Blog: April 2010 Archives

Homeopathic Bomb

This is funny:

The world has been placed on a heightened security alert following reports that New Age terrorists have harnessed the power of homeopathy for evil. “Homeopathic weapons represent a major threat to world peace,” said President Barack Obama, “they might not cause any actual damage but the placebo effect could be quite devastating.”

[…]

Homeopathic bombs are comprised of 99.9% water but contain the merest trace element of explosive. The solution is then repeatedly diluted so as to leave only the memory of the explosive in the water molecules. According to the laws of homeopathy, the more that the water is diluted, the more powerful the bomb becomes.

[…]

“A homeopathic attack could bring entire cities to a standstill,” said BBC Security Correspondent, Frank Gardner. “Large numbers of people could easily become convinced that they have been killed and hospitals would be unable to cope with the massive influx of the ‘walking suggestible.’”

It’s a little too close to reality, though.

Posted on April 30, 2010 at 2:28 PM · 49 Comments

Fun with Secret Questions

Ally Bank wants its customers to invent their own personal secret questions and answers; the idea is that an operator will read the question over the phone and listen for an answer. Ignoring for the moment the problem of the operator now knowing the question/answer pair, what are some good pairs? Some suggestions:

Q: Do you know why I think you’re so sexy?
A: Probably because you’re totally in love with me.

Q: Need any weed? Grass? Kind bud? Shrooms?
A: No thanks hippie, I’d just like to do some banking.

Q: The Penis shoots Seeds, and makes new Life to poison the Earth with a plague of men.
A: Go forth, and kill. Zardoz has spoken.

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.

Q: I’ve been embezzling hundreds of thousands of dollars from my employer, and I don’t care who knows it.
A: It’s a good thing they’re recording this call, because I’m going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

Okay, now it’s your turn.

Posted on April 30, 2010 at 7:24 AM

Hypersonic Cruise Missiles

The U.S. is developing a weapon capable of striking anywhere on the planet within an hour. The article talks about the possibility of modifying Trident missiles—problematic because they would be indistinguishable from nuclear weapons—and using the Mach 5–capable X-51 hypersonic cruise missile.

Interesting technology, but we really need to think through the political ramifications of this sort of thing better.

EDITED TO ADD (5/13): Report on the policy implications.

Posted on April 29, 2010 at 1:28 PM · 63 Comments

Frank Furedi on Worst-Case Thinking

Nice essay by sociologist Frank Furedi on worst-case thinking, exemplified by our reaction to the Icelandic volcano:

I am not a natural scientist, and I claim no authority to say anything of value about the risks posed by volcanic ash clouds to flying aircraft. However, as a sociologist interested in the process of decision-making, it is evident to me that the reluctance to lift the ban on air traffic in Europe is motivated by worst-case thinking rather than rigorous risk assessment. Risk assessment is based on an attempt to calculate the probability of different outcomes. Worst-case thinking—these days known as ‘precautionary thinking’—is based on an act of imagination. It imagines the worst-case scenario and then takes action on that basis. In the case of the Icelandic volcano, fears that particles in the ash cloud could cause aeroplane engines to shut down automatically mutated into a conclusion that this would happen. So it seems to me to be the fantasy of the worst-case scenario rather than risk assessment that underpins the current official ban on air traffic.

[…]

Worst-case thinking encourages society to adopt fear as one of the key principles around which the public, the government and various institutions should organise their lives. It institutionalises insecurity and fosters a mood of confusion and powerlessness. Through popularising the belief that worst cases are normal, it also encourages people to feel defenceless and vulnerable to a wide range of future threats. In all but name, it is an invitation to social paralysis. The eruption of a volcano in Iceland poses technical problems, for which responsible decision-makers should swiftly come up with sensible solutions. But instead, Europe has decided to turn a problem into a drama. In 50 years’ time, historians will be writing about our society’s reluctance to act when practical problems arose. It is no doubt difficult to face up to a natural disaster—but in this case it is the all-too-apparent manmade disaster brought on by indecision and a reluctance to engage with uncertainty that represents the real threat to our future.

Posted on April 29, 2010 at 6:40 AM · 69 Comments

Can Safes

Hiding your valuables in common household containers is an old trick.

Diversion safes look like containers designed to hide your valuables in plain sight. Common diversion safes include fake brand name containers for soda pop, canned fruit, home cleaners, or even novels. Diversion can safes have removable tops or bottoms so that you can put your goods in them, and the safes are weighted so that they appear normal when handled.

These are relatively inexpensive, although it’s cheaper to make your own.

Posted on April 28, 2010 at 1:21 PM · 58 Comments

Seat Belt Use and Lessons for Security Awareness

From Lance Spitzner:

In January of this year the National Highway Traffic Safety Administration released a report called “Analyzing the First Years Of the Ticket or Click It Mobilizations”… While the report is focused on the use of seat belts, it has fascinating applications to the world of security awareness. The report focuses on 2000 – 2006, when most states in the United States began campaigns (called Ticket or Click-It) promoting and requiring the use of seat belts. Just like security awareness, the goal of the campaign was to change behaviors, specifically to get people to wear their seat belts when driving… The campaigns were very successful, resulting in a 20-23% increase in seat belt use regardless of which statistics they used. The key finding of the report was that enforcement and not money spent on media were key to results. The states that had the strongest enforcement had the most people using seat belts. The states with the weakest enforcement had the lowest seat belt usage.

[…]

I feel the key lesson here is not only must an awareness program effectively communicate, but to truly change behaviors what you communicate has to be enforced. An information security awareness campaign communicates what is enforced (your policies) and in addition it should communicate why. Then, follow up that campaign with strong, visible enforcement.

Posted on April 28, 2010 at 7:39 AM · 57 Comments

New York Police Protect Obama from Bicycles

They were afraid that they might contain pipe bombs.

This is the correct reaction:

In any case, I suspect someone somewhere just panicked at the possibility that something might explode near the President on his watch, since the whole operation has the finesse of a teenage stoner shoving his pot paraphernalia under the bed and desperately trying to clear the air with a copy of “Maxim” when he hears his parents coming home.

Seems that it’s legal:

When asked by Gothamist, their precinct contact replied: “No, they just did this because the president was coming and they didn’t want anything on the sidewalks. You’re not supposed to lock your bike to signposts anyway, they have those new bike racks you’re supposed to use.”

I’ll bet you anything that they didn’t leave the bicycles that were locked to the racks.

Posted on April 27, 2010 at 6:27 AM · 56 Comments

Punishing Security Breaches

The editor of the Freakonomics blog asked me to write about this topic. The idea was that they would get several opinions, and publish them all. They spiked the story, but I already wrote my piece. So here it is.

In deciding what to do with Gray Powell, the Apple employee who accidentally left a secret prototype 4G iPhone in a California bar, Apple needs to figure out how much of the problem is due to an employee not following the rules, and how much of the problem is due to unclear, unrealistic, or just plain bad rules.

If Powell sneaked the phone out of the Apple building in a flagrant violation of the rules—maybe he wanted to show it to a friend—he should be disciplined, perhaps even fired. Some military installations have rules like that. If someone wants to take something classified out of a top secret military compound, he might have to secrete it on his person and deliberately sneak it past a guard who searches briefcases and purses. He might be committing a crime by doing so, by the way. Apple isn’t the military, of course, but if their corporate security policy is that strict, it may very well have rules like that. And the only way to ensure rules are followed is by enforcing them, and that means severe disciplinary action against those who bypass the rules.

Even if Powell had authorization to take the phone out of Apple’s labs—presumably someone has to test drive the new toys sooner or later—the corporate rules might have required him to pay attention to it at all times. We’ve all heard of military attachés who carry briefcases chained to their wrists. It’s an extreme example, but demonstrates how a security policy can allow for objects to move around town—or around the world—without getting lost. Apple almost certainly doesn’t have a policy as rigid as that, but its policy might explicitly prohibit Powell from taking that phone into a bar, putting it down on a counter, and participating in a beer tasting. Again, if Apple’s rules and Powell’s violation were both that clear, Apple should enforce them.

On the other hand, if Apple doesn’t have clear-cut rules, if Powell wasn’t prohibited from taking the phone out of his office, if engineers routinely ignore or bypass security rules and—as long as nothing bad happens—no one complains, then Apple needs to understand that the system is more to blame than the individual. Most corporate security policies have this sort of problem. Security is important, but it’s quickly jettisoned when there’s an important job to be done. A common example is passwords: people aren’t supposed to share them, unless it’s really important and they have to. Another example is guest accounts. And doors that are supposed to remain locked but rarely are. People routinely bypass security policies if they get in the way, and if no one complains, those policies are effectively meaningless.

Apple’s unfortunately public security breach has given the company an opportunity to examine its policies and figure out how much of the problem is Powell and how much of it is the system he’s a part of. Apple needs to fix its security problem, but only after it figures out where the problem is.

Posted on April 26, 2010 at 7:20 AM · 71 Comments

Security Fog

An odd burglary prevention tool:

If a burglar breaks in, the system floods the business with a dense fog similar to what’s used in theaters and nightclubs. An intense strobe light blinds and disorients the crook.

[…]

Mazrouei said the cost to install the system starts at around $3,000.

Police point out that the system blinds interior security cameras as well as criminals. Officers who respond to a burglary also will not enter a building when they can’t see who’s inside. Local firefighters must be informed so they don’t mistake the fog for smoke.

EDITED TO ADD (4/21): I blogged about the same thing in 2007, though that version was marketed to homeowners. It’s interesting how much more negative my reaction is to fog as a home security device than as a security device to protect retail stock.

Posted on April 21, 2010 at 12:55 PM · 54 Comments

Young People, Privacy, and the Internet

There’s a lot out there on this topic. I’ve already linked to danah boyd’s excellent SXSW talk (and her work in general), my essay on privacy and control, and my talk—“Security, Privacy, and the Generation Gap”—which I’ve given four times in the past two months.

Last week, two new papers were published on the topic.

“Youth, Privacy, and Reputation” is a literature review published by Harvard’s Berkman Center. It’s long, but an excellent summary of what’s out there on the topic:

Conclusions: The prevailing discourse around youth and privacy assumes that young people don’t care about their privacy because they post so much personal information online. The implication is that posting personal information online puts them at risk from marketers, pedophiles, future employers, and so on. Thus, policy and technical solutions are proposed that presume that young people would not put personal information online if they understood the consequences. However, our review of the literature suggests that young people care deeply about privacy, particularly with regard to parents and teachers viewing personal information. Young people are heavily monitored at home, at school, and in public by a variety of surveillance technologies. Children and teenagers want private spaces for socialization, exploration, and experimentation, away from adult eyes. Posting personal information online is a way for youth to express themselves, connect with peers, increase popularity, and bond with friends and members of peer groups. Subsequently, young people want to be able to restrict information provided online in a nuanced and granular way.

Much popular writing (and some research) discusses young people, online technologies, and privacy in ways that do not reflect the realities of most children and teenagers’ lives. However, this provides rich opportunities for future research in this area. For instance, there are no studies of the impact of surveillance on young people—at school, at home, or in public. Although we have cited several qualitative and ethnographic studies of young people’s privacy practices and attitudes, more work in this area is needed to fully understand similarities and differences in this age group, particularly within age cohorts, across socioeconomic classes, between genders, and so forth. Finally, given that the frequently-cited comparative surveys of young people and adult privacy practices and attitudes are quite old, new research would be invaluable. We look forward to new directions in research in this area.

“How Different Are Young Adults from Older Adults When it Comes to Information Privacy Attitudes & Policy?” from the University of California Berkeley, describes the results of a broad survey on privacy attitudes.

Conclusion: In policy circles, it has become almost a cliché to claim that young people do not care about privacy. Certainly there are many troubling anecdotes surrounding young individuals’ use of the internet, and of social networking sites in particular. Nevertheless, we found that in large proportions young adults do care about privacy. The data show that they and older adults are more alike on many privacy topics than they are different. We suggest, then, that young-adult Americans have an aspiration for increased privacy even while they participate in an online reality that is optimized to increase their revelation of personal data.

Public policy agendas should therefore not start with the proposition that young adults do not care about privacy and thus do not need regulations and other safeguards. Rather, policy discussions should acknowledge that the current business environment along with other factors sometimes encourages young adults to release personal data in order to enjoy social inclusion even while in their most rational moments they may espouse more conservative norms. Education may be useful. Although many young adults are exposed to educational programs about the internet, the focus of these programs is on personal safety from online predators and cyberbullying with little emphasis on information security and privacy. Young adults certainly are different from older adults when it comes to knowledge of privacy law. They are more likely to believe that the law protects them both online and off. This lack of knowledge in a tempting environment, rather than a cavalier lack of concern regarding privacy, may be an important reason large numbers of them engage with the digital world in a seemingly unconcerned manner.

But education alone is probably not enough for young adults to reach aspirational levels of privacy. They likely need multiple forms of help from various quarters of society, including perhaps the regulatory arena, to cope with the complex online currents that aim to contradict their best privacy instincts.

They’re both worth reading for anyone interested in this topic.

Posted on April 20, 2010 at 1:50 PM · 35 Comments

The Effectiveness of Political Assassinations

This is an excellent read:

I wouldn’t have believed you if you’d told me 20 years ago that America would someday be routinely firing missiles into countries it’s not at war with. For that matter, I wouldn’t have believed you if you’d told me a few months ago that America would soon be plotting the assassination of an American citizen who lives abroad.

He goes on to discuss Obama’s authorization of the assassination of Anwar al-Awlaki, an American living in Yemen. He speculates on whether or not this is illegal, but spends more time musing about the effectiveness of assassination, referring to a 2009 paper from Security Studies: “When Heads Roll: Assessing the Effectiveness of Leadership Decapitation”: “She studied 298 attempts, from 1945 through 2004, to weaken or eliminate terrorist groups through ‘leadership decapitation’—eliminating people in senior positions.”

From the paper’s conclusion:

The data presented in this paper show that decapitation is not an effective counterterrorism strategy. While decapitation is effective in 17 percent of all cases, when compared to the overall rate of organizational decline, decapitated groups have a lower rate of decline than groups that have not had their leaders removed. The findings show that decapitation is more likely to have counterproductive effects in larger, older, religious, and separatist organizations. In these cases decapitation not only has a much lower rate of success, the marginal value is, in fact, negative. The data provide an essential test of decapitation’s value as a counterterrorism policy.

There are important policy implications that can be derived from this study of leadership decapitation. Leadership decapitation seems to be a misguided strategy, particularly given the nature of organizations being currently targeted. The rise of religious and separatist organizations indicates that decapitation will continue to be an ineffective means of reducing terrorist activity. It is essential that policy makers understand when decapitation is unlikely to be successful. Given these conditions, targeting bin Laden and other senior members of al Qaeda, independent of other measures, is not likely to result in organizational collapse. Finally, it is essential that policy makers look at trends in organizational decline. Understanding whether certain types of organizations are more prone to destabilization is an important first step in formulating successful counterterrorism policies.

Back to the article:

Particularly ominous are Jordan’s findings about groups that, like Al Qaeda and the Taliban, are religious. The chances that a religious terrorist group will collapse in the wake of a decapitation strategy are 17 percent. Of course, that’s better than zero, but it turns out that the chances of such a group fading away when there’s no decapitation are 33 percent. In other words, killing leaders of a religious terrorist group seems to increase the group’s chances of survival from 67 percent to 83 percent.

Of course the usual caveat applies: It’s hard to disentangle cause and effect. Maybe it’s the more formidable terrorist groups that invite decapitation in the first place—and, needless to say, formidable groups are good at survival. Still, the other interpretation of Jordan’s findings—that decapitation just doesn’t work, and in some cases is counterproductive—does make sense when you think about it.

For starters, reflect on your personal workplace experience. When an executive leaves a company—whether through retirement, relocation or death—what happens? Exactly: He or she gets replaced. And about half the time (in my experience, at least) the successor is more capable than the predecessor. There’s no reason to think things would work differently in a terrorist organization.

Maybe that’s why newspapers keep reporting the death of a “high ranking Al Qaeda lieutenant”; it isn’t that we keep killing the same guy, but rather that there’s an endless stream of replacements. You’re not going to end the terrorism business by putting individual terrorists out of business.

You might as well try to end the personal computer business by killing executives at Apple and Dell. Capitalism being the stubborn thing it is, new executives would fill the void, so long as there was a demand for computers.

Of course, if you did enough killing, you might make the job of computer executive so unattractive that companies had to pay more and more for ever-less-capable executives. But that’s one difference between the computer business and the terrorism business. Terrorists aren’t in it for the money to begin with. They have less tangible incentives—and some of these may be strengthened by targeted killings.

Read the whole thing.

I thought this comment, from former senator Gary Hart, was particularly good.

As a veteran of the Senate Select Committee to Investigate the Intelligence Services of the U.S. (so-called Church committee), we discovered at least five official plots to assassinate foreign leaders, including Fidel Castro with almost demented insistence. None of them worked, though the Diem brothers in Vietnam and Salvador Allende in Chile might argue otherwise. In no case did it work out well for the U.S. or its policy. Indeed, once exposed, as these things inevitably are, the ideals underlying our Constitution and the nation’s prestige suffered incalculable damage. The issue is principle versus expediency. Principle always suffers when expediency becomes the rule. We simply cannot continue to sacrifice principle to fear.

Additional commentary from The Atlantic.

EDITED TO ADD (4/22): The Church Committee’s report on foreign assassination plots.

EDITED TO ADD (5/13): Stratfor

Is MI5 playing a joke on us?

Female homicide bombers are being fitted with exploding breast implants which are almost impossible to detect, British spies have reportedly discovered.

[…]

MI5 has also discovered that extremists are inserting the explosives into the buttocks of some male bombers.

“Women suicide bombers recruited by Al Qaeda are known to have had the explosives inserted in their breasts under techniques similar to breast enhancing surgery,” Terrorist expert Joseph Farah claims.

They’re “known to have” this? I doubt it. More likely, they could be:

Radical Islamist plastic surgeons could be carrying out the implant operations in lawless areas of Pakistan, security sources are said to have warned.

They also could be having tea with their families. They could be building killer robots with lasers shooting out of their eyes.

I love the poor Photoshop job in this article from The Sun.

Perhaps we should just give up. When this sort of hysterical nonsense becomes an actual news story, the terrorists have won.

Posted on April 1, 2010 at 1:33 PM · 69 Comments

Fifth Annual Movie-Plot Threat Contest

Once upon a time, men and women throughout the land lived in fear. This caused them to do foolish things that made them feel better temporarily, but didn’t make them any safer. Gradually, some people became less fearful, and less tolerant of the foolish things they were told to submit to. The lords who ruled the land tried to revive the fear, but with less and less success. Sensible men and women from all over the land were peering behind the curtain, and seeing that the emperor had no clothes.

Thus it came to pass that the lords decided to appeal to the children. If the children could be made more fearful, then their fathers and mothers might also become more fearful, and the lords would remain lords, and all would be right with the order of things. The children would grow up in fear, and thus become accustomed to doing what the lords said, further allowing the lords to remain lords. But to do this, the lords realized they needed Frightful Fables and Fear-Mongering Fairytales to tell the children at bedtime.

Your task, ye Weavers of Tales, is to create a fable or fairytale suitable for instilling the appropriate level of fear in children so they grow up appreciating all the lords do to protect them.

That’s this year’s contest. Make your submissions short and sweet: 400 words or less. Imagine that someone will be illustrating this story for young children. Submit your entry in comments; deadline is May 1. I’ll choose several semifinalists, and then you all will vote for the winner. The prize is a signed copy of my latest book, Cryptography Engineering. And if anyone seriously wants to illustrate this, please contact me directly—or just go for it and post a link.

Thank you to loyal reader—and frequent reader of my draft essays—“grenouille,” who suggested this year’s contest.

And good luck!

The First Movie-Plot Threat Contest rules and winner. The Second Movie-Plot Threat Contest rules, semifinalists, and winner. The Third Movie-Plot Threat Contest rules, semifinalists, and winner. The Fourth Movie-Plot Threat Contest rules and winner.

EDITED TO ADD (4/1): I’m looking for entries in the form of a fairytale or fable. Plot summaries and descriptions won’t count as entries, although you are welcome to post them and comment on them—and use them if others post them.

EDITED TO ADD (5/15): Voting is now open here.

Posted on April 1, 2010 at 6:24 AM · 110 Comments