April 15, 2006
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-0604.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.
In this issue:
NOTE: If you have a blog, please spread the word.
For a while now, I have been writing about our penchant for "movie-plot threats": terrorist fears based on very specific attack scenarios. Terrorists with crop dusters, terrorists exploding baby carriages in subways, terrorists filling school buses with explosives -- these are all movie-plot threats. They're good for scaring people, but it's just silly to build national security policy around them.
But if we're going to worry about unlikely attacks, why can't they be exciting and innovative ones? If Americans are going to be scared, shouldn't they be scared of things that are really scary? "Blowing up the Super Bowl" is a movie plot to be sure, but it's not a very good movie. Let's kick this up a notch.
It is in this spirit I announce the (possibly First) Movie-Plot Threat Contest. Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.
Your goal: cause terror. Make the American people notice. Inflict lasting damage on the U.S. economy. Change the political landscape, or the culture. The more grandiose the goal, the better.
Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc.
Post your movie plots here on this blog.
Judging will be by me, swayed by popular acclaim in the blog comments section. The prize will be an autographed copy of Beyond Fear. And if I can swing it, a phone call with a real live movie producer.
Entries close at the end of the month -- April 30.
This is not an April Fool's joke, although it's in the spirit of the season. The purpose of this contest is absurd humor, but I hope it also makes a point. Terrorism is a real threat, but we're not any safer through security measures that require us to correctly guess what the terrorists are going to do next.
Post your entries, and read the others, here:
There are hundreds of ideas here:
It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns, and 60 percent of (fake) bombs. And recently, testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. It makes you wonder why we're all putting our laptops in a separate bin and taking off our shoes. (Although we should all be glad that Richard Reid wasn't the "underwear bomber.")
The failure to detect bomb-making parts is easier to understand. Break up something into small enough parts, and it's going to slip past the screeners pretty easily. The explosive material won't show up on the metal detector, and the associated electronics can look benign when disassembled. This isn't even a new problem. It's widely believed that the Chechen women who blew up the two Russian planes in August 2004 probably smuggled their bombs aboard the planes in pieces.
But guns and knives? That surprises most people.
Airport screeners have a difficult job, primarily because the human brain isn't naturally adapted to the task. We're wired for visual pattern matching, and are great at picking out something we know to look for -- for example, a lion in a sea of tall grass.
But we're much less adept at detecting random exceptions in uniform data. Faced with an endless stream of identical objects, the brain quickly concludes that everything is identical and there's no point in paying attention. By the time the exception comes around, the brain simply doesn't notice it. This psychological phenomenon isn't just a problem in airport screening: It's been identified in inspections of all kinds, and is why casinos move their dealers around so often. The tasks are simply mind-numbing.
To make matters worse, the smuggler can try to exploit the system. He can position the weapons in his baggage just so. He can try to disguise them by adding other metal items to distract the screeners. He can disassemble bomb parts so they look nothing like bombs. Against a bored screener, he has the upper hand.
And, as has been pointed out again and again in essays on the ludicrousness of post-9/11 airport security, improvised weapons are a huge problem. A rock, a battery for a laptop, a belt, the extension handle off a wheeled suitcase, fishing line, the bare hands of someone who knows karate...the list goes on and on.
Technology can help. X-ray machines already randomly insert "test" bags into the stream -- keeping screeners more alert. Computer-enhanced displays are making it easier for screeners to find contraband items in luggage, and eventually the computers will be able to do most of the work. It makes sense: Computers excel at boring repetitive tasks. They should do the quick sort, and let the screeners deal with the exceptions.
Sure, there'll be a lot of false alarms, and some bad things will still get through. But it's better than the alternative.
And it's likely good enough. Remember the point of passenger screening. We're not trying to catch the clever, organized, well-funded terrorists. We're trying to catch the amateurs and the incompetent. We're trying to catch the unstable. We're trying to catch the copycats. These are all legitimate threats, and we're smart to defend against them. Against the professionals, we're just trying to add enough uncertainty into the system that they'll choose other targets instead.
The terrorists' goals have nothing to do with airplanes; their goals are to cause terror. Blowing up an airplane is just a particular attack designed to achieve that goal. Airplanes deserve some additional security because they have catastrophic failure properties: If there's even a small explosion, everyone on the plane dies. But there's a diminishing return on investments in airplane security. If the terrorists switch targets from airplanes to shopping malls, we haven't really solved the problem.
What that means is that a basic cursory screening is good enough. If I were investing in security, I would fund significant research into computer-assisted screening equipment for both checked and carry-on bags, but wouldn't spend a lot of money on invasive screening procedures and secondary screening. I would much rather have well-trained security personnel wandering around the airport, both in and out of uniform, looking for suspicious actions.
When I travel in Europe, I never have to take my laptop out of its case or my shoes off my feet. Those governments have had far more experience with terrorism than the U.S. government, and they know when passenger screening has reached the point of diminishing returns. (They also implemented checked-baggage security measures decades before the United States did -- again recognizing the real threat.)
And if I were investing in security, I would invest in intelligence and investigation. The best time to combat terrorism is before the terrorist tries to get on an airplane. The best countermeasures have value regardless of the nature of the terrorist plot or the particular terrorist target.
In some ways, if we're relying on airport screeners to prevent terrorism, it's already too late. After all, we can't keep weapons out of prisons. How can we ever hope to keep them out of airports?
A version of this essay originally appeared on Wired.com.
The remote town of Dillingham, Alaska is probably the most watched town in the country. There are 80 surveillance cameras for the 2,400 people, which translates to one camera for every 30 people.
The cameras were bought, I assume, because the town couldn't think of anything else to do with the $202,000 Homeland Security grant they received. (One of the problems of giving this money out based on political agenda, rather than by where the actual threats are.)
But they got the money, and they spent it. And now they have to justify the expense. Here's the movie-plot threat the Dillingham Police Chief uses to explain why the expense was worthwhile:
"'Russia is about 800 miles that way,' he says, arm extending right.
"'Seattle is about 1,200 miles back that way.' He points behind him.
"'So if I have the math right, we're closer to Russia than we are to Seattle.'
"Now imagine, he says: What if the bad guys, whoever they are, manage to obtain a nuclear device in Russia, where some weapons are believed to be poorly guarded. They put the device in a container and then hire organized criminals, 'maybe Mafiosi,' to arrange a tramp steamer to pick it up. The steamer drops off the container at the Dillingham harbor, complete with forged paperwork to ship it to Seattle. The container is picked up by a barge.
"'Ten days later,' the chief says, 'the barge pulls into the Port of Seattle.'
"Thompson pauses for effect.
"'Phoooom," he says, his hands blooming like a flower."
The first problem with the movie plot is that it's just plain silly. But the second problem, which you might have to look back to notice, is that those 80 cameras will do nothing to stop his imagined attack.
We are all security consumers. We spend money, and we expect security in return. This expenditure was a waste of money, and as a U.S. taxpayer, I am pissed that I'm getting such a lousy deal.
Crypto-Gram is currently in its ninth year of publication. Back issues cover a variety of security-related topics, and can all be found on <http://www.schneier.com/crypto-gram-back.html>. These are a selection of articles that appeared in this calendar month in other years.
Mitigating Identity Theft:
Hacking the Papal Election:
National ID Cards:
Stealing an Election:
Automated Denial-of-Service Attacks Using the U.S. Post Office:
National Crime Information Center (NCIC) Database Accuracy:
How to Think About Security:
Is 1028 Bits Enough?
Liability and Security
Natural Advantages of Defense: What Military History Can Teach Network Security, Part 1
Cryptography: The Importance of Not Being Different:
Threats Against Smart Cards:
Attacking Certificates with Computer Viruses:
There are basically four ways to eavesdrop on a telephone call.
One, you can listen in on another phone extension. This is the method preferred by siblings everywhere. If you have the right access, it's the easiest. While it doesn't work for cell phones, cordless phones are vulnerable to a variant of this attack: A radio receiver set to the right frequency can act as another extension.
Two, you can attach some eavesdropping equipment to the wire with a pair of alligator clips. It takes some expertise, but you can do it anywhere along the phone line's path -- even outside the home. This used to be the way the police eavesdropped on your phone line. These days it's probably most often used by criminals. This method doesn't work for cell phones, either.
Three, you can eavesdrop at the telephone switch. Modern phone equipment includes the ability for someone to listen in this way. Currently, this is the preferred police method. It works for both land lines and cell phones. You need the right access, but if you can get it, this is probably the most comfortable way to eavesdrop on a particular person.
Four, you can tap the main trunk lines, eavesdrop on the microwave or satellite phone links, etc. It's hard to eavesdrop on one particular person this way, but it's easy to listen in on a large chunk of telephone calls. This is the sort of big-budget surveillance that organizations like the National Security Agency do best. They've even been known to use submarines to tap undersea phone cables.
That's basically the entire threat model for traditional phone calls. And when most people think about IP telephony -- voice over internet protocol, or VOIP -- that's the threat model they probably have in their heads.
Unfortunately, phone calls from your computer are fundamentally different from phone calls from your telephone. Internet telephony's threat model is much closer to the threat model for IP-networked computers than the threat model for telephony.
And we already know the threat model for IP. Data packets can be eavesdropped on *anywhere* along the transmission path. Data packets can be intercepted in the corporate network, by the internet service provider and along the backbone. They can be eavesdropped on by the people or organizations that own those computers, and they can be eavesdropped on by anyone who has successfully hacked into those computers. They can be vacuumed up by nosy hackers, criminals, competitors and governments.
It's comparable to threat No. 3 above, but with the scope vastly expanded.
My greatest worry is the criminal attacks. We already have seen how clever criminals have become over the past several years at stealing account information and personal data. I can imagine them eavesdropping on attorneys, looking for information with which to blackmail people. I can imagine them eavesdropping on bankers, looking for inside information with which to make stock purchases. I can imagine them stealing account information, hijacking telephone calls, committing identity theft. On the business side, I can see them engaging in industrial espionage and stealing trade secrets. In short, I can imagine them doing all the things they could never have done with the traditional telephone network.
This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Encryption is one of the essential security technologies for computer data, and it will go a long way toward securing VOIP.
The last time this sort of thing came up, the U.S. government tried to sell us something called "key escrow." Basically, the government likes the idea of everyone using encryption, as long as it has a copy of the key. This is an amazingly insecure idea for a number of reasons, mostly boiling down to the fact that when you provide a means of access into a security system, you greatly weaken its security.
A recent case in Greece demonstrated that perfectly: Criminals used a cell-phone eavesdropping mechanism already in place, designed for the police to listen in on phone calls. Had the call system been designed to be secure in the first place, there never would have been a backdoor for the criminals to exploit.
Fortunately, there are many VOIP-encryption products available. Skype has built-in encryption. Phil Zimmermann is releasing Zfone, an easy-to-use open-source product. There's even a VOIP Security Alliance.
Encryption for IP telephony is important, but it's not a panacea. Basically, it takes care of threats No. 2 through No. 4, but not threat No. 1. Unfortunately, that's the biggest threat: eavesdropping at the end points. No amount of IP telephony encryption can prevent a Trojan or worm on your computer -- or just a hacker who managed to get access to your machine -- from eavesdropping on your phone calls, just as no amount of SSL or e-mail encryption can prevent a Trojan on your computer from eavesdropping -- or even modifying -- your data.
So, as always, it boils down to this: We need secure computers and secure operating systems even more than we need secure transmission.
Why key escrow is a bad idea:
Greek wiretapping story:
VOIP Security Alliance:
This essay originally appeared on Wired.com.
From TechDirt: "Last summer, the surprising news came out that Japanese nuclear secrets leaked out, after a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It's only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems -- so that the next time this happens, there won't be anyone on the network to download such documents."
Even if their begging works, it solves the wrong problem. Sad.
Last year, the Department of Homeland Security finally got around to appointing its DHS Data Privacy and Integrity Advisory Committee. It was mostly made up of industry insiders instead of anyone with any real privacy experience. (Lance Hoffman from George Washington University was the most notable exception.)
And now, we have something from that committee. On March 7th they published their Framework for Privacy Analysis of Programs, Technologies, and Applications.
It's surprisingly good.
I like that it is a series of questions a program manager has to answer: about the legal basis for the program, its efficacy against the threat, and its effects on privacy. I am particularly pleased that their questions on pages 3-4 are very similar to the "five steps" I wrote about in Beyond Fear. I am thrilled that the document takes a "trade-off" approach; the last question asks: "Should the program proceed? Do the benefits of the program...justify the costs to privacy interests....?"
I think this is a good starting place for any technology or program with respect to security and privacy. And I hope the DHS actually follows the recommendations in this report.
Framework for Privacy Analysis of Programs, Technologies, and Applications
My five steps:
Of course RFID chips can carry viruses. They're just little computers.
Movie theaters want to jam cell phones.
Massive surveillance in an online gaming world.
Yossi Oren and Adi Shamir have written a paper describing a power attack against RFID tags. This is great work by Yossi Oren and Adi Shamir. From the abstract: "Power Analysis of RFID Tags: Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. While the specific attack described here requires the attacker to actually transmit data to the tag under attack, the power analysis part itself requires only a receive antenna. This means that a variant of this attack can be devised such that the attacker is completely passive while it is acquiring the data, making the attack very hard to detect." My prediction of the industry's response: downplay the results and pretend it's not a problem.
The 3rd Annual Nigerian E-mail Conference. Funny.
The chairman of Qantas was stopped at airport security. She had airplane blueprints. Oh, and she was a woman -- which cast immediate suspicion on her story.
Really good article by a reporter who has been covering improvised explosive devices in Iraq:
There are some deliberately fake 300, 600, and 1000 euro notes being made in Germany as an advertisement. They're being passed as real:
Really interesting article by Robert X. Cringely on the lack of federal funding for security technologies. I think his analysis is dead on.
Australian bank fraud: I really wish this article had more details about the crime. Basically, a criminal ring used an authentication failure with fax transmissions to steal (unsuccessfully, as it turned out) $150 million Australian dollars.
Rare outbreak of security common sense in London. They're rejecting passenger screening in their subways.
Who needs terrorists? We can cause terror all by ourselves.
"Terrorist with Nuke" movie plot. It sounds like this New Scientist writer is trying to write a novel.
Enigma? I don't know what this is, but it sure looks a lot like an Enigma. And it's beautiful.
A couple -- living together, I assume -- and engaged to be married, shared a computer. He used Firefox to visit a bunch of dating sites, being smart enough not to have the browser save his password. But Firefox did save the names of the sites it was told never to save the password for. She happened to stumble on this list. The details are left to the imagination, but they broke up.
Creative Home Engineering can make secret doors and hidden passageways for your home. "Pull a favorite book from your library shelf and watch a cabinet section recess to reveal a hidden passageway. Twist a candlestick and your fireplace rotates, granting access to a hidden room." Who cares about the security properties? I want one.
A hacker working for al Qaeda, called Irhabi 007, has been captured. Assuming the British authorities are to be believed, he definitely was a terrorist. And he used the Internet, both as a communication tool and to break into networks. But this does not make him a cyberterrorist.
The police used profiles on MySpace to identify six suspects in a rape/robbery.
Chameleon weapons: you can't detect them, because they look normal:
An Economic Analysis of Airport Security Screening. The authors use game theory to investigate the optimal screening policy, in a scenario when there are different social groups (separated by felons, race, religion, etc.) with different preferences for crime and/or terrorism.
Cubicle Farms are a Terrorism Risk
I don't know if this "Internet Hash Project" is an April Fool's Day joke, but it's funny all the same.
Last month the Government Accounting Office released three new reports on homeland security.
It's a really clever idea: bolts and latches that fasten and unfasten in response to remote computer commands. But the security comment is funny: "But everything is locked down with codes, and the radio signals are scrambled, so this is fully secured against hackers." Clearly this guy knows nothing about computer security.
Interesting paper on phishing, and why it works.
Undercover investigators were able to smuggle radioactive materials into the U.S. It set off alarms at border checkpoints, but the smugglers had forged import licenses from the Nuclear Regulatory Commission, based on an image of the real document they found on the Internet. Unfortunately, the border agents had no way to confirm the validity of import licenses. I've written about this problem before, and it's one I think will get worse in the future. Verification systems are often the weakest link of authentication. Improving authentication tokens won't improve security unless the verification systems improve as well.
Security applications of time-reversed acoustics. I simply don't have the science to evaluate this.
Iowa lawmakers are proposing "I'm Not the Criminal You're Looking For" card, for victims of identity theft. I think it's a great idea, and it reminds me of something I wrote about in Beyond Fear: "In Singapore, some names are so common that the police issue He's-not-the-guy-we're-looking-for documents exonerating innocent people with the same names as wanted criminals." It's not perfect. Of course it will be forged; all documents are forged. This is a still good idea, even though it's not perfect.
Good information from EPIC on the security of tax data in the IRS.
A man in the UK was detained for singing along with a Clash song. Basically, his taxi driver turned him in.
You've all heard of the "No Fly List." Did you know that there's a "No-Buy List" as well?
Last week the San Francisco Chronicle broke the story that Air Force One's defenses were exposed on a public Internet site:
Stolen military goods are being sold in the markets in Afghanistan, including hard drives filled with classified data.
What if your vendor won't sell you a security upgrade? Good article:
Really nice social engineering example. Watch an escaped convict convince a police officer he's not that guy. Note his repeated efforts to ensure that if he's stopped again, he can rely on the cop to vouch for him.
Intersting technical details about NSA's warrantless surveillance, and AT&T's help:
You've all seen CAPTCHAs. Those are those distorted pictures of letters and numbers you sometimes see on web forms. The idea is that it's hard for computers to identify the characters, but easy for people to do. The goal of CAPTCHAs is to authenticate that there's a person sitting in front of the computer.
KittenAuth works with images. The system shows you nine pictures of cute little animals, and the person authenticates himself by clicking on the three kittens. A computer clicking at random has only a 1 in 84 chance of guessing correctly.
Of course you could increase the security by adding more images or requiring the person to choose more images. Another worry -- which I didn't see mentioned -- is that the computer could brute-force a static database. If there are only a small fixed number of actual kittens, the computer could be told -- by a person -- that they're kittens. Then, the computer would know that whenever it sees that image it's a kitten.
Still, it's an interesting idea that warrants more research.
Sometimes I wonder about "security experts." Here's one who thinks Google Earth is a terrorism risk because it allows people to learn the GPS coordinates of soccer stadiums.
Basically, Klaus Dieter Matschke is worried because Google Earth provides the location of buildings within 20 meters, whereas before coordinates had an error range of one kilometer. He's worried that this information will provide terrorists with the exact target coordinates for missile attacks.
I have no idea how anyone could print this drivel. Anyone can attend a football game with a GPS receiver in his pocket and get the coordinates down to one meter. Or buy a map.
Google Earth is not the problem; the problem is the availability of short-range missiles on the black market.
English blog entry on the topic:
There's a new kind of door lock from the Israeli company E-Lock. It responds to sound. Instead of carrying a key, you carry a small device that makes a series of quick knocking sounds. Just touching it to the door causes the door to open; there's no keyhole. The device, called a "KnocKey," has a keypad and can be programmed to require a PIN before operation -- for even greater security.
Clever idea, but there's the usual security hyperbole: "Since there is no keyhole or contact point on the door, this unique mechanism offers a significantly higher level of security than existing technology."
More accurate would be to say that the security vulnerabilities are different from existing technology. We know a lot about the vulnerabilities of conventional locks, but we know very little about the security of this system. But don't confuse this lack of knowledge with increased security.
Bruce Schneier is speaking at the Symposium on Business Information Security, on April 21 in Minneapolis:
Bruce Schneier is speaking at CardTech/SecureTech, on May 3rd, in San Francisco.
Bruce Schneier and Toby Weir-Jones spoke at the InfoWorld Webcast entitled Managed Compliance Reporting: Best Practices to Streamline Device Management & Demonstrate Compliance. Rebroadcast is available.
Counterpane is hiring. Among other things, we're looking for a database and systems analyst, a senior Java software engineer, and a SOC intelligence officer.
Monolith is an open-source program that can XOR two files together to create a third file, and -- of course -- can XOR that third file with one of the original two to create the other original file.
The website wonders about the copyright implications of all of this: "Things get interesting when you apply Monolith to copyrighted files. For example, munging two copyrighted files will produce a completely new file that, in most cases, contains no information from either file. In other words, the resulting Mono file is not "owned" by the original copyright holders (if owned at all, it would be owned by the person who did the munging). Given that the Mono file can be combined with either of the original, copyrighted files to reconstruct the other copyrighted file, this lack of Mono ownership may be seem hard to believe."
The website then postulates this as a mechanism to get around copyright law:
"What does this mean? This means that Mono files can be freely distributed.
"So what? Mono files are useless without their corresponding Basis files, right? And the Basis files are copyrighted too, so they cannot be freely distributed, right? There is one more twist to this idea. What happens when we use Basis files that are freely distributable? For example, we could use a Basis file that is in the public domain or one that is licensed for free distribution. Now we are getting somewhere.
"None of the aforementioned properties of Mono files change when we use freely distributable Basis files, since the same arguments hold. Mono files are still not copyrighted by the people who hold the copyrights over the corresponding Element files. Now we can freely distribute Mono files and Basis files.
"Interesting? Not really. But what you can do with these files, in the privacy of your own home, might be interesting, depending on your proclivities. For example, you can use the Mono files and the Basis files to reconstruct the Element files."
Clever, but it won't hold up in court. In general, technical hair splitting is not an effective way to get around the law. My guess is that anyone who distributes that third file -- they call it a "Mono" file -- along with instructions on how to recover the copyrighted file is going to be found guilty of copyright violation.
The correct way to solve this problem is through law, not technology.
It's called iJacking: grabbing laptops out of their owners' hands and then run away. There seems to be a wave of this type of crime at Internet cafes in San Francisco.
It's obvious why these thefts are occurring. Laptops are valuable, easy to steal, and easy to fence. If we want to "solve" this problem, we need to modify at least one of those characteristics. Some Internet cafes are providing locking cables for their patrons, in an attempt to make them harder to steal. But that will only mean that the muggers will follow their victims out of the cafes. Laptops will become less valuable over time, but that really isn't a good solution. The only thing left is to make them harder to fence.
This isn't an easy problem. There are a bunch of companies that make solutions that help people recover stolen laptops. There are programs that "phone home" if a laptop is stolen. There are programs that hide a serial number on the hard drive somewhere. There are non-removable tags users can affix to their computers with ID information. But until this kind of thing becomes common, the crimes will continue.
Reminds me of the problem of bicycle thefts.
There's a helicopter shuttle that runs from Lower Manhattan to Kennedy Airport. It's basically a luxury item: for $139 you can avoid the drive to the airport. But, of course, security screeners are required for passengers, and that's causing some concern:
"At the request of U.S. Helicopter's executives, the federal Transportation Security Administration set up a checkpoint, with X-ray and bomb-detection machines, to screen passengers and their luggage at the heliport.
"The security agency is spending $560,000 this year to operate the checkpoint with a staff of eight screeners and is considering adding a checkpoint at the heliport at the east end of 34th Street. The agency's involvement has drawn criticism from some elected officials.
"'The bottom line here is that there are not enough screeners to go around, ' said Senator Charles E. Schumer, Democrat of New York. 'The fact that we are taking screeners that are needed at airports to satisfy a luxury market on the government's dime is a problem. '"
This is not a security problem; it's an economics problem. And it's a good illustration of the concept of "externalities." An externality is an effect of a decision not borne by the decision-maker. In this example, U.S. Helicopter made a business decision to offer this service at a certain price. And customers will make a decision about whether or not the service is worth the money. But there is more to the cost than the $139. The cost of that checkpoint is an externality to both U.S. Helicopter and its customers, because the $560,000 spent on the security checkpoint is paid for by taxpayers. Taxpayers are effectively subsidizing the true cost of the helicopter trip.
The only way to solve this is for the government to bill the airline passengers for the cost of security screening. It wouldn't be much per ticket, maybe $15. And it would be much less at major airports, because the economies of scale are so much greater.
The article even points out that customers would gladly pay the extra $15 because of another externality: the people who decide whether or not to take the helicopter trip are not the people actually paying for it.
"Bobby Weiss, a self-employed stock trader and real estate broker who was U.S. Helicopter's first paying customer yesterday, said he would pay $300 for a round trip to Kennedy, and he expected most corporate executives would, too.
"'It's $300, but so what? It goes on the expense account, ' said Mr. Weiss, adding that he had no qualms about the diversion of federal resources to smooth the path of highfliers. 'Maybe a richer guy may save a little time at the expense of a poorer guy who spends a little more time in line. '"
What Mr. Weiss is saying is that the costs -- both the direct cost and the cost of the security checkpoint -- are externalities to him, so he really doesn't care. Exactly.
There are hundreds of comments -- many of them interesting -- on these topics on my blog. Search for the story you want to comment on, and join in.
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Comments on CRYPTO-GRAM should be sent to firstname.lastname@example.org. Permission to print comments is assumed unless otherwise stated. Comments may be edited for length and clarity.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of Counterpane Internet Security Inc., and is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Counterpane is the world's leading protector of networked information - the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Counterpane Internet Security, Inc.
Copyright (c) 2006 by Bruce Schneier.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.