulmutallab. Abdul Mutallab. Abdul Mu'tallab. Abdul Muhtalab. Etc.
Oh, and each of those spellings could be a separate name entered in the TSDB down at TSC.
I entirely agree. The crowds of commentators who point out that “someone should have done something” are always distinguished by their own failure to predict and do something about it before the fact.
With regard to spelling his name wrong:
It brings into question collaboration and the "need-to-share" vs. the "need-to-know" within the IC, assuming DoS Intel were the ones that missed "the alert". I wouldn't buy the "his name was misspelled so we didn't know" story. Current software allows for these types of misspellings and still yields results. I would surprised if a DB they are using to track these people truncates a last name at 13 characters. Kind of short IMO.
Interesting. It's amazing how many people fall into the trap of assuming that because it's easy AFTER the fact, connecting the dots beforehand is easy as well.
It's not just that the dots can often only be numbered after the fact, it's that you don't even know which dots are the right ones until the end. All of those facts about Abdulmutallab sound fishy, but only because we already KNOW he's a bad guy. Taken on their own, in a sea of similar facts about people who DON'T end up as terrorists, it's much harder.
This point seems obvious, so it's interesting to me that very few people seem to realize it. I know Bruce has looked a lot about the psychology of security, and I've seen a few of his presentations on it at conferences, but I don't remember any commentary on what makes people abuse hindsight like this. And it seems like a crucial part of the equation, since it's hard to make changes that actually improve security with a bunch of Monday morning quarterbacks breathing down everyone's collective neck.
What I find depressingly amusing (forgive the oxymoron) about "connect the dots" crowds is that the vast majority of them almost always seemed to be people who were already opponents of the person/entity they are pointing fingers at.
After 9/11, most of the connect the dots finger pointers were on the political left (after all, we had a republican president) and now most of them are on the political right (now that we have a democratic one).
I don't intend this to be a political comment, the point is about the predispositions of those doing the finger-pointing, which is very valid. It isn't even deliberately biased or unfair. Everyone's predispositions impact their assessments. Right or left or in between, it's very easy to either assign nefarious motives to someone one already believe is bad, attritube to incompetence those one already believe to not be up to the task.
I think it is important to look at what people say now vs what they said in 2002. Bruce, while his political leanings are often obvious in his delivery, seems to be consistent and fair in his conclusions and suggestions. Therefore, it give his advice a bit more credibility.
I don't blame our current or any of our recent presidents. It's just too broad and complex of a problem for anyone to handle with perfection. I just ask that we and they learn from events and make improvements/changes where appropriate.
Viewing the sifting of information for evidence of plots as a signal analysis problem, it is evident that the signal is being swamped by the noise. And, given the heterogeneous and low quality of the vast majority of the input, it is not at all clear that it can ever be otherwise, irrespective of any clever procedures or algorithmics that may be brought to bear.
This is one of the ironies of our surrender to pervasive civil data surveillance. We can have our entire lives --- from grocery lists, to travel, to medical histories, to financial state, to telecomunication connectedness, to Facebook/Twitter gossip, etc. --- cataloged in giant, real-time, TIA-style databases for the edification and entertainment of our law enforcement and intelligence agencies. And those agencies will _still_ not be able to pick out a terrorist plot from the resulting ocean of data on humans being human.
So, do we just declare "no fault?" I agree that there are good reasons why individual pieces of the behavioral profile might have been overlooked. However, if collected and disseminated as a part of a fabric of information, then there would certainly have been sufficient information to highlight the need for some additional questioning. What about his behavior (before boarding) caused passengers to wonder about him?
He was traveling on a Nigerian passport with a U.S. Visa. Both of these documents have very clear document numbers and both have his name spelled out on them. If the consulate did not cross reference the father’s concern to the Visa they issued (it also contains information on the passport in which it was inserted) and the passport information shame on them. If the name was too long then there is a standardized method used on both the visa and passport for truncation. There should have been no question of miss-spelling in this case.
We have some very sophisticated modeling software in our intelligence community, but we do not have a very good real-time data collection system to feed it. If we used modern document reader/authenticators at each point of contact/concern for this person and the information collected were input to our intelligence system, then I am certain there would have been an “alert” in Amsterdam to look closer at this individual.
All of the information on the passport can be read (not just the MRZ) and the security features authenticated on the Visa and the passport Data Page in 3-5 seconds each. If the U.S. was the final destination, then the passport and Visa information should have been collect at the start of the journey and passed on via APIS at that time and prior to each start of each leg of the journey (this is not currently done, data is collected only for passengers boarding flights going directly to the U.S.). Even though these are cash societies and perhaps it is not uncommon to not check luggage on a trip to the U.S. (When was the return scheduled?), these pieces of information should have been collected as well, even though they might not get the same weighting as if it were a journey originating in Europe. The issuing country should be willing to verify that they issued such a document (they aren’t), based on data provided (no additional information beyond the confirmation, validity, and a lost/stolen indicator is required). Interpol maintains an online database of suspect and lost/stolen documents as does the U.S. and others.
Perhaps the G8 countries should share the Passport information (without prejudice) for rejected Visa renewal applications as a part of an on-line database. Many Visa applications are rejected for first-time applicants and it is likely that there is little correlation to any real threat. There are many constructive steps than could be taken to improve the system for the future and the “security theater” that is going on does nothing to make for a more Secure Flight (pun intended).
The total cost to implement such a data collection and document authentication solution worldwide would be less than a dozen full-body scanners. See www.fraudfreeid.com and www.assuretec.com. There are other providers of such technology.
@Brian at January 25, 2010 9:00 AM
I agree. After the fact, everything seems more predictable than it actually was.
To answer your question what makes people abuse hindsight, I think there are a few things.
One, after horrors like 9/11, Virginia Tech, or close calls like this, people are presented with a few dots that seem very easy to connect. So people naturally assume that, since it was so easy for them, those in authority should have been able to do it... based on the small amount of info they have, it seems obvious. The needle in the haystack seems very visible when someone pokes themselves with it. What they don't see are the uncountable number of dots that those in authority had.
Second, as I just posted about, is bias, which I don't even believe is deliberate. After 9/11, people who already thought the president was incompetent saw it as reinforcement of what they already knew. Now, people who already think the president is inexperienced or doesn't take national security seriously similarly have their opinions reinforced.
Finally, and I really hate to say this, I think some people have a hard time accepting that bad things happen.
Here's the question: how many facts were know about Abdulmutallab before the fact, and how many of the distinguishing characteristics of the entire profile would be needed to make the equivalent set small? How distributed were these facts? What would it take to put them in front of one person?
He lived in England for years -- his profile must be huge, just to start with.
I think if we could actually calculate how much information would need to flow in order to come up, with foresight, his unique identity (i.e., predict him), we'd soon come up with a fairly large power plant.
Well, there you go again, Bruce, spoiling everyone's fun with facts! (Thanks for doing so.)
Valerie Plame and Joe Wilson might have some valuable input on this real-or-contrived avenue of action against the US via Nigeria.
Oh, wait. They're not around anymore to make those observations, are they? Does anyone remember why?
@kangaroo at January 25, 2010 9:11 AM
Perhaps more should have been seen. But let's keep two things in mind, the first of which being he was one of tens or hundreds of thousands of people on the radar.
The second is the characteristics of non-Abdulmutallab population which is likely of more importance than we realize just looking at Abdulmutallab's information.
I do a lot of CAATS in my job, and it has been eye opening to me when programming searches and queries how many hits a seemingly obvious and rare red flag will get. Sure, they correctly identify a problem instance, but they also identify several others with similar behavior that is not a problem just an anomoly. When dealing with large populations, even a fraction of a percent will flag a large number of possible Abdulmutallabs.
I'm not saying that is what happened, I don't have enough facts to say one way or the other.
OK, if "connecting dots" was too difficult to do, why was it also too difficult to respond to at least one of the "clues" listed everywhere. If he really was traveling one-way without luggage...
Because on the other hand also here on this blog there are lots of stories of innocent people being harassed for much, much less "evidence", like taking a photo of a building, or making someone feel "uncomfortable". Let only your current name be "Yusuf Islam" and no matter how many people know you as the nice Mr. "Cat Stevens", your plane gets redirected because - sorry, I have no idea why, but they did...
Perhaps the intelligence community, security services etc were better off dropping a lot of nonsense games and concentrating instead on what they are supposed to do...
Whenever I hear "connect the dots" I mentally replace it with "foretell the future."
Sure, it happens. But it's less about child's play and more about getting lucky.
@dl7und: "Because on the other hand also here on this blog there are lots of stories of innocent people being harassed for much, much less "evidence", like taking a photo of a building, or making someone feel "uncomfortable". Let only your current name be "Yusuf Islam" and no matter how many people know you as the nice Mr. "Cat Stevens", your plane gets redirected because - sorry, I have no idea why, but they did...
True too. Being wrong about someone has consequences either way you are wrong.
Even if this guy was flagged, short of strip searching him it may have been tough to detect. Had they not let him on the plane, he may very well have become a poster child for victims of discrimination.
Interesting point. The idea that we can reverse-engineer a terrorist and identify him prior to an incident 'looks good on paper' - but what's really going on is that we're solving for a known quantity (x + y = 4). Unfortunately, there are a number of possibilities for x and y that return a valid result, but do not mean the sum = terrorist.
It's also interesting that the folks who assume we should have 'connected the dots' on Abdulmutallab often then jump to the conclusion that we don't have to search grandmothers and babies because we know they're harmless - which may be true if you are proceeding backwards from a known, but not forward from an unknown.
One of my minor hobbies is Pearl Harbor conspiracy theories. It's fascinating watching some of the mental gyrations in the attempt to avoid the basic fact that the Japanese pulled off a surprise attack on Pearl Harbor.
One thing I often see is that a Japanese laundry worker warned the Peruvian embassy about the Pearl Harbor attack in January 1941. Nobody mentions all the other low-quality information coming in. (This is assuredly low-quality, since the decision to attack was made much later, after a good deal of controversy.) Another thing I see is a belief that an attack on Pearl Harbor was the obvious thing to do, which is wasn't.
Some people just seem to want to live in a world that is not just deterministic but determinable. There has to be somebody who can figure out what's going to happen, and a failure to do so is seen as malice (or the malice can motivate the reasoning, I suppose). It's so easy to come up with an explanation as to why we would have foreseen X that people forget how easy it is to come up with explanations for things that never actually happened.
BTW, anybody remember that Swedish guy who was kept out of the US because his father-in-law told the US embassy that he had al-Qaida connections? We have the choice between seriously discommoding large numbers of people or, I guess, laughing at some turkey setting his underwear on fire. I know which I prefer.
If he really was traveling one-way without luggage...
From the quote in the article above:
7. He bought a one-way ticket to the United States in Africa through Europe (red flag 1).
7. No, it was a roundtrip ticket.
@Nick Lancaster: "It's also interesting that the folks who assume we should have 'connected the dots' on Abdulmutallab often then jump to the conclusion that we don't have to search grandmothers and babies because we know they're harmless - which may be true if you are proceeding backwards from a known, but not forward from an unknown."
Great point. If you don't search harmless grandmothers and babies, then a terrorist will use the trust extended to them to smuggle something past security. Then, we'd have more dots that "should" have been connected.
@David: "BTW, anybody remember that Swedish guy who was kept out of the US because his father-in-law told the US embassy that he had al-Qaida connections? "
Yup. It was blogged about here, many ridiculed the US for investigating it. Authorities determined he wasn't a terrorist, but sent him home instead of letting him in. Of course, given a tip from the father-in-law, I can imagine the heaps of criticism had he been allowed in and been caught doing something (doesn't even have to be terrorism).
Intelligence services knew much more than the 9 points listed above. Leaks reported by the New York Times say that they knew: 2 of the 3 words in his full name, Christmas was the day, a Yemen connection was involved in the plot, and apparently several other items that the leaker did not divulge. We do not need to predict the future. All those comments are off base. We need to collect organized facts, create changing screening criteria, and implement them at multiple points around the world. These are achievable actions. Abdulmutallab should have triggered extensive screening at the airport. A crystal ball was not necessary - only organized screening criteria on that particular time interval were needed. Any screening person could have caught the guy if presented with organized criteria and flags on their computer screen. That is the systemic failure.
@David: "BTW, anybody remember that Swedish guy..."
There's other reasons to keep out Swedish people...they are darned odd at times.
Bredo's Grandson overstayed his visa, got grandpa cryongenic, and started a festival in Nederland Colo.
Of course...it IS a fun festival (Nederland is where all the Hippies from Boulder moved up the valley to)
Let's see how many reasons for concern and red flags we can raise about Bruce Schneier.
1. Bruce Schneier flies 240,000 miles per year all over the world, including Third World countries. He has a a very good knowledge of how airports work, and probably knows more about Minneapolis airport than anyone else. Reason for concern #1
2. Bruce Schneier has tirelessly criticized the TSA since 2001 and is preaching against full-body scanners, pat downs, watch lists and water bans. Clearly this man wants to smuggle things through airport security. Reason for concern #2
3. Bruce Schneier makes a good living giving conferences all over the world; he has enough money to buy explosives or to corrupt airport employees. Reason for concern #3.
4. Bruce Schneier almost never checks luggage. Red flag #1
5. Bruce Schneier has a beard. Red flag #2
6. The data on Bruce Schneier's computer is encrypted. Red flag #3
7. Bruce Schneier developed the encryption algorith himself. Clearly this guy has something to hide. Red flag #4
This is very true. There did not need to be any confusion about this particular person being worthy of very close scrutiny. In fact, there was sufficient prior information available that this person should have been denied entry permission and brought to the attention of law enforcement in Amsterdam. It just wasn’t available where and when needed to make the decision. The number of instances of this occurring on any given flight would be very small and, in most instances, a few brief questions will eliminate the "false positive" hits.
The issue is what should be done to keep this from happening in the future. Automated, reliable data collection and analysis inconvenience no one unless there is probable cause to ask more questions. Examination of the document for tampering comes along for free (cost and time) with the document authentication process.
I do not know your level of expertise in screening or behavioral profiling, but I would have thought you might get at least one of the possible criteria correct. You did not.
If you had said the Bruce consistent flew a route through Yemen and it was not explainable by his final destination, or business you would be closer. How would you know his business? Ask him!
I'm with you on your basic premise, hindsight is 20-20.
About the misspelled names red herring. There is a name search technique called "Soundex". The algorithm was designed in the 1800's. Granted it is English name biased, but I'm sure there are some bright boys in the CIA/NSA/etc with spare time on their hands that could figure out the appropriate international variations. Heck, they probably already have.
The part about a name field being too short is just too funny.
No fly lists are funny too (as long as you aren't on them). How about the guy who figured out the "secret" of getting around them: http://it.toolbox.com/blogs/securitymonkey/...
"There did not need to be any confusion about this particular person being worthy of very close scrutiny."
The problem is that any of the criteria used to justify that "very close scrutiny" would also apply to so many other travelers that it would overwhelm the security systems in place.
"The number of instances of this occurring on any given flight would be very small and, in most instances, a few brief questions will eliminate the "false positive" hits."
How would such questions do that?
Not that it matters because no matter how small the error rate, even one false positive per flight would be higher than the real percentage of terrorists.
Speaking of things that are obvious in hindsight, I never stopped to consider how common points 8 and 9 would be for travellers flying out of the Third World before.
As for the truncated name, you don't have to look very far for at least one piece of software that's doing it. Movable Type appears to be using char to hold its filenames.
This whole "connecting the dots" deal reminds me somewhat of some sort of trapdoor function. Once you know the terrorist plot it is easy to pick out the correct dots, but given the correct dots it is all but impossible to correctly deduce the plot.
Perhaps someone could design some sort of cryptosystem around this concept... ;)
@Ron at January 25, 2010 11:08 AM
I recently attended a talk about so called "fuzzy search algorithms" which covered Soundex. Apparently there are more versitile algorithms that have largely replaced soundex, making improvements on the concept in various ways. Even so, I'm not entirely convinced the concept could be scaled very far for uses like this. At the very least you'd probably have thousands of name collisions to deal with. Still, it could probably (and probably is) be used to supplement existing searching techniques.
And as always, regardless of what went wrong or who screwed up, the only "action" the government is taking is to punish all air travelers.
The only possible "message" this is sending to our enemies is that they don't have to spend their time and money on complicated, spectacular plots. They need only choose an expendable schmuck to carry a low-tech bomb that involves some ubiquitous items like shoes or underwear, who will then most likely fail to cause any actual harm. Then they let our own government do the real job of inflicting long-term damage through pointless, boneheaded, inconsistently implemented "enhanced security" that costs a lot of money, erodes our liberty, and wastes untold amounts of individual travelers' time and money.
The TSA and its defenders insist that criticizing them is "aiding the enemy." But in fact, the TSA (along with the politicians and bureaucrats who give them blank checks) is the terrorist's most effective weapon of mass destruction.
I think the points 7-9 are perhaps the most useless. The are part of this whole profiling business that people keep bringing up. And it comes to show once again that people do not understand how profiling can work. A recommendation based on points 7-9 would be that somehow we should pay more attention to people who 1) pay in cash, 2) have one way tickets and 3) check no luggage. However, that is useless. If we do that, terrorists will just start paying with credit cards, buy roundtrip tickets and check as much luggage as possible.
For profiling to work, you have to 1) have a low enough type 1 and 2 error and 2) make your criteria things potential terrorists have a hard time changing. The cloths they wear, the city they choose as their destination, the amount of luggage or the method of payments are examples of very poor ideas because terrorists can just side-step those criteria entirely. Things like race or country of origin are huge type 1 errors. If you get too many false positives, you can't concentrate correctly on all of them. It's just too much. The kind of data you need is not the kind that you get from a passport. It's the kind you get through intelligence work. Where has this or that person go in the past 10 years? (Did they go somewhere that indicates they may have gone to a terrorist training camp) Did they in their earlier days join radical groups or make radical statements? (I would imagine that before becoming a terrorist master manipulator with an organisation behind them, most terrorists start out shouting their new-found truth everywhere they go) That's the kind of profiling data that would not stop every terrorist, but it probably would significantly shrink the pool from which suicide bombers are drawn.
Reading this, I think I am seeing an assumption on the part of the guys tasked to "find the terrorists" that is not helping.
As far as I can tell, there are three classes of people:
- Possibly dangerous
Possibly dangerous people may be selected for more inspection, but when not found with a bomb, become Safe people for the remainder of their trip. Dangerous people are banned from all travel/entry/whatever.
The lack of gradation might be where the "connect the dots" makes sense. Assume any normal person with no information is a 0 security risk. (A guy in prison for terrorism is a 100 risk).
So, you are from Yemen, you get a +10. Someone informs on you vaguely. You get a +5, and we keep track of that info trail, so if his tips start paying off, we go back and up that to a +12. You travel to even more dangerous countries with no explanation +++. Etc.
And that's one dimensional. It could be more complex. But the point is that I seem to be seeing everyone think "that one factor should have red flagged him." I suspect almost any ONE factor should not turn you into a Dangerous Person.
Gradations of danger, and information attached to them, should be able to help with smart screening and what screeners and security personnel should look for...
Whoops, I dropped the :-) that should have been after my second paragraph...
@wiredog "Imagine the fun dealing with 28,537 false positives/day"
I'm not sure where I heard it hear or somewhere in the halls.
"We're spending all of our time clearing the same people over and over again."
Granted periodic reinvestigations are necessary with some risk/asset type matches but clear every traveller every time they pass through ever security check point? A full employment program for the Dept of Redundency Dept?
The problem with the grading system described above is as soon as you create it, it is obsolete.
Everyone from terrorists to dignitaries to just plain people who have something to hide will either have to game the system to fall under the benchmarks or stop using forms of transportation monitored by the system.
A lot of "safe" people will get swept up into the system, too.
Then the politics begins with claims the system is racist, sexist, bigoted, or whatever.
No, a straight system of points and pluses and minuses are no replacement for a well-trained human being who just senses something isn't right.
In the case of this "bomber" that was the passengers on the plane who sensed something was up and kicked his butt.
What's Bruce's point, other than pointing out the technical difficulty of connecting the dots to his technically-minded audience? I thought the doctrine is to espouse investing security dollars in intelligence, investigation and emergence response instead of intrusive screenings. This post would seem to refute the possibility of payback in that investment. So, given that intelligence and investigation (as well as the intrusive screening) failed to prevent Abdulmutallab from boarding the flight, if we had not had the success of bad terrorist technology and passenger response, what are we left with? Picking up the pieces after the fireball outside Detroit? Saying that a certain number of bombings is more acceptable than screening?
Bruce had written extensively on people's failure to properly assess remote risks, but I don't see that he has yet succeeded in enlightening a large portion of the population. Polls indicate a majority in favor of more intrusive screening.
If we're going to win over the populace, we're going to have show them *how* improving intelligence has a better return than full body scans.
Actually soundex was invented to solve exactly this problem, with Hindu names being transliterated differently.
The miss-spelling is a real problem. I work for a company that makes a very complex (expensive) piece of software to solve this.
It's a lot more complex than just spelling - all the databases are based on the assumption of first name, initial, surname where matching surnames mean a link and middle initial is unique. This isn't necessarily true in other cultures.
Add in minimum wage data entry and the usual mailing list misspellings and a list of names is basically useless.
To give an example of a British politician.
Anthony Neil Wedgwood Benn, Tony Benn, Viscount Stansgate and the Right Honourable Tony Benn MP - are the same person.
Now would you expect an airline ticket clerk that spoke only Arabic to get that right or might he type in "Toni Ben" = no match ?
I don't know how Hans Henrik Ágost Gábor Tasso Freiherr Thyssen-Bornemisza de Kászon et Impérfalva ever gets on a plane!
We came across matches of terrorist vessels because the names began with the same sub-string. The string was "star of" in Arabic, all Arabic ships as far as we could see are called "star of ..."
Another government agency decided to roll their own name normalisation. They replaced any name beginning Al/Ali/Aly with "Alistair" - great for spotting 19C horor writer Aleister Crowley but less useful with arabic suspects.
"Granted periodic reinvestigations are necessary with some risk/asset type matches but clear every traveller every time they pass through ever security check point?"
No. That is the number of flights per day. The number of travelers per day is much higher.
That was in reference to having a single false positive per flight. And how that single false positive per flight would overwhelm the current security system's ability to clear them.
Who, of the posters who are saying the spooks messed up, has experience in the field?
This WSJ article puts terrorism in its proper perspective. I believe that some of the points have also been made by Mr. Schneier. I have always said that a real leader would have made a speech like this after 911 to put terrorism in perspective and avoid senseless fear and irrational responses.
@David at January 25, 2010 9:56 AM
Read "The Man in the High Castle" by Phillip K Dick. Excellent story.
I am becoming confused. The "false positive" will become a "Safe for the trip after 10-15 seconds of questioning". One person per flight being questioned 10-15 seconds longer would not "swamp the system." The idea is to save the remainder of the passengers from extra scrutinty so the resources can take more time with the "higher risk travelers."
The point here is that no Soundex or other name matching was necessary in this case. The precise identification information existed on the documents he was traveling with and the ones the DOS had on record with should have been the ones that made it to the "watch list". The watch list had 550,000 names, but was not checked! Only the "no fly list" was checked. He wasn't on it.
When you have the amount of information that we should have had on record for this individual, there is no confusion and the checking and verification is very, very fast. How much information does Google check to respond prompt to your Search request?
A simple name check on the larger list, given the relevance of most of the names on the list and name similarities, aliases, etc, would produce dozens of false alerts on a large number of flights. So it was not used. It this case we had much more information than just a name. We had age, birth date, place of birth, nationality, document issue date, passport number, visa number, etc. They simply were not entered (DHS and DOS both had this information in their databases) and had they been they were not checked any way.
@Mailman: You left out having been known to get large quantities of liquid past TSA screeners (specifically, two bottles of saline solution, nominally one for each eye).
@Aaron: For the Synoname project, how many names would be lumped together? The problem with dumping similar names into buckets is that there may be a lot of people in one bucket, one of whom you're interested in. How many names would come out equivalent to Abdulmutallab?
@Steven Hoober: The problem with any automated screening system is that, statistically speaking, terrorists don't exist. The number of terrorists is far less than the margin of error on any statistical approach. Either you let somebody like Abdulmutallab through, or you strip-search a whole lot of people (was there any reliable way to catch Mr. Pants On Fire aside from a strip search?).
@David: " Either you let somebody like Abdulmutallab through, or you strip-search a whole lot of people (was there any reliable way to catch Mr. Pants On Fire aside from a strip search?)."
Another nice post, David.
I can just imagine the backlash if an innocent person were strip searched. (Especially if their demographics could make it painted as profiling or bigotry).
I also think some people do not grasp the numbers. The TSA alone screens well over 750 million passengers each year, and that says nothing for what other airline security entities do outside the USA. Even a remarkably (or should I say impossibly) precise system that was so accurate it only had one false positive for every 1 million passengers, that would still be several hundreds (perhaps thousands) of people each year that would be "harrassed" and would make the news as nice poster children for US excesses.
It's simply too complex of a problem to be handled with the level of perfection some people seem to want.
"The "false positive" will become a "Safe for the trip after 10-15 seconds of questioning"."
How? What questions can you ask that will tell you whether a person is a terrorist or not and why would the terrorist answer differently than a non-terrorist?
Every detection mechanism will turn up positives, almost all of them false.
The crux of the problem is that humans are unable to cope with a flood of false positives: we quickly get bewildered.
Suppose terrorists are one in a million.
Say it's your job to investigate ten thousand positives in hopes of turning up the one terrorist that might be there. Quickly, you get so used to clearing candidates, one after the other, that clearing them becomes a habit and eventually a policy, reducing you to a rubber-stamp automaton, no longer able to tell any two people apart.
There'll be another ten thousand tomorrow, so you'd better get busy, and since this operation runs around the clock seven days a week, don't bother coming in Monday if you're not here Saturday and Sunday.
How soon would you give up in defeat? The counter-terror people have been at this insanity for eight years.
We are looking for terrorists broadly, rather than hunting them narrowly.
(If you want to know about hunting terrorists, see Terrorist Hunter by Anonymous. Hint: Finding them requires mastery of their native languages, and a laptop.)
"This whole join the dots...
...Perhaps someone could design some sort of cryptosystem around this concept... ;)"
Depending on how you look at it they already did, and it's called Public Key.
The first and still arguably the best (due to patent expiry ;) is RSA.
There was a joke about IBM and HAL from A. C. Clarks 2001 that he simply shifted the letters back up the alphabet by one to be "one up on IBM"
So let me se RSA -- TSA, yup their heading in the wrong direction in the wrong way and by twice the usual amount ;)
It should have been QRZ that has real meaning to some people (it is a morse Q code meaning 'who is calling me' but is also the name of a very very large DB of radio amatures etc ;)
Mind you the Q code we all might start using with the TSA since Cptn Underpants is,
QRM - Are you being interfered with?
QRM - Who is interfering with me?
"and probably knows more about Minneapolis airport than anyone else. Reason for concern #1."
I think there's a Senator from Idaho that knows more about MSP. ;-)
"That's the kind of profiling data that would not stop every terrorist, but it probably would significantly shrink the pool from which suicide bombers are drawn."
Hmm probably not.
Lets have a look at the Airport/aircraft list since 9/11.
Cptn Underpants and Cpl Hotfoot where both almost comical Walter Mitty types who would have been a real serious liability to a terrorist organisation if not handled correctly (It's why I think any Intel from them is going to be "stale" or "invented" especialy for them).
Then we have Dr Fingerlicking and friend. Who tried to have a bit of a "ho down" in Scotland. Apparently their barbi act was not a crowd pleaser and thus failed the standup circuit (and will not appear at the Edinburgh Fringe).
Then we have the "Thirst Brothers" they missed the bus to the airport as it where.
All jokes aside there are two important points to note.
First of they all failed only one of the above can remotely be said to be by Intel community action (UK Police had them under active watch but...)
Secondly appart from Dr Fingerlicking and friend they where carrying out somebody elses plan using supplied weapons that border on the "exotic/fancifull" in nature.
I cann't help but feel (in my gut) that the terrorists are not interested in aircraft or the airline industry as mainline targets any more (not that they have much in the past even with 9/11 it was not the aircraft that where the real targets, they where "force multiplier tools" just like the box cutters).
Firstly the attacks on aircraft although successess have probably cost the terorists more than we think, in that travel regulations have been tightend up, which realy hurts them. And the likes of London appears to be no longer a safe haven for R&R etc of the seniors and planners.
The one pluss point for terrorists in more recent times has been the Banking collapse, where criminal (drugs mainly) money has been the only liquidity around. This has enabled them like other criminals setup and legitamise future finance streams.
I further suspect that the flights around the place for Cptn Underpants and Cpl Hotfoot where an attempt to test them out to see if they where realy "usable clean DNA" or other "nut jobs" being watched by security forces.
As I and others have said they are not ment to succeed they are actually ment to fail. The question is why?
The likes of Cptn Underpants realy are of no real use to insurgents etc carrying out ground attacks on soldiers, in fact they would be a very real liability to their own organisations.
Likewise terrorists planning to do ground type attacks on civilians in Hotels nightclubs etc.
They are infact not just inept they are a very real liability to a terrorist organisation. In that they know something about the recruitment process and they may know more about various ops etc.
Thus the best plan of action is to keep them away from where the real activities are untill whatever they know about the real activities of the terrorist recruiting etc has gone "stale" and is thus worthless.
However as a terrorist organisation you have a significant expense running such people in a fake world you create to prevent them doing harm to the organisation.
Thus you issolate them from the main organisation, you train them up slowly, you show them real conceald weapons that work and how to hide them and see if atleast they can manage that for themselves if not you might as well use them as "Poster Boy" or "Flag waving" missions that actually work better if they fail (nobody else gets hurt and you have lots and lots of press covarage).
Thus importantly Cptn Underpants and Cpl Hotfoot where issolated outliers not mainline.
Thus even less likely to appear in the Intel World Directory of Terrorists.
The fact that Cptn Underpants was as well known as he was appears is not down to the Intel community. But his father and that in the UK Nigerians, Somalis and one or two other African nation nationals are currently being bashed "as a bunch of free loading illegal immigrants" hiding behind fake collages etc mainly used to legalise "buy-a-bride" girls and more criminal types such as unlicensed taxi cabs, bush meat, canabalistic witchcraft, drugs etc etc (it is difficult with political footballs to work out what the real issues are as they are deliberatly conflated).
Lets be honest the amount of explosives they have used are about the same as anti-personnel weapons and people survive those all the time even when standing right on top of them.
It actually takes a quite knowledgable person to do real damage with so little and that sort of person is worth way way more to a terrorist organisation alive than thrown away on just one mission that if successfull may actually not be recognised as such for some period of time if at all...
The 747 that came down on the little Scotish town was (from what we have been told) ment to drop in the ocean not on land is that realy true?
The practice in the aircraft industry irrespective of the real cause has always been "blaim the pilot if he's dead" PR him if alive as a super human hero fighting a one in 10Billion freak event. That is "DON'T SCARE the public" with stories of unknown airframe failures, it's not good for business.
Thus a successfull attack with that small quantity of explosive may show up on "black boxes" not as an explosion but an airframe failure.
Which means from the industry and economic point of view "sit in your seats" for the last hour would likley do way way more damage than an aircraft blowing up above a US City. Thus it is not in National Security interests overall...
Jon Stewart (Daily Show) noted one important item: How often do you respond to emails from Nigerian ministers?
I've been pulled in for questions when entering Australia becuase my name is just 'similar' to one on their watch list, so I don't buy the misspelling thing either (I know we're not talking about Australia here, but it seems likely that US system would pick up 'similar' names too).
Or it could have been a considered choice and our elected and appointed leaders don't want us to know that they are willing to take risks (yeah!) with our lives (booo!).
Director of the National Counterterrorism Center (NCTC), Michael E. Leiter testitifing to Congress as reported in
CongressDaily on January 22 that intelligence officials "have acknowledged the government knowingly allows foreigners whose names are on terrorist watch lists to enter the country in order to track their movement and activities."
Leiter told the Committee: "I will tell you, that when people come to the country and they are on the watch list, it is because we have generally made the choice that we want them here in the country for some reason or another."
@Clive Robinson at January 25, 2010 7:15 PM
Well I was thinking more along the lines of a public key cipher that relied on the difficulty in catching terrorists instead of the difficulting in factoring large integers. :)
ffs, the man set fire to his own underpants!
If we are terrorised by the hopeless what hope is there?!
i thought the idea was to stay off of the watch lists? apparently, getting on to them so that no one watches you is the way to do it.
With what our insecurity group has stated I would say the next bomber will be a female wearing protection. How are they going to handle this one at the check points. They stated that the crotch is a spot the new X-ray unit cannot detect explosives. This guy had it in his shorts how about a hygiene item used by females. They have used them in the past. I am not sure what the promise is for females but they can and do recruit them. What are you going to do when your wife or daughter receives a close inspection? It is intelligence not the junk in the airports. This has been repeatedly been proven we are just unintelligent. CIA, NSA, FBI, MI5, etc. should be fired due to lack of intelligence.
@ Brian 1-25...
Second, as I just posted about, is bias, which I don't even believe is deliberate. After 9/11, people who already thought the president was incompetent saw it as reinforcement of what they already knew. Now, people who already think the president is inexperienced or doesn't take national security seriously similarly have their opinions reinforced
As humans we filter tons of information every day- and every one of us has specific biases. What most don't realize is HOW MUCH our perceptions are warped by it.
Why is "I told you so" the hardest thing to keep in?
I have enjoyed reading some layman level physchology that discusses this issue. Basically the ideas I see seem to be that "we all like to be consistent" or feel smart or vindicated regarding the opinions we currently hold. It's universal isn't it?
It seems it is just human nature to *over-emphasize* the value of any new information that supports our opinion- and the reverse is true. We all *devalue* and dismiss information that runs counter to our thinking.
It's easy to see the "conscious dismissal of facts" in people who are arguing with you, much harder to catch yourself doing it. But you do. In effect we twist new events into supporting what we thought all along. These topics of debate are no exception. As a result, as Brian said, the bias doesn't have to be intentional. Aha! See I was right all along!!
One of the problems is that our initial opinions (which we will cling to irrationally) are rarely formed based on enough information to try and claim anything like real accuracy. Especially for complicated issues.
I see a lot of prejudicial and biased thinking about the intelligence community, the military, the government, etc. (All of which I have had some personal experience with- but I claim no real expertise or special knowledge).
That does not mean we should not debate the issues hindered as we are, just that we should try and be aware of the assumptions and bias- in ourselves and others, so we can filter out the chaff, avoid error and arrive at better conclusions.
I like the article itself. I love the technique to "lay out the facts everyone knows" and then expose them to more specific information. I don't always agree with you Bruce, but you are always worth reading and thoughtful consideration.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..