Schneier on Security
A blog covering security and security technology.
« Christmas Bomber: Where Airport Security Worked |
| Adopting the Israeli Airport Security Model »
January 4, 2010
Vatican Admits Perfect Security is Both Impossible and Undesirable
This is refreshing:
Father Lombardi said it was not realistic to think the Vatican could ensure 100% security for the Pope and that security guards appeared to have acted as quickly as possible.
It seems that they intervened at the earliest possible moment in a situation in which zero risk cannot be achieved," he told the Associated Press news agency.
"People want to see him up close and he's pleased to see them closely too. A zero risk doesn't seem realistic in a situation in which there's a direct rapport with the people."
EDITED TO ADD (1/4): This is particularly enlightened in comparison to the fears that somehow the U.S. president was endangered by people sneaking into a dinner with him. Presidents meet and shake hands with uncleared random people all the time; the Secret Service knows how to deal with that sort of thing.
Posted on January 4, 2010 at 1:15 PM
• 31 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
One hopes it was said without any mental reservation.
Now that the Vatican has admitted to being fallible on security maybe it's time other bodies did likewise...
If only there were some all-powerful entity they could appeal to that would protect them with "zero risk" security . . .
Does that mean that Fr. Lombardi believes that zero risk would be possible if the Pope had no public engagements?
wow! Who would think that such a lucid comment on the realism of the situation would come from the Holy See?
@Dave Page "Does that mean that ... believes that zero risk would be possible if ... no public engagements?"
Doubt it. The Catholic Church has extensive organizational memory. Some of those memories are labled "Borgia".
Hmm I wonder if the Italian Belecose Gent who just recently had a cathedral made of plaster of Paris shoved in his face thinks the same way?
And if not will he restrict his crowd pleasing activities to just bed hopping from now onwards?
What is it about Italy where two entirely seperate "nutters", with almost identical MO's, can have "second runs" on their elected leaders in just a few days...
@ BF Skinner,
Some of those memories are labled "Borgia".
You have just made me think,
"Maybe I should have used borgious not belecose to describe the Italian incumbrent, it might all things considered be more appropriate ;)
Wow, you really have sth to the Vatican.
I mean, I'm not Catholic, but why do you bash people considered "old school" when they say somenthing that actually makes sense, I can't understand.
@ Clive Robinson
'What is it about Italy where two entirely seperate "nutters", with almost identical MO's, can have "second runs" on their elected leaders in just a few days...'
Italy has perfected the art of the mob. I've been to some of those audiences. People actually rush the turnstyles and charge into the seating area as soon as they have an in. I'd be surprised if they could keep anyone out.
Your update seems to highlight an inconsistency in your condemnation of security theatre. Whether or not it is "enlightened" for someone who claims to have God's incorporeal ear to preach a gospel of insurmountable risk, doesn't it seem like saying the President is safe when security personnel don't do their job a nod in favor of the theatre? I mean, if the party screeners weren't increasing the security, why even have them there providing *false* security in the first place? And regardless of any fears of danger, what's the point of having an invite-only event if the people you're paying to do the simple task of checking the invitations can't do the job?
Haven't the Vatican always been against adopting preventative measures? ;-)
What is it about Italy where two entirely seperate "nutters", with almost identical MO's, can have "second runs" on their elected leaders in just a few days...
I rem remarking on how crazy the Italians are...........breaking the PM's noose with a relic.........pushing the pope to the ground.....
Offcourse are response was........."thank God i am half Italian.."
@Impossibly Stupid: Bruce is suggesting that absolute and complete security is impossible; the gatecrashers, Pope dragger-downers and underpants bomber all show that it's most effective to mitigate against the largest and most drastic risk - but that little risks here and there are both impossible to prevent and expensive to [not] stop.
The underpants bomber is a good example to people like him that a) you're unlikely to succeed and b) you may be ripped apart by other people when that happens.
Millions of people are now being impacted because of that attempt. The terrorists have us terrorised and therefore win. If we looked at the stats and decided "wow, nothing really changed here" then terrorists might not be winning.
How would you, Impossibly Stupid, prevent all tickets on an aircraft being bought by people who all have the same objective? I'm sure the cockpit door will fall eventually.....and there you have it.
Security is always a trade-off. Fly us in individual coffins, doped-up, to our vacation locations? It'll still be a problem. Computerise the transport control.....still a problem. And we have to accept that as we minimise and mitigate against the worst case scenarios.
@Lee: You just gave away a nice movie-plot threat for this year's contest. :-)
Bruce is advocating risk analysis as opposed to throwing money at the problem in gigantic handfuls hoping it will go away.
Security is necessary, but the trade-off between security and accessibility or usability is more important.
What good is a perfectly secure computer if that means it is powered off and unplugged?
What good is a Pope if you keep locked in a prison with no public contact?
I object to the many off-topic and anti-Catholic comments posted above.
Bruce, on the other hand, makes a good point. Perfect security is not attainable, and near perfect security is not practical. A prudent security policy involves some trade-offs.
@abcd: The Pope is infallible on matters of Faith. "Other bodies of knowledge" and "Security" are not subsets of Faith, although I suppose Catholicism would consider Faith a superset over some areas of other bodies of knowledge.
@D: I'm hoping you're kidding, but if not I think the Holy Father leaves his security to the earthly Swiss Guards, not to the heavenly Angelic ones.
That's like the story of the man who sat on his roof and asked God to save him from a flood, but ignored the weather reports, disaster warnings, rescue trucks, rescue helicopter, and rescue boats as the waters rose because none were divine enough. Jesus saves us from sin, not stupidity.
@Tim: Now I've got a Monty Python song in my head. Thanks a bunch.
I am most interested in my Church's measured response to this issue; especially in comparison to my country's contrived security measures that cost a very lot and buy very little.
I think my country could learn a lesson from my Church's wisdom in the matter (not to mention knowledge, understanding, counsel, and courage) regarding risk assessment.
@Lee and Jason
Please don't raise straw man arguments. I questioned the specific failures in the two cases presented, not any other cases of security theater. It seems perfectly reasonable to question the security implications of *not* adhering to a whitelist, and investigating what *other* procedures might be lax. I'm just wondering whether or not Bruce thinks access control is mere security theater, because it seems to be the foundation of a lot of serious security.
@ Yes Im Catholic
"I object to the many off-topic and anti-Catholic comments posted above."
Yeah, its other sins notwithstanding a case can be made that the Roman Catholic Church has traditionally engaged in less magical thinking than its evangelical, fundamentalist, pentecostal, prosperity gospel, mega-church celebrity competitors.
In this case Fr. Lombardi's sensible comments reflect an awareness of the security trade-offs necessary to conduct business. Absolute security is not possible but the task would be much simpler if we had no organizational interests, nothing to get done, no human interaction, no where to go, and all the time in the world.
"I'm just wondering whether or not Bruce thinks access control is mere security theater, because it seems to be the foundation of a lot of serious security."
I can't speak for Bruce, but I'm guessing he might start with "The devil's in the details..."
'Access control' could mean a lot of things. If you have a 10ft thick steal door to a vault manned with astute armed guards checking IDs against a whitelist, it's not exactly 'theatre'. It may not be infallibly secure, but it's still an attempt at real security. If the steel door is actually made of paper mache and the guards are illiterate, that's security theater.
What's with all the (seemingly perfunctory) offense taken on behalf of the Vatican?
First of all, Bruce is giving accolades to the church for openly acknowledging a fundamental truth about security in direct contrast to a 'world-gone-mad'. The whole post was a positive one.
Secondly, I don't really see many harsh comments at all in regards to the Vatican here...? A few tongue-in-cheek one-offs here or there, but really?
Finally, if you are a Catholic, or have sympathetic, familial, or spiritual ties to the Vatican in any way, you would do well to not only acknowledge, but remember well the sins of its past.
The church itself would be the first to deny its own divinity, being a cornerstone of their beliefs, and as such is just as vulnerable to sin and temptation as every man woman and child on this earth.
Like any other world-wide organization of humans in power (spiritual or secular) the Vatican deserves just as much scrutiny and criticism as the next multi-billion dollar corporation (for-profit or not). The big difference here is that most multi-national, multi-billion dollar organizations don't have nearly 2,000 years of history on the books, nor as much sway over the global populace and its world-view.
The church is not infallible, much like security. If it hadn't been questioned or criticized in the past, we would still be touting the 6,500 year-old Earth-centric universe. I think it can handle a few quips every now and again and still save face.
"The devil's in the details..."
But that's precisely the problem: he took a cheap shot at a real security concern with the President and heaped praise on church for an isolated case of *not* engaging in magical thinking. It just doesn't make any sense, so I was hoping for clarification.
And, again, it's unnecessary to make up fake situations to draw analogies when the specific incidents seem straightforward enough. The security for the President's event was supposed to allow in only a whitelist of guests who had been background checked; how is a failure at such a simple level *not* a major cause for concern?
As far as the President's uninvited dinner guests go - it's easy. You follow the 80/20 rule. Same with airports. *Ideally* you enact reasonable defenses that balance with the appropriate trade-offs based on the value of the asset and assessed risk. Using defense-in-depth, you have mitigating measures for the dedicated folks who can penetrate your first line of defense. Lastly, you accept a certain amount of risk and deal with that if all else fails.
Bottom line: The people who sashayed into the State Dinner were wealthy folks who knew people and based on that figured out how to social engineer their way in. It wasn't Joe off the street with a prostitute on his arm who just said, "We're here to see the President, uh hehe ehe hehe..." These people were in so many words well prepared interlopers who failed to pose a threat despite compromising the first line of defense. The question of: but what if they wanted to do harm isn't relevant. The response to conjecture like that is, but what if they had wanted to do harm and hadn't been let in?
The question of access control is a good one. We as consumers demand access to fly and access to the Pope (maybe not all of us there ;)).
If you permit access then you have to acknowledge that you are going to allow access (a decision, there) to the commodity.
What we have from the terrorist attack is a change affecting many people.
What we have from the Pope being dragged to the ground is an understanding of "yes that might happen but that is the worst that'll happen, in theory" approach.
The fact that millions of people have been directly affected by the underpants bomber is a confirmation that the attack was a success.
It's that simple, I think.
And control of the guest list is not the Secret Service's only security measure! The President's physical security would be pretty safe if they just invited 200 random people for dinner. They will be screened for weapons, so unless they use table utensils to start a fight, he's gonna be ok.
This is my beef with aviation watch lists. Sure, they improve security by eliminating known threats, but the absolute fallback measure should be that all pax are screened for explosives and weapons 100%.
Perhaps if you drop the attitude and ask your questions with obvious intent and clarity, you might get a proper answer. When you ask stupid questions you get answers to stupid questions, framed appropriately.
Initially you asked: "I'm just wondering whether or not Bruce thinks access control is mere security theater, because it seems to be the foundation of a lot of serious security."
The short answer is that any security measure can be considered security theater depending on how it's implemented, but stating that a particular security measure is security theater based on it having a greater-than-zero percent chance of failure is just stupid.
So next, following some smartass remarks, you asked an entirely different question altogether: "The security for the President's event was supposed to allow in only a whitelist of guests who had been background checked; how is a failure at such a simple level *not* a major cause for concern?"
The failure itself (ie - overlooking the party crashers) is perhaps a major cause for concern if you're catering the event, but like Bruce said, the hullabaloo is entirely unfounded.
Why? Maybe you should read what Bruce posted before blathering on in the comments about how he's an idiot. He answered this question immediately. The failure is not a major cause for concern because the president speaks and interacts with thousands of random people during the course of the presidency. Placing such a high level of importance on the effectiveness of a whitelist to keep him safe from harm would be the real idiocy here.
Ever heard of the secret service? Well, it's generally their job to ensure that no bodily harm befalls the president. They are there to protect him from friends, foes and associates alike.
What would be impossibly stupid, though, would be to assume that people who wish the president harm are somehow magically unable to get themselves invited to the party or get their name on a whitelist.
Wow, if anyone needs an attitude check it is you. My questions were simple and direct and undeserving of the bile you churned up. Trying to distill out all that anger I'll just make one point: when resources are limited, it is appropriate to use them wisely. The Secret Service can and do protect the President, but that doesn't mean that every event should be organized as "uncleared random people", because the strain on resources is just too great. My assumption is that a whitelist of pre-checked guests had a security value that was discarded when someone didn't do their job. That's all I was asking for Bruce to comment on, and if he's letting you speak for him on this matter then so be it.
People seem to have short memories.
The Vatican has quite a lot of experience here, after all. The Pope John Paul II was shot and nearly killed in 1981...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.