
September 2008
John Wiley & Sons
336 Pages
ISBN: 0470395354


This document is also available in PDF format.

What the Terrorists Want


There have been many more incidents since I wrote this--all false alarms. I've stopped keeping a list.

The chemical unreality of the plot:

This essay also makes the same point that we're overreacting, as well as describing a 1995 terrorist plot that was remarkably similar in both materials and modus operandi--and didn't result in a complete ban on liquids:

My previous related writings:

This essay originally appeared in Wired:,71642-0.html

Movie-Plot Threats

This essay was originally published in Wired:,1367,68789,00.html

Fixing Intelligence Failures

My original articles:

Data Mining for Terrorists

This essay originally appeared on,70357-0.html


Its return:

GAO report:


Base rate fallacy:

The New York Times on the NSA eavesdropping program:

The Architecture of Security

The New York Times article about the change:

This essay originally appeared on,71968-0.html

The War on the Unexpected

Ad campaigns:

Administration comments:



Public campaigns:

Law protecting tipsters:

Successful tips:

This essay originally appeared on

Some links didn't make it into the original article. There's this creepy "if you see a father holding his child's hands, call the cops" campaign:

There's this story of an iPod found on an airplane:

There's this story of an "improvised electronics device" trying to get through airport security:

This is a good essay on the "war on electronics":

Portrait of the Modern Terrorist as an Idiot

There are a zillion links associated with this essay. You can find them on the online version:

This essay originally appeared on

Correspondent Inference Theory and Terrorism

Cognitive biases:

This essay originally appeared on

The Security Threat of Unchecked Presidential Power

This essay was published on December 21, 2005 as an op-ed in the Minneapolis Star Tribune:

Here's the opening paragraph of the Yoo memo. Remember, think of this power in the hands of your least favorite politician when you read it:

"You have asked for our opinion as to the scope of the President's authority to take military action in response to the terrorist attacks on the United States on September 11, 2001. We conclude that the President has broad constitutional power to use military force. Congress has acknowledged this inherent executive power in both the War Powers Resolution, Pub. L. No. 93-148, 87 Stat. 555 (1973), codified at 50 U.S.C. §§ 1541-1548 (the "WPR"), and in the Joint Resolution passed by Congress on September 14, 2001, Pub. L. No. 107-40, 115 Stat. 224 (2001). Further, the President has the constitutional power not only to retaliate against any person, organization, or State suspected of involvement in terrorist attacks on the United States, but also against foreign States suspected of harboring or supporting such organizations. Finally, the President may deploy military force preemptively against terrorist organizations or the States that harbor or support them, whether or not they can be linked to the specific terrorist incidents of September 11."

There's a similar reasoning in the Bybee memo, which was written in 2002 about torture:

Yoo memo:

Bybee memo:

This story has taken on a life of its own. But there are about a zillion links and such listed here:

I am especially amused by the bit about NSA shift supervisors making decisions legally reserved for the FISA court.

NSA and Bush's Illegal Eavesdropping

A version of this essay originally appeared in Salon:

Text of FISA:

Summary of annual FISA warrants:

Rockefeller's secret memo:

Much more here:

Private Police Forces

This op-ed originally appeared in the Minneapolis Star-Tribune:

Recognizing "Hinky" vs. Citizen Informants


RIT story:

Casino security and the "Just Doesn't Look Right (JDLR)" principle:


The blog post has many more links to the specific things mentioned in the essay:

When I posted this on my blog, I got a lot of negative comments from Libertarians who believe that somehow, the market makes private policemen more responsible to the public than government policemen. I'm sorry, but this is nonsense. Best Buy is going to be responsive to its customers; an apartment complex is going to be responsive to its renters. Petty criminals who prey on those businesses are an economic externality; they're not going to enter into the economic arguments. After all, people might be more likely to shop at Best Buy if their security guards save them money by keeping crime down--who cares if they crack a few non-customer heads while doing it.

None of this is meant to imply that public police forces are magically honorable and ethical; just that the economic forces are different. So people can consider carefully which is the lesser of two evils, here's Radley Balko's paper "Overkill: The Rise of Paramilitary Police Raids in America":

And an interactive map of public police raids gone bad:

Dual-Use Technologies and the Equities Issue

Estonia's cyberwar:

Cyberwar, cyberterrorism, etc.:

NSA and DHS cybersecurity initiatives:

This essay originally appeared on

Identity-Theft Disclosure Laws

California's SB 1386:

Existing state disclosure laws:

HR 4127 - Data Accountability and Trust Act:

HR 3997:

ID Analytics study:

My essay on identity theft:

A version of this essay originally appeared on,70690-0.html

Academic Freedom and Security

This essay was originally published in the San Jose Mercury News:

Sensitive Security Information (SSI)

Background on SSI:

TSA's Regulation on the Protection of SSI:

Controversies surrounding SSI:

My essay explaining why secrecy is often bad for security:

The Director of the National Security Archive at George Washington University on the problems of too much secrecy:

Fingerprinting Foreigners

A version of this essay originally appeared in Newsday:

Office of Homeland Security webpage for the program:

News articles:


Brazil fingerprints U.S. citizens in retaliation:

U.S. Medical Privacy Law Gutted

News article:

Swire's essay:

Airport Passenger Screening

A version of this essay originally appeared on,70470-0.html

No-Fly List

Additional information:,1848,58386,00.html

Kennedy's story:

Getting off the list by using your middle name:

This essay originally appeared in Newsday:

Trusted Traveler Program

This essay originally appeared in The Boston Globe:

Screening People with Clearances

This essay originally appeared on,71906-0.html

Forge Your Own Boarding Pass

This is my 30th essay for,72045-0.html


Older mentions of the vulnerability:

No-fly list:

Our Data, Ourselves

This essay previously appeared on

The Value of Privacy

A version of this essay originally appeared on,70886-0.html

Daniel Solove comments:

The Future of Privacy

This essay was originally published in the Minneapolis Star-Tribune:

Privacy and Power

The inherent value of privacy:

Erik Crespo story:

Cameras catch a policeman:

Security and control:

This essay originally appeared on

Commentary/rebuttal by David Brin:

Security vs. Privacy

McConnell article from New Yorker:

Trading off security and privacy:

False dichotomy:

Donald Kerr's comments:

Related essays:

This essay originally appeared on

Is Big Brother a Big Deal?

This essay appeared in the May 2007 issue of Information Security, as the second half of a point/counterpoint with Marcus Ranum:

Marcus's half:

How to Fight

Privacy International's Stupid Security Awards:

Stupid Security Blog:

Companies Cry "Security" to Get A Break From the Government:

Gilmore's suit:

Relevant Minnesota pharmacist rules:

How you can help right now:

Tell Congress to Get Airline Security Plan Under Control!

TIA Update: Ask Your Senators to Support the Data-Mining Moratorium Act of 2003!

Congress Takes Aim at Your Privacy

Total Information Awareness: Public Hearings Now!

Don't Let the INS Violate Your Privacy

Demand the NCIC Database Be Accurate

Citizens' Guide to the FOIA

Toward Universal Surveillance

This essay originally appeared on CNet:

Kafka and the Digital Person

The book's website:

Order the book on Amazon:

CCTV Cameras

CCTV research:

London's cameras:

CCTV abuses:

Orwellian cameras:

Privacy concerns:

Surveillance in China:

This essay was:

Anonymity and Accountability

This essay originally appeared in Wired:,70000-0.html

Kelly's original essay:

Gary T. Marx on anonymity:

Facebook and Data Control

This essay originally appeared on,71815-0.html

Facebook privacy policy:

The Death of Ephemeral Conversation

This essay originally appeared on

Automated Targeting System

News articles:

Federal Register posting:

Comments from civil liberties groups:

Automated terror profiling:

No-fly list:

Secure Flight:

Total Information Awareness:

ATS may be illegal:,72250-0.html

This essay, without the links, was published in Forbes:

They also published a rebuttal by William Baldwin, although it doesn't seem to rebut any of the actual points. "Here's an odd division of labor: a corporate data consultant argues for more openness, while a journalist favors more secrecy." It's only odd if you don't understand security.

Anonymity and the Netflix Dataset

2001 IEEE paper:

De-anonymizing the AOL data:

Census data de-anonymization:

Anonymous cell phone data:

Wholesale surveillance and data collection:

This essay originally appeared on

Does Secrecy Help Protect Personal Information?

This essay appeared in the January 2007 issue of Information Security, as the second half of a point/counterpoint with Marcus Ranum:

Marcus's half:

Risks of Data Reuse

Individual data and the Japanese internment:

Marketing databases:

Secure Flight:

Florida disenfranchisement in 2000:

This article originally appeared on

National ID Cards

This essay originally appeared in the Minneapolis Star Tribune:

Kristof's essay in The New York Times:

My earlier essay on National ID cards:

My essay on identification and security:

REAL-ID: Costs and Benefits


The REAL-ID Act: National Impact Analysis:

There's REAL-ID news. Maine became the first state to reject REAL-ID. This means that a Maine state driver's license will not be recognized as valid for federal purposes, although I'm sure the Feds will back down over this. My guess is that Montana will become the second state to reject REAL-ID, and New Mexico will be the third.

More info on REAL-ID:

RFID Passports

The Security of RFID Passports

Government announcement:

RFID privacy problems:

My previous writings on RFID passports:

This essay previously appeared on,1848,69453,00.html

Multi-Use ID Cards

This essay originally appeared on,70167-0.html

Giving Driver's Licenses to Illegal Immigrants

This op-ed originally appeared in the Detroit Free Press:

Voting Technology and Security

This essay originally appeared on

How to Steal an Election:

Florida 13:

Value of stolen elections:


Voter suppression:

ID requirements:

Foxtrot cartoon:

Avi Rubin wrote a good essay on voting for Forbes as well:

Computerized and Electronic Voting

CRS Report on Electronic Voting:

Voting resource pages:

Bills in U.S. Congress to force auditable balloting:

Virginia story:

Indiana story:

Nevada story:

California Secretary of State's statement on e-voting paper trail requirement:

Maryland story:

More opinions:

Voter Confidence and Increased Accessibility Act of 2003,1294,61298,00.html

My older essays on this topic:

Why Election Technology is Hard

This essay originally appeared in the San Francisco Chronicle: or

Also read Avi Rubin's op-ed on the subject:

Electronic Voting Machines

A version of this essay appeared on


Florida 13th:

This essay originally appeared on,72124-0.html

Hacking the Papal Election

Rules for a papal election:

There's a picture of choir dress on this page:

First Responders

This essay originally appeared on

In blog comments, people pointed out that training and lack of desire to communicate are bigger problems than technical issues. This is certainly true. Just giving first responders interoperable radios won't automatically solve the problem; they need to want to talk to other groups as well.

Minneapolis rescue workers:

Utah rescue-worker deaths:

1996 report:

Dennis Smith:

9/11 Commission Report:

Wasted security measures:

Minnesota and interoperable communications:

Stanek quote:


Conference of Mayors report:

Collective action problem:

Jerry Brito paper:

Me on overly specific terrorism defense:

More research:

Security at the Olympics

News articles:

A version of this essay originally appeared in the Sydney Morning Herald, during the Olympics:

Blaster and the August 14th Blackout

A preliminary version of this essay appeared on

Interim Report: Causes of the August 14th Blackout in the United States and Canada:

The relevant data is on pages 28-29 of the report.

FirstEnergy was hit by Slammer:

How worms can infect internal networks:

Blackout not caused by worm:

News article on the report:

Geoff Shively talked about possible Blaster/blackout links just a few days after the blackout:

Avian Flu and Disaster Planning

Family disaster planning:

Disaster Recovery Journal:

Bird flu:

Blogger comments:

Man-eating badgers:

A good rebuttal to this essay:

This essay originally appeared on

Economics and Information Security

Links to all the WEIS papers are available here:

Ross Anderson's, "Why Information Security Is Hard--An Economic Perspective":

Aligning Interest with Capability

This essay originally appeared on,71032-0.html

National Security Consumers

This essay originally appeared, in a shorter form, on

Liabilities and Software Vulnerabilities

Schmidt's comments:

SlashDot thread on Schmidt's concerns:

Dan Farber has a good commentary on my essay:

This essay originally appeared on,1848,69247,00.html

There has been some confusion about this in the comments--both in Wired and on my blog--that somehow this means that software vendors will be expected to achieve perfection and that they will be 100% liable for anything short of that. Clearly that's ridiculous, and that's not the way liabilities work. But equally ridiculous is the notion that software vendors should be 0% liable for defects. Somewhere in the middle there is a reasonable amount of liability, and that's what I want the courts to figure out.

Howard Schmidt writes: "It is unfortunate that my comments were reported inaccurately; at least Dan Farber has been trying to correct the inaccurate reports with his blog I do not support PERSONAL LIABILITY for the developers NOR do I support liability against vendors. Vendors are nothing more than people (employees included) and anything against them hurts the very people who need to be given better tools, training and support."

Howard wrote this essay on the topic, to explain what he really thinks. He is against software liabilities.

But the first sentence of his last paragraph nicely sums up what's wrong with this argument: "In the end, what security requires is the same attention any business goal needs." If security is to be a business goal, then it needs to make business sense. Right now, it makes more business sense not to produce secure software products than it does to produce secure software products. Any solution needs to address that fundamental market failure, instead of simply wishing it were true.


Apple and the iPhone:

Shapiro and Varian's book:

Microsoft and Trusted Computing:


This essay previously appeared on

Third Parties Controlling Information

Internet Archive:

Greatest Journal:

Other hacks:

This essay originally appeared on

Who Owns Your Computer?

This essay originally appeared on,70802-0.html

Trusted computing:

A Security Market for Lemons

Risks of data in small packages:

Secustick and review:

Snake oil:

"A Market for Lemons":

Kingston USB drive:

Slashdot thread:

This essay originally appeared in Wired:

Websites, Passwords, and Consumers


The Trojan:

A shorter version of this essay originally appeared in IEEE Security and Privacy:

The Feeling and Reality of Security

Getting security trade-offs wrong:

Cognitive biases that affect security:

"In Praise of Security Theater":

The security lemon's market:

Airline security and agenda:

This essay originally appeared on

Behavioral Assessment Profiling

This article originally appeared in The Boston Globe:

In Praise of Security Theater

This essay appeared on, and is dedicated to my new godson, Nicholas Quillen Perry:,72561-0.html

Infant abduction:

Blog entry URL:

CYA Security

Airplane security:

Searching bags in subways:

No-fly list:

More CYA security:


This essay originally appeared on,72774-0.html


Dan Cooper and the Cooper Vane:

Green-card lawyers:,1283,19098,00.html

This essay originally appeared on,72887-0.html

Blog entry URL:

Rare Risk and Overreactions

Irrational reactions:

Risks of school shootings from 2000:

Crime statistics--strangers vs. acquaintances:

Me on the psychology of risk and security:

Risk of shark attacks:

Ashcroft speech:

Me on security theater:

Baseball beer ban:

Nicholas Taub essay:

VA Tech and gun control:

VA Tech hindsight:

Jon Stewart video:

Me on movie-plot threats:

Another opinion:

This essay originally appeared on, my 42nd essay on that site:

French translation:

Tactics, Targets, and Objectives

Safari security advice:

School shooter security advice:

Burglar security advice:

Me on terrorism:

Learning behavior in tigers:

This essay originally appeared on

The Security Mindset



CSE484 blog:

Britney Spears's medical records:

This essay originally appeared on


My Open Wireless Network

RIAA data:

Rulings on "stealing" bandwidth:

Amusing story of someone playing with a bandwidth stealer:



This essay originally appeared on

It has since generated a lot of controversy:

Opposing essays:

And here are supporting essays:

Presumably there will be a lot of back and forth in the blog comments section here as well:

Debating Full Disclosure

This essay originally appeared on CSOOnline:

It was part of a series of essays on the topic. Marcus Ranum wrote against the practice of disclosing vulnerabilities:

Mark Miller of Microsoft wrote in favor of responsible disclosure:

These are sidebars to a very interesting article in CSO Magazine, "The Chilling Effect," about the confluence of forces that are making it harder to research and disclose vulnerabilities in web-based software:

All the links are worth reading in full.

A Simplified Chinese translation by Xin Li:

Doping in Professional Sports

Armstrong's case:

Baseball and HGH:

This essay originally appeared on,71566-0.html

Do We Really Need a Security Industry?

Complexity and security:

Commentary on essay:

This essay originally appeared in Wired:

Basketball Referees and Single Points of Failure

This is my 50th essay for

Chemical Plant Security and Externalities



This essay previously appeared on

Mitigating Identity Theft

This essay was previously published on CNet:

LifeLock and Identity Theft



Fraud alerts:

The New York Times article:


Identity theft:

Free credit reports:

Defending yourself:

This essay originally appeared in Wired:


California law:


Who pays for identity theft:

Me on semantic attacks:

Me on economics and security:

Me on identity theft:

Discussion of my essay:

This essay originally appeared in Wired:,1283,69076,00.html

Bot Networks

This essay originally appeared on,71471-0.html



1.5-million-node bot network:


Allowing the entertainment industry to hack:

Clarke's comments:

This essay originally appeared in Wired:


Automated law enforcement:,2933,64688,00.html

Mullen's essay:

Berman legislation:


My previous essay on cyberterrorism:

Militaries and Cyberwar

My interview in the Iranian newspaper (to be honest, I have no idea what it says):

The Truth About Chinese Hackers

Article originally published in Discovery Tech:

Safe Personal Computing

Others have disagreed with these recommendations:

My original essay on the topic:

This essay previously appeared on CNet:

How to Secure Your Computer, Disks, and Portable Drives

This essay previously appeared on

Why was the U.K. event such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There's already a larger debate on the issue of a database on kids that this feeds into. And it's a demonstration of government incompetence (think Hurricane Katrina). In any case, this issue isn't going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More fallout is probably coming.

U.K.'s privacy Chernobyl:

U.S. VA privacy breach:

PGP Disk:

Choosing a secure password:

Risks of losing small memory devices:

Laptop snatching:

Microsoft BitLocker:


Crossing Borders with Laptops and PDAs

My advice on choosing secure passwords:

This essay originally appeared in The Guardian:

Choosing Secure Passwords

Analyzing 24,000 MySpace passwords:,72300-0.html

Choosing passwords:


Password Safe:

This essay originally appeared on,72458-0.html

Secrecy, Security, and Obscurity

Kerckhoffs' Paper (in French):

Another essay along similar lines:

More on Two-Factor Authentication

This essay previously appeared in Network World as a "Face Off":

Joe Uniejewski of RSA Security wrote an opposing position:

Another rebuttal:,1759,1782435,00.asp

My original essay:

Home Users: A Public Health Problem?

This essay is the first half of a point/counterpoint with Marcus Ranum in the September 2007 issue of Information Security. You can read his reply here:

Security Products: Suites vs. Best-of-Breed

This essay originally appeared as the second half of a point/counterpoint with Marcus Ranum in Information Security:

Marcus's half:

Separating Data Ownership and Device Ownership

New timing attack on RSA:

My essay on side-channel attacks:

My paper on data/device separation:

Street-performer protocol: an alternative to DRM:

Ontario lottery fraud:

This essay originally appeared on,72196-0.html


California reports:

Commentary and blog posts:

California's recertification requirements:

DefCon reports:

US-VISIT database vulnerabilities:

RFID passport hacking:

How common are bugs:

Diebold patch:

Brian Snow on assurance:

Books on secure software development:

Microsoft's SDL:

DHS's Build Security In program:

This essay originally appeared on

Sony's DRM Rootkit: The Real Story

This essay originally appeared in Wired:,1848,69601,00.html

There are a lot of links in this essay. You can see them on Wired's page. Or here:

These are my other blog posts on this:

There are lots of other links in these posts.

The Storm Worm

This essay originally appeared on

Fast flux:

Storm's attacks:

Stewart's analysis:


The Ethics of Vulnerability Research

This was originally published in InfoSecurity Magazine, as part of a point/counterpoint with Marcus Ranum. You can read Marcus's half here:

Is Penetration Testing Worth It?

This essay appeared in the March 2007 issue of Information Security, as the first half of a point/counterpoint with Marcus Ranum:

Marcus's half:

Anonymity and the Tor Network

This essay previously appeared on


Onion routing:

Egerstad's work:

Sassaman's paper:

Anonymity research:

Dark Web:

Tor users:

Tor server operator shuts down after police raid:

Tools for identifying the source of Tor data:

Kill Switches and Remote Control

Kill switches:

Digital Manners Policies:

This essay originally appeared on



Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.