October 15, 2008
by Bruce Schneier
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-0810.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.
In this issue:
Most counterterrorism policies fail, not because of tactical problems, but because of a fundamental misunderstanding of what motivates terrorists in the first place. If we're ever going to defeat terrorism, we need to understand what drives people to become terrorists in the first place.
Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model. It posits that people resort to terrorism when they believe -- rightly or wrongly -- that terrorism is worth it; that is, when they believe the political gains of terrorism minus the political costs are greater than if they engaged in some other, more peaceful form of protest. It's assumed, for example, that people join Hamas to achieve a Palestinian state; that people join the PKK to attain a Kurdish national homeland; and that people join al-Qaida to, among other things, get the United States out of the Persian Gulf.
If you believe this model, the way to fight terrorism is to change that equation, and that's what most experts advocate. Governments tend to minimize the political gains of terrorism through a no-concessions policy; the international community tends to recommend reducing the political grievances of terrorists via appeasement, in hopes of getting them to renounce violence. Both advocate policies to provide effective nonviolent alternatives, like free elections.
Historically, none of these solutions has worked with any regularity. Max Abrahms, a predoctoral fellow at Stanford University's Center for International Security and Cooperation, has studied dozens of terrorist groups from all over the world. He argues that the model is wrong. In a paper published this year in International Security that -- sadly -- doesn't have the title "Seven Habits of Highly Ineffective Terrorists," he discusses, well, seven habits of highly ineffective terrorists. These seven tendencies are seen in terrorist organizations all over the world, and they directly contradict the theory that terrorists are political maximizers:
Terrorists, he writes, (1) attack civilians, a policy that has a lousy track record of convincing those civilians to give the terrorists what they want; (2) treat terrorism as a first resort, not a last resort, failing to embrace nonviolent alternatives like elections; (3) don't compromise with their target country, even when those compromises are in their best interest politically; (4) have protean political platforms, which regularly, and sometimes radically, change; (5) often engage in anonymous attacks, which precludes the target countries making political concessions to them; (6) regularly attack other terrorist groups with the same political platform; and (7) resist disbanding, even when they consistently fail to achieve their political objectives or when their stated political objectives have been achieved.
Abrahms has an alternative model to explain all this: People turn to terrorism for social solidarity. He theorizes that people join terrorist organizations worldwide in order to be part of a community, much like the reason inner-city youths join gangs in the United States.
The evidence supports this. Individual terrorists often have no prior involvement with a group's political agenda, and often join multiple terrorist groups with incompatible platforms. Individuals who join terrorist groups are frequently not oppressed in any way, and often can't describe the political goals of their organizations. People who join terrorist groups most often have friends or relatives who are members of the group, and the great majority of terrorist are socially isolated: unmarried young men or widowed women who weren't working prior to joining. These things are true for members of terrorist groups as diverse as the IRA and al-Qaida.
For example, several of the 9/11 hijackers planned to fight in Chechnya, but they didn't have the right paperwork so they attacked America instead. The mujahedeen had no idea whom they would attack after the Soviets withdrew from Afghanistan, so they sat around until they came up with a new enemy: America. Pakistani terrorists regularly defect to another terrorist group with a totally different political platform. Many new al-Qaida members say, unconvincingly, that they decided to become a jihadist after reading an extreme, anti-American blog, or after converting to Islam, sometimes just a few weeks before. These people know little about politics or Islam, and they frankly don't even seem to care much about learning more. The blogs they turn to don't have a lot of substance in these areas, even though more informative blogs do exist.
All of this explains the seven habits. It's not that they're ineffective; it's that they have a different goal. They might not be effective politically, but they are effective socially: They all help preserve the group's existence and cohesion.
This kind of analysis isn't just theoretical; it has practical implications for counterterrorism. Not only can we now better understand who is likely to become a terrorist, we can engage in strategies specifically designed to weaken the social bonds within terrorist organizations. Driving a wedge between group members -- commuting prison sentences in exchange for actionable intelligence, planting more double agents within terrorist groups -- will go a long way to weakening the social bonds within those groups.
We also need to pay more attention to the socially marginalized than to the politically downtrodden, like unassimilated communities in Western countries. We need to support vibrant, benign communities and organizations as alternative ways for potential terrorists to get the social cohesion they need. And finally, we need to minimize collateral damage in our counterterrorism operations, as well as clamping down on bigotry and hate crimes, which just creates more dislocation and social isolation, and the inevitable calls for revenge.
Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that jar was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way.
There are two classes of contraband at airport security checkpoints: the class that will get you in trouble if you try to bring it on an airplane, and the class that will cheerily be taken away from you if you try to bring it on an airplane. This difference is important: Making security screeners confiscate anything from that second class is a waste of time. All it does is harm innocents; it doesn't stop terrorists at all.
Let me explain. If you're caught at airport security with a bomb or a gun, the screeners aren't just going to take it away from you. They're going to call the police, and you're going to be stuck for a few hours answering a lot of awkward questions. You may be arrested, and you'll almost certainly miss your flight. At best, you're going to have a very unpleasant day.
This is why articles about how screeners don't catch every -- or even a majority -- of guns and bombs that go through the checkpoints don't bother me. The screeners don't have to be perfect; they just have to be good enough. No terrorist is going to base his plot on getting a gun through airport security if there's a decent chance of getting caught, because the consequences of getting caught are too great.
Contrast that with a terrorist plot that requires a 12-ounce bottle of liquid. There's no evidence that the London liquid bombers actually had a workable plot, but assume for the moment they did. If some copycat terrorists try to bring their liquid bomb through airport security and the screeners catch them -- like they caught me with my bottle of pasta sauce -- the terrorists can simply try again. They can try again and again. They can keep trying until they succeed. Because there are no consequences to trying and failing, the screeners have to be 100 percent effective. Even if they slip up one in a hundred times, the plot can succeed.
The same is true for knitting needles, pocketknives, scissors, corkscrews, cigarette lighters and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.
To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer.
According to U.S. government documents, fear of terrorism could cause a psychosomatic epidemic:
NSA -- and others -- snooping on cell phone calls with off-the-shelf technology:
The NSA teams up with the Chinese government to limit Internet anonymity:
The Pentagon's World of Warcraft Movie-Plot threat:
TSA employees are bypassing airport screening.
I can think of specific instances where the ability to unlock your door over the Internet can be useful, but in most places it's not a good idea.
India using brain scans to prove guilt in court.
People have been asking me to comment about Sarah Palin's Yahoo e-mail account being hacked. I've already written about the security problems with "secret questions" back in 2005:
Spykee is your own personal robot spy. It takes pictures and movies that you can watch on the Internet in real time or save for later. You can even talk with whoever you're spying on via Skype. Only $300.
Security maxims from Roger Johnston. Funny, and all too true.
Another bomb scare. Hot dogs this time.
The Hackers Choice has released a tool allowing people to clone and modify electronic passports. The problem is self-signed certificates. A CA is not a great solution, and the link gives a good explanation as to why. "So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart."
Hand grenades are now weapons of mass destruction:
MI6 camera -- including secrets -- sold on eBay. The buyer turned the camera in to the police.
"Clickjacking" is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting. We don't know how bad it really is, because the details are still being withheld. But the name alone is causing dread. Here's a good Q&A on the vulnerability:
Turns out you can add anyone's number to -- or remove anyone's number from -- the Canadian do-not-call list. You can also add (but not remove) numbers to the U.S. do-not-call list, though only up to three at a time, and you have to provide a valid e-mail address to confirm the addition. Here's my idea. If you're a company, add every one of your customers to the list. That way, none of your competitors will be able to cold call them.
Chinese monitoring Skype messages:
Interesting paper by Adam Shostack on threat modeling at Microsoft:
Elcomsoft is claiming that the WPA protocol is dead, just because they can speed up brute-force cracking by 100 times using a hardware accelerator. Why exactly is this news? Yes, weak passwords are weak -- we already know that. And strong WPA passwords are still strong. This seems like yet another blatant attempt to grab some press attention with a half-baked cryptanalytic result.
Clever counterterrorism attack against the IRA: set up a laundromat, and watch who has bomb residue on their clothes:
There's a new chip-and-pin scam in the UK. The card readers were hacked when they were built, "either during the manufacturing process at a factory in China, or shortly after they came off the production line." It's being called a "supply chain hack." Sophisticated stuff, and yet another demonstration that these all-computer security systems are full of risks.
BART, the San Francisco subway authority, has been debating allowing passengers to bring drinks on trains. There are all sorts of good reasons why or why not -- convenience, problems with spills, and so on -- but one reason that makes no sense is that terrorists may bring flammable liquids on board. Yet that is exactly what BART managers said. No big news -- we've seen stupid things like this regularly since 9/11 -- but this time people responded: "Added Director Tom Radulovich, 'If somebody wants to break the law and bring flammable liquids on, they can. It's not like al Qaeda is waiting in their caves for us to have a sippy-cup rule.' Directing his comments to BART administrators, he said, 'You know, it's just fearmongering and you should be ashamed.' Terrorist fear mongering seems to be working less well.
Guess the year: "Murderous organizations have increased in size and scope; they are more daring, they are served by the most terrible weapons offered by modern science, and the world is nowadays threatened by new forces which, if recklessly unchained, may some day wreck universal destruction. The Orsini bombs were mere children's toys compared with the later developments of infernal machines. Between 1858 and 1898 the dastardly science of destruction had made rapid and alarming strides..."
No, that wasn't a typo. "Between 1858 and 1898...." This quote is from Major Arthur Griffith, "Mysteries of Police and Crime," London, 1898, II, p. 469. It's quoted in: Walter Laqueur, "A History of Terrorism," New Brunswick/London, Transaction Publishers, 2002.
Remember when the U.S. government said it was only spying on terrorists? Anyone with any common sense knew it was lying -- power without oversight is always abused -- but even I didn't think it was this bad:
"Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of 'cuts' that were available on each operator's computer.
"'Hey, check this out,' Faulk says he would be told, 'there's good phone sex or there's some pillow talk, pull up this call, it's really funny, go check it out. It would be some colonel making pillow talk and we would say, "Wow, this was crazy",' Faulk told ABC News."
Warrants are a security device. They protect us against government abuse of power.
Schneier is speaking at the 30th International Conference of Data Protection and Privacy Commissioners on 15 October in Strasbourg, France.
Schneier is speaking at the European Security and Information System Congress on 17 October in Monaco.
Schneier is speaking at RSA Europe on 28 October in London.
Schneier is speaking at the 22nd Large Installation System Administration Conference on 13 November in San Diego, CA.
Schneier was interviewed by Telecom Asia:
Schneier was interviewed by the Irish Times:
My essay on chemical plants and security for the Guardian. Nothing I haven't said before.
Nice paragraph on the limitations of risk management in this occasionally interesting interview with Nicholas Taleb:
"Because then you get a Maginot Line problem. [After World War I, the French erected concrete fortifications to prevent Germany from invading again -- a response to the previous war, which proved ineffective for the next one.] You know, they make sure they solve that particular problem, the Germans will not invade from here. The thing you have to be aware of most obviously is scenario planning, because typically if you talk about scenarios, you'll overestimate the probability of these scenarios. If you examine them at the expense of those you don't examine, sometimes it has left a lot of people worse off, so scenario planning can be bad. I'll just take my track record. Those who did scenario planning have not fared better than those who did not do scenario planning. A lot of people have done some kind of "make-sense" type measures, and that has made them more vulnerable because they give the illusion of having done your job. This is the problem with risk management. I always come back to a classical question. Don't give a fool the illusion of risk management. Don't ask someone to guess the number of dentists in Manhattan after asking him the last four digits of his Social Security number. The numbers will always be correlated. I actually did some work on risk management, to show how stupid we are when it comes to risk."
In a blatant attempt to get some PR, a researcher at PMC Ciphers has figured out that encrypting data with ECB mode results in ciphertext patterns.
Yeah, we already knew that.
For the record, I doghoused PMC Ciphers back in 2003: "PMC Ciphers. The theory description is so filled with pseudo-cryptography that it's funny to read. Hypotheses are presented as conclusions. Current research is misstated or ignored. The first link is a technical paper with four references, three of them written before 1975. Who needs thirty years of cryptographic research when you have polymorphic cipher theory?"
I didn't realize it at the time, but PMC Ciphers responded to my doghousing them. Funny stuff.
This is an abomination: "The Maryland State Police classified 53 nonviolent activists as terrorists and entered their names and personal information into state and federal databases that track terrorism suspects, the state police chief acknowledged yesterday."
Why did they do that? "Both Hutchins and Sheridan said the activists' names were entered into the state police database as terrorists partly because the software offered limited options for classifying entries."
I know that once we had this "either you're with us or with the terrorists" mentality, but don't you think that -- just maybe -- the software should allow for a little bit more nuance?
We engage in risk management all the time, but it only makes sense if we do it right.
"Risk management" is just a fancy term for the cost-benefit tradeoff associated with any security decision. It's what we do when we react to fear, or try to make ourselves feel secure. It's the fight-or-flight reflex that evolved in primitive fish and remains in all vertebrates. It's instinctual, intuitive and fundamental to life, and one of the brain's primary functions.
Some have hypothesized that humans have a "risk thermostat" that tries to maintain some optimal risk level. It explains why we drive our motorcycles faster when we wear a helmet, or are more likely to take up smoking during wartime. It's our natural risk management in action.
The problem is our brains are intuitively suited to the sorts of risk management decisions endemic to living in small family groups in the East African highlands in 100,000 BC, and not to living in the New York City of 2008. We make systematic risk management mistakes -- miscalculating the probability of rare events, reacting more to stories than data, responding to the feeling of security rather than reality, and making decisions based on irrelevant context. And that risk thermostat of ours? It's not nearly as finely tuned as we might like it to be.
Like a rabbit that responds to an oncoming car with its default predator avoidance behavior -- dart left, dart right, dart left, and at the last moment jump -- instead of just getting out of the way, our Stone Age intuition doesn't serve us well in a modern technological society. So when we in the security industry use the term "risk management," we don't want you to do it by trusting your gut. We want you to do risk management consciously and intelligently, to analyze the tradeoff and make the best decision.
This means balancing the costs and benefits of any security decision -- buying and installing a new technology, implementing a new procedure or forgoing a common precaution. It means allocating a security budget to mitigate different risks by different amounts. It means buying insurance to transfer some risks to others. It's what businesses do, all the time, about everything. IT security has its own risk management decisions, based on the threats and the technologies.
There's never just one risk, of course, and bad risk management decisions often carry an underlying tradeoff. Terrorism policy in the U.S. is based more on politics than actual security risk, but the politicians who make these decisions are concerned about the risks of not being re-elected.
Many corporate security decisions are made to mitigate the risk of lawsuits rather than address the risk of any actual security breach. And individuals make risk management decisions that consider not only the risks to the corporation, but the risks to their departments' budgets, and to their careers.
You can't completely remove emotion from risk management decisions, but the best way to keep risk management focused on the data is to formalize the methodology. That's what companies that manage risk for a living -- insurance companies, financial trading firms and arbitrageurs -- try to do. They try to replace intuition with models, and hunches with mathematics.
The problem in the security world is we often lack the data to do risk management well. Technological risks are complicated and subtle. We don't know how well our network security will keep the bad guys out, and we don't know the cost to the company if we don't keep them out. And the risks change all the time, making the calculations even harder. But this doesn't mean we shouldn't try.
You can't avoid risk management; it's fundamental to business just as to life. The question is whether you're going to try to use data or whether you're going to just react based on emotions, hunches and anecdotes.
This essay appeared as the first half of a point-counterpoint with Marcus Ranum in Information Security magazine.
There are hundreds of comments -- many of them interesting -- on these topics on my blog. Search for the story you want to comment on, and join in.
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms. He is the Chief Security Technology Officer of BT (BT acquired Counterpane in 2006), and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.
Copyright (c) 2008 by Bruce Schneier.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.