Schneier on Security
A blog covering security and security technology.
August 9, 2013
Latest Movie-Plot Threat: Explosive-Dipped Clothing
It's being reported, although there's no indication of where this rumor is coming from or what it's based on.
...the new tactic allows terrorists to dip ordinary clothing into the liquid to make the clothes themselves into explosives once dry.
"It's ingenious," one of the officials said.
Another senior official said that the tactic would not be detected by current security measures.
I can see the trailer now. "In a world where your very clothes might explode at any moment, Bruce Willis is, Bruce Willis in a Michael Bay film: BLOW UP! Co-starring Lindsay Lohan..."
I guess there's nothing to be done but to force everyone to fly naked.
Posted on August 9, 2013 at 6:04 AM
• 68 Comments
Great. Monday's headline: "Security expert: flying naked a must".
Perhaps AQ has figured out that their communications are being monitored by the NSA, so they might as well inject some disinformation.
Attention US citizens: This has absolutely nothing to do with the intense scrutiny we've been under lately. This is true, honest. We would never lie to you.
Similar in a way to how certain fertilizers have been turning farmer's dungarees into gun cotton for over 50 years.
Bruce, have you heard yet that lavabit.com has closed down?
Apparently, somebody learned what happens when you mix cotton with nitric acid. I have bad news for you, though- you aren't going to wear those clothes ever again.
Amusingly, this idea isn't even novel. This was used in a gimmick in Harry Harrison's Stainless Steel Rat's Revenge. (google books linky) for lack of a better way to cite.
It'd be absolutely horrible if more terrorists read fiction.
Page on ABCnews.com has been removed. If folks have to fly in g-strings and pasties it will do away with the x-rays
Next: Government Ad campaign saying "Don't accept free T-Shirts from strangers. Don't take hitchhikers. Don't breathe air! Coz you just might die."
>>[...] into explosives once dry.
>>I guess there's nothing to be done but to force everyone to fly naked.
... or wet! At least the ladies :-)
So these are non-nitrate liquid explosives that will get past sniffers and swabs right?
I've seen what happens when nitrated jeans are ignited (I was young, Conc. Nitric acid was available). I'm sure it would have stung if I'd been wearing them but undirected it just flashed (probably more than the sweat would have if I'd been wearing them), but I don't see how it'd do a lot of damage. Maybe if soaked into heavy clothing which was then jammed into a critical area.
... lavabit.com has closed down?
And Silent Circle (?)
Both have co-operated with individual warrants before so perhaps this time it's a blanket order.
NOTE: I'm speculating.
Doesn't sound like it would make a good bomb. No compression. Might flare up nicely.
But you'd smell like a chemical factory. "Not detected by current security measures," my butt.
Didn't we see it here in 2006?
I've read about that kind of explosives when I was a kid. The book is called The Stainless Steel Rat's Revenge (1970, by Harry Harrison).
There is a strong security disadvantage to paranoia, it breeds easy scenarios for *distraction* and exhausts resources which makes them easily controlled.
It breeds fantasy and negative imagination. They can get into a situation where they want to believe the fantasy, and so their enemies can provide it.
None of these efforts does anything to prevent a nation backed adversary, which is a very real threat -- especially when the US is continuing to stay in foreign countries with a military presence and building up intel and military infrastructure.
If you have a neighbor who is constantly buying weapons and building bunkers, you might not be so nervous. But if they are also committing home invasions in your neighborhood, you would be stupid not to be nervous. Especially if they are irrational about it. Say they invade someone else's home near yours because they believe they have the really bad weapons they themselves have. Only it turns out that they did not. Then you do not have just someone who is well armed and with a bunker, but they are also completely fucking crazy.
I seem to recall Ryan Air had some fun with the "fly naked" meme some ten (or so) years ago.
That kind of reminds me of Heinlein's puppet master story since it was a "workable" security measure though I'm not sure how well politicians could lie w/o clothing. (All right, so it was fiction.)
I wonder if there are many security issues in Cap D'Agde.
@Scott "SFITCS" Ferguson
"And Silent Circle (?)" [is down]
No, not the entire enterprise; only their "Silent Mail".
I am surprised at the (apparently) huge market for commercial, encrypted comm. "solutions". Over the 16 years that I've used asymmetric encryption - starting with PGP (v2.2?) - I never needed special tools or web sites, beyond the encryption program on my PC and an email service.
Flying naked will be a whole new experience sitting in the middle seat next to a 400-pound sweathog ...
Flying naked would be a bit cheaper on Samoa Air
Every suitcase full of dirty laundry will now be suspect ... and I don't know how you differentiate between laundry of ordinary teenagers and that soaked in explosives. ;-)
There was a CSI:Miami (?) episode with exploding wedding dresses. Some nefarious guy had sewn det cord into the seams.
TSA rule #999: No brides on planes.
@Scott "SFITCS" Ferguson
According to the article as @CallMeLateForSupper says, only part of the service but, from what I can tell, the only bit we find useful.
I have (or rather had) an account with lavabit and now I'm looking for a non-US alternative that is as immune to pressure from the US-IC/Govt as possible. That also rules out AUS/NZ/CAN/UK (five-eyes), probably much of Eastern Europe the Baltics and China/HK/SG.
Then I can drop google for good.
Any suggestions? Possibly some crew in Venezuela?
Naked, in handcuffs, after a cavity search more likely.
This idea has popped up in fiction books one way or another for over a century.
My current favorite can be found in Terry Pratchett's "Going Postal" basically an old codger with his own ideas about avoiding the common cold and other similar maladies puts sulfur in his socks that he has washed with a solution of salts of potassium, and sprinkled charcoal in the soles of his boots to help keep the foot pong down...
For those that don't know this is approximately the recipe for gun powder and would make you a little more than "hot foot" :-)
But... this is not a myth urban or otherwise there is quite a bit of truth to this and many years ago at a weekend house party in Oxford I was joking with Terry and his wife about exploding socks (as well as telling an appalling joke about the difference between Kinky and perverted).
Obviously as many people know you can buy today charcoal impregnated inner soles for your shoes very easily, also the inventor of Television John Logie Baird, once had a slightly profitable business selling his patent medicated socks that were impregnated with sulfur and as for Saltpeter (saltpetre) this was often used in foot baths and was (and still is) readily available to make cures for pork and beef (it's the salt in proper corned beef and one of the main constituents in bacon cures as it keeps the meat pink not the grey of salt only cures, http://pods.dasnr.okstate.edu/docushare/dsweb/... ).
If you can't get hold of it by the kilo you can fairly easily make it at home but it won't be safe to eat but just fine for pyrotechnics. The recipe can be seen here,
Oh and the by product ammonium chloride (E510, sal ammoniac) is also used as a medication food additive and chemical in pyrotechnics such as smoke bombs. Oh and most importantly for this blog is used by the giant squid for its buoyancy :-)
For 20+ years there have been what we can call for paranoia reasons explosive fabrics. Factory made ones. Look up LEXFOAM. Liquid explosive foams. Sprayable, or you can buy them as foam sheets or blocks. So, foam explosive sheeting that's sewn into my clothing, backpack, etc.
Of course, these are still what we call "non-magical" explosives. They should be detected by any number of scanning devices, or by the guy wearing lumpy clothing, sweating and trying to ignite it with a home-made match and fuse.
I decline to be fearful of the technology level of non-movie-villain terrorists.
On the same web site is another story that might be of interest,
Basically Florida Police taser another teenager to death.
Florida is developing a reputation like New York used to have where police officers just open fire when a suspect flees...
As with the several hundred other deaths caused by the use of tasers many of which are in Florida, I don't expect the "investigation" will do anything other than blame the victim and exonerate/glorify the officers that killed the unarmed teenager...
the new tactic allows terrorists to dip ordinary clothing into the liquid to make the clothes themselves into explosives once dry.
So they've rediscovered fly dynamite?
I'm fine with everyone flying naked as long as I can sit between two hot young college girls.
Maybe this is when as a country we finally start to figure out that you can't protect against every threat.
If you fly naked, will the airlines charge you for the sanitary seat cover necessary to protect from the last guy's butt stains?
The results of our inadequate science education are starting to affect every level of society, there's no place to hide anymore.
So much easier than attacking a plane is to merely phone in a threat & let law enforcement ground it.
The backlog of people routinely observed at airports everywhere (typically at check-in locations, but often also at baggage claim) is a readily accessible target someone with a firearm, explosive, etc. could readily attack easier than a plane, and attack more people. If this happened it would make people fear going to the airport, never mind about getting on a plane.
That such easy attacks, that could easily produce very high body counts, aren't occurring seems to suggest the real threat out there isn't really all that threatening.
... now I'm looking for a non-US alternative that is as immune to pressure from the US-IC/Govt as possible.
Venezuela wouldn't be my choice. Too unstable. I can think of several examples where the US ignored Australian laws - they're less likely to respect countries that aren't their allies.
But, if you insist - Switzerland doesn't keep logs without a court order by law, and I trust the Righthaven crew to be as "spineful" as humanly possible. :)
I suspect outsourcing of responsibility is a short-term solution no matter who or where it is (particularly if you allow the provider to control the private keys for some insane reason). The more trusted a provider the more attractive a target they are for compromise - and almost everyone can be compromised.
You probably know this, but... all it takes is one mistake in the environment you compute in or your use of encryption - or the same with anyone you communicate with. I consider all data captured for all time so it's impossible to calculate what constitutes a risk in the long-term. You don't need to be a criminal, non-impotent protestor, whistleblower, or investigative journalist to be a target. You simply need to be a potential vector to someone or something that represents a threat to a business that's seen as critical to some country's economy.
For that reason I wouldn't consider Righthaven hosting (they don't provide email yet anyway) any safer than Gmail or Windoof Live. The provider is only one link in the chain. The most reliable provider is yourself - I wouldn't use anything other than Debian for that.
Personally if enigmail isn't enough, then I'd run my own local email server and use enigmail. But it still requires compartmentalising risk (different keys for different folks) and constant education (especially of others). Basically if I can't live with any of my emails being read by anyone - I shouldn't have sent it.
NOTE: the chances of educating most people in how to use GPG properly are slim - most can't even see the point of digital signatures (or know what and how to trust them).
My first thought when reading this was nitrogen triiodide. Allegedly used during WWII by saboteurs to blow up train tracks as the vibration from the train was enough to set off the explosive. It is very stable when wet and very unstable when dry. Easy to make - ammonia (the purer, the better) and iodine crystals react to create NI3. The clothes would stink from the ammonia and the iodine would stain everything in sight.
My favorite movie plot idea is bring aboard a chunk of pure sodium wrapped up and labeled as a ball of mozzarella. Flush the sodium metal with warm water down the airplane toilet. The heat from the reaction should be enough to set off the hydrogen that is released.
Sorry Clive - I don't think black powder socks'll do more than defeat athlete's foot ;p
If anyone wanted to impregnate clothing with a useful explosive it's easy. Here's a simple 5 step plan.
Dissolve silver in conc. Nitric acid
Soak your clothing in it, then let it dry (best choose material carefully).
Put the clothing on (the order is critical)
Liberally apply alcohol to your new silver loaded suit
Call a taxi and head for your flight while the alcohol is still damp.
will make a big bang when it detonates.
Good luck :)
NOTE: just so long as no one figures out a bag of flour will do the trick... keeping bread products off planes is damn near impossible.
Wayne LaPierre, president of the National Rifle Association, will offer a solution to this undoubted risk:
All airline flights must include guardians wearing explosive clothing. "The only way to stop a bad guy with explosive clothes is with a good guy with explosive clothes. Americans must exercise and defend their constitutional right to wear arms!"
I agree; without end-to-end security, in both tech and behaviour/policy then the game is over or, at least, much shorter. It comes down to convenience versus security - a tradeoff I'm sure most here are aware of.
One alternative I see is to use mega.co.nz and invite trustees to share files and then drop data to exchange into a folder shared only with those for whom it's intended. (As long as the data was backed up somewhere else in case the GCSB kick Kim's door down again and wipe the server array.)
I seem to recall reading that David Petraeus was using a gmail account's Drafts folder as a drop-box to communicate with his ... er ... squeeze du jour.
I'm using slackware-64 (with mods of my own) which I'm pretty happy with. Debian, I agree, looks pretty solid too - I just prefer a command-line, a compiler, lynx and vim.
Now ... where's that bag of flour ...
I said after the TSA started its crap after 9/11, "Eventually, we'll all be flying naked."
I think flying naked would not be so bad at all, provided there are some blankets.
However there have been several cases of rectal explosives in the last few years:
I am surprised that there is no mandatory probing of body orifices prior to boarding a plane yet. Clearly this is a dramatic oversight and should immediately be implemented. Otherwise we'll lose the war on terror.
I always figured they'd get around to securing planes by (1) stripping us; (2) cavity search; (3) give us a hospital gown to board.
Looks like we are getting there...
It comes down to convenience versus security - a tradeoff I'm sure most here are aware of.
Yes. That's why I use email. :/
One alternative I see is to use mega.co.nz
That's one method. This works too - even when I don't make finding my key this easy:-
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP MESSAGE-----
If I2P-Bote doesn't interest you perhaps neomailbox.net (Swiss) might.
I seem to recall reading that David Petraeus was using a gmail account's Drafts folder as a drop-box to communicate with his ... er ... squeeze du jour.
I seem to remember he'd become a threat and was under observation. But maybe the official story was true (it's not like rooting around would ever be covered up).
I'm using slackware-64 (with mods of my own) which I'm pretty happy with.
Slackware is very good - only problem is it all depends on one guy (who's not very healthy). Expecting one person to check all that upstream code is a lot.
I just prefer a command-line, a compiler, lynx and vim.
A secure communication system should be no more than that. Vim is overkill when nano will edit, a compiler, perl, and any dev libraries should be removed once the system is built (simpler to audit, harder to hide, less tools for intruders, also easier to encrypt and backup to the tubes when travelling). LUKS is good, but only as secure as /boot. There are encrypted /boot systems but I'd rather use a micro-flash with an md5 check on /.
Now ... where's that bag of flour ... :) :D
Luckily you won't find magnesium, oxygen, epoxy, or aluminium on planes. Oh wait...
When my daughter was a toddler, her booster seat went through the scanner and set off their explosives detector. Fortunately there was a security guy there who was smart enough or experienced enough to understand that dried pee can do that: the detector is looking for NOx, which can be found in most explosives but also in urea.
Presumably the same technology would sniff the explosive-dipped clothes.
Judging from the environment on the average airplane, TNT is not necessary for the creation of assplosions ...
So all a terrorist needs to do is to soak a booster seat lining - or just a bunch of child's used underpants - with explosives and go through. For a good measure, he can spill some actual pee on it, so it'll really smell like peed clothes to the security guys.
There was a movie with Jean-Claude Van Damme where the bad guys would turn some push-button you can find on clothes into explosive devices with the purpose of making them all explode at once.
Like Aspie mentions this sounds like it might be inspired by the Exploding Trousers: https://en.wikipedia.org/wiki/Exploding_trousers
Natural-fiber clothing soaked in a chlorate salt solution and then dried is extremely flammable, can burn explosively. Won't show up via metal detector or nude scanner. Negligible vapor pressure for sampling by "sniffer" devices. Not nearly as potent as high explosives, though, more like fireworks.
So for the exploding raiment entries we have the chlorate saturation from mythbusters etc and nitrocellulose cloth but has anyone thought of using trinitrotoluene as a yellow dye just like back in the not so good old days.
> dip ordinary clothing into the liquid to make the clothes themselves into explosives once dry
I believe this technique made its first appearance in "The Stainless Steel Rat Saves the World" (1972)
> I guess there's nothing to be done but to force everyone to fly naked
At last some good can come out of this!
My first thought was, hey, they've rediscovered guncotton! Then I thought, well, cordite's been in use for the last century or so in the artillery and in handguns, so it's no surprise that "Intelligence" so-called, has discovered it. The next thing they'll discover will be fire, or maybe the wheel, and then nobody'll be safe!
Nothing like a bunch of screwed-up psychos wearing official uniforms - or official uniforms animated by screwed-up psychos - to make people safe! Now where is my "Official Zombie-Killer's Manual" and badge, again? Don't tell me the terrorists ate it too!
And by the way, the ABC Universal Cypher defines "Terrorism" as "Traffic" while the Telegraph Code of 1880 defines "TERROR" as 6 and a quarter and another Telegraphic code defines "terrorism" as "Timber is scarce" and "terrifieth" as "Timbers". Nice to know they took terrorism - I mean traffic; I actually mean the scarcity of timber - as seriously as we do nowadays! It terrifieth me!
"If you see someone wear something, say something."
You can't call this a movie-plot threat as it was already used in a movie.
I want to say it was "Blown Away" but I won't swear to it and I don't have the movie lying around to check.
There was a scene where there is a woman who is important to the good guy (I forget the relationship) with an explosive-soaked dress and the bad guy has the detonator. It's been long enough I can't recall how he rescued her.
@Loren Pechtel - and afterwards he was blown away by her gratitude! :) He should never have sat down on that strange looking block while sitting her on his lap ... well, it's a bit too late to learn now what he wouldn't learn earlier, isn't it?
@ John Campbell
I seem to recall Ryan Air had some fun with the "fly naked" meme some ten (or so) years ago.
I don't know if the story is real or just an urban myth, but American Airlines at some point got nominated for a Chevy Nova award over a failed marketing campaign to promote their new leather chairs. They allegedly translated "Fly in Leather" to "Vuela en Cuero" in Spanish, which in Mexico was understood as "Fly Naked". If true, that would have been one visionary slogan.
I guess it's time to drop commercial aviation altogether and prop up funding for teleportation research. Can't wait till some DoJ moron decides to press terrorist charges against Werner Heisenberg for "obstruction of technology development in the interest of national security".
I've been expecting that since the underwear bomber, but they went to the naked scans instead. Maybe they'll settle for strip searching us the old fashioned way instead....
I can give you a couple of stories that sound like "urban myths" but are actually true.
First many have heard of the Sinclair ZX80, 81 and Spectrum, but few remember the "one per desk" version of the Spectrum aimed at office rather than home use. Well an organisation variously called "The GPO", "British Telecom" and these days "BT" had its own data services "Prestel" and "Telecom Gold" for SoHo and M2LSE organisations respectively. Well they wanted to get in on what we now call the PC hardware market that was extremely lucrative at the time. They decided to do to the One Per Desk, what Torch Computers had done to the BBC Model B from Acorn Computers. The BT re-cased One Per Desk was named "Tonto" by the marketing droids who wanted to portray it as "your personal assistant" as Tonto was to the Lone Ranger. The only problem was after the initial launch it was pointed out that "tonto" actually meant "idiot"....
Secondly many have heard of an organisation called GEC, well they went on a buying spree of other companies one of which was Plessey Systems. The combined subsidiary company was called GEC Plessey Telecoms that quickly got re-branded as GPT. So far so good, however they wanted to make a significant push into Europe so organised a massive dealer conference in Paris France and paid for many of the attendees. Well as they wanted it to be a success they had got a firm of Image Consultants in to train up the sales people etc etc. Well as is the American way in such things they coached the employees to be Bold-n-Brassy and exude faux confidence. One such was to train the employees to say "Hi, Mike Smith, GPT!". Well on the first day and loads of contented bums on seats the first presentation started and the first presenter bounded over to the lectern brimming with confidence and gave the line which produced a mildly amused look on many European faces. Intro over the next body leaped up and gave the line this time to a few laughs from the audience. At the first break one of the more senior members of a major French distributor took one of the GPT seniors aside and told him that, "G P T sounds very much like the French for saying I have broken wind"...
GPT sounds very much like the French for saying I have broken wind
GPT when pronounced in French sounds exactly like "j'ai pété" indeed. Over the years, I have been a privileged witness of quite some hilarious, albeit unintended "Inspecteur Clouseau" moments on the shopfloor. One of my all-time favorites was a Swiss PM who brought an audience of CxO's to their knees making "let's think first and then discuss the matter" sound like "let's stink first and then disgust the matter". He was never taken seriously again and the project got canned a couple of months later.
On the occasion of a local townhall meeting at the late Sun Microsystems, some notoriously pompous and linguistically challenged French VP managed to kill off morale and make a stellar fool of himself in a speech that lasted about 5 minutes. For starters, he inadvertently broke the news of a RIF (reduction in force) that was not supposed to be announced till a couple of weeks later and which apparently he was not aware of. This didn't go quite well with the troops which he then tried to calm down with the statement that "the remaining slots should focus on the business". Which unfortunately came out and was understood as that the remaining sluts should have more intercourse on the shopfloor. About half of the audience walked out and decided that it made more sense to go for a walk instead of returning to their cubicles or having themselves further insulted by a person perceived as a complete half-wit. In retrospect, it was just one of the many omens that the company was doomed.
In a somewhat broader context, I have always been surprised that anglo-saxon companies in general hardly ever pay any attention to possible other meanings of acronyms in different languages. "Common of the Shelf" (COTS) in Dutch is a homonym for "vomit", whereas the acronym for "service oriented architecture" (SOA) over here stands for sexually transmitted disease. It's always good fun at sales presentations, though.
@Remy Porter: If you put cotton fabric into nitric acid, you will obtain guncotton. You won't blow up an aircraft with it, unless you can also smuggle a solid container where you stuff your nitrated clothes after stripping them off e.g. in the lavatory, with a small hole for a fuse (e.g. your nitrated cotton shoe lace). Without the container it won't explode, just burn rapidly. So you will only cause a fire which probably would be controlled by the crew and in case you light the clothes still on you, you will die a horrible way. As containers suitable for producing a makeshift bomb aren't allowed on the plane, this way leads nowhere.
There was a Harry Harrison "SSR" book that used this plot device - moreover, the trigger was a different fluid applied to the armpits, which was harmless until allowed to cool (i.e. the clothing was removed)
When they tested this on Mythbusters the conclusion was that they would, most likely, survive.
(But they shouldn't expect much sympathy from the crew or other passengers for their injuries. Especially if the flight was diverted.)
This is World War II technology.
What you do is to take ordinary cotton shirts, jeans, etc. and treat with Nitric Acid.
This turns it into nitro-cellulose, which is an above-average high explosive.
[Operational details omitted.]
It is not true that this material is undetectable. Dogs can smell it from across the room, and most of the "sniffer machines" can detect it easily.
Major drawback: A lit cigarette will make this stuff detonate.
As the nice man from Sandia said about the al-Qaida guys,
"Their culture does not place a high value on safety."
Yesterday's satire is tomorrow's reality.
(caption: "On the way into the [United] States", speech bubble: "Don't you fear to get trouble at entry?")
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.