Essays: 2004 Archives

Who says safe computing must remain a pipe dream?

  • Bruce Schneier
  • CNET
  • December 9, 2004

Spanish translation

I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, “Nothing—you’re screwed.”

But that’s not true, and the reality is more complicated. You’re screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.

Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security…

Desktop Google Finds Holes

  • Bruce Schneier
  • eWeek
  • November 29, 2004

Last month, Google released a beta version of its desktop search software: Google Desktop Search. Install it on your Windows machine, and it creates a searchable index of your data files, including word processing files, spreadsheets, presentations, e-mail messages, cached Web pages and chat sessions. It’s a great idea. Windows’ searching capability has always been mediocre, and Google fixes the problem nicely.

There are some security issues, though. The problem is that GDS indexes and finds documents that you may prefer not be found. For example, GDS searches your browser’s cache. This allows it to find old Web pages you’ve visited, including online banking summaries, personal messages sent from Web e-mail programs and password-protected personal Web pages…

Profile: "hinky"

  • Bruce Schneier
  • Boston Globe
  • November 24, 2004

ON DEC. 14, 1999, Ahmed Ressam tried to enter the United States from Canada at Port Angeles, Wash. He had a suitcase bomb in the trunk of his car. A US customs agent, Diana Dean, questioned him at the border. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean’s own words, he was acting “hinky.” Ressam’s car was eventually searched, and he was arrested.

It wasn’t any one thing that tipped Dean off; it was everything encompassed in the slang term “hinky.” But it worked. The reason there wasn’t a bombing at Los Angeles International Airport around Christmas 1999 was because a trained, knowledgeable security person was paying attention…

What's Wrong With Electronic Voting Machines?

  • Bruce Schneier
  • OpenDemocracy
  • November 9, 2004

In the aftermath of the American presidential election on 2 November 2004, electronic voting machines are again in the news. Computerised machines lost votes, subtracted votes, and doubled some votes too. And because many of these machines have no paper audit trails, a large number of votes will never be counted.

While it is unlikely that deliberate voting-machine fraud changed the result of this presidential election, the internet is buzzing with rumours and allegations in a number of different jurisdictions and races. It is still too early to tell if any of these problems affected any individual state’s election, but the next few weeks will reveal whether any of the information crystallises into something significant…

Getting Out the Vote

Why is it so hard to run an honest election?

  • Bruce Schneier
  • San Francisco Chronicle
  • October 31, 2004

Four years after the Florida debacle of 2000 and two years after Congress passed the Help America Vote Act, voting problems are again in the news: confusing ballots, malfunctioning voting machines, problems over who’s registered and who isn’t. All this brings up a basic question: Why is it so hard to run an election?

A fundamental requirement for a democratic election is a secret ballot, and that’s the first reason. Computers regularly handle multimillion-dollar financial transactions, but much of their security comes from the ability to audit the transactions after the fact and correct problems that arise. Much of what they do can be done the next day if the system is down. Neither of these solutions works for elections…

Information Security: How Liable Should Vendors Be?

  • Bruce Schneier
  • Computerworld
  • October 28, 2004

An update to this essay was published in ENISA Quarterly in January 2007.

Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to endure. We pay for it when we have to buy security products and services to reduce those other two losses. We pay for security, year after year.

The problem is that all the money we spend isn’t fixing the problem. We’re paying, but we still end up with insecurities…

The Security of Checks and Balances

  • Bruce Schneier
  • The Sydney Morning Herald
  • October 26, 2004

Much of the political rhetoric surrounding the US presidential election centers around the relative security posturings of President George W. Bush and Senator John Kerry, with each side loudly proclaiming that his opponent will do irrevocable harm to national security.

Terrorism is a serious issue facing our nation in the early 21st century, and the contrasting views of these candidates are important. But this debate obscures another security risk, one much more central to the US: the increasing centralisation of American political power in the hands of the executive branch of the government…

Outside View: Security at the World Series

  • Bruce Schneier
  • UPI
  • October 22, 2004

The World Series is no stranger to security. Fans try to sneak into the ballpark without tickets or with counterfeit tickets. Often foods and alcohol are prohibited from being brought into the ballpark, to enforce the monopoly of the high-priced concessions.

Violence is always a risk: both small fights and larger-scale riots that result from fans from both teams being in such close proximity—like the one that almost happened during the sixth game of the American League Championship Series.

Today, the new risk is terrorism. Security at the Olympics cost $1.5 billion. Some $50 million each was spent at the Democratic and Republican conventions on security. There has been no public statement about the security bill for the World Series, but it’s reasonable to assume it will be impressive…

Bigger Brother

  • Bruce Schneier
  • The Baltimore Sun
  • October 4, 2004

The Baltimore housing department has a new tool to find homeowners who have been building rooftop decks without a permit: aerial mapping. Baltimore bought aerial photographs of the entire city and used software to correlate the images with databases of address information and permit records. Inspectors have just begun knocking on doors of residents who built decks without permission.

On the face of it, this is nothing new. Police always have been able to inspect buildings for permit violations. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to automatically document every building code violation in any city. What’s different isn’t the police tactic but the efficiency of the process…

Does Big Brother want to watch?

  • Bruce Schneier
  • International Herald Tribune
  • October 4, 2004

Since the terrorist attacks of 2001, the Bush administration—specifically, the Department of Homeland Security—has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their nonvisa status.

These future passports, currently being tested, will include an embedded computer chip. This chip will allow the passport to contain much more information than a simple machine-readable character font, and will allow passport officials to quickly and easily read that information. That is a reasonable requirement and a good idea for bringing passport technology into the 21st century…

Do Terror Alerts Work?

  • Bruce Schneier
  • The Rake
  • October 2004

How would we know? An essay by one of the world’s busiest security experts.

As I read the litany of terror threat warnings that the government has issued in the past three years, the thing that jumps out at me is how vague they are. The careful wording implies everything without actually saying anything. We hear “terrorists might try to bomb buses and rail lines in major U.S. cities this summer,” and there’s “increasing concern about the possibility of a major terrorist attack.” “At least one of these attacks could be executed by the end of the summer 2003.” Warnings are based on “uncorroborated intelligence,” and issued even though “there is no credible, specific information about targets or method of attack.” And, of course, “weapons of mass destruction, including those containing chemical, biological, or radiological agents or materials, cannot be discounted.”…

The Non-Security of Secrecy

  • Bruce Schneier
  • Communications of the ACM
  • October 2004

Considerable confusion exists between the different concepts of secrecy and security, which often causes bad security and surprising political arguments. Secrecy usually contributes only to a false sense of security.

In June 2004, the U.S. Department of Homeland Security urged regulators to keep network outage information secret. The Federal Communications Commission requires telephone companies to report large disruptions of telephone service, and wants to extend that to high-speed data lines and wireless networks. DHS fears that such information would give cyberterrorists a “virtual road map” to target critical infrastructures…

Saluting the data encryption legacy

  • Bruce Schneier
  • CNET
  • September 27, 2004

The Data Encryption Standard, or DES, was a mid-’70s brainchild of the National Bureau of Standards: the first modern, public, freely available encryption algorithm. For over two decades, DES was the workhorse of commercial cryptography.

Over the decades, DES has been used to protect everything from databases in mainframe computers, to the communications links between ATMs and banks, to data transmissions between police cars and police stations. Whoever you are, I can guarantee that many times in your life, the security of your data was protected by DES…

Academics locked out by tight visa controls

  • Bruce Schneier
  • San Jose Mercury News
  • September 20, 2004

U.S. Security Blocks Free Exchange of Ideas

Cryptography is the science of secret codes, and it is a primary Internet security tool to fight hackers, cyber crime, and cyber terrorism. CRYPTO is the world’s premier cryptography conference. It’s held every August in Santa Barbara.

This year, 400 people from 30 countries came to listen to dozens of talks. Lu Yi was not one of them. Her paper was accepted at the conference. But because she is a Chinese Ph.D. student in Switzerland, she was not able to get a visa in time to attend the conference…

City Cops' Plate Scanner is a License to Snoop

  • Bruce Schneier
  • New Haven Register
  • September 19, 2004

New Haven police have a new law enforcement tool: a license-plate scanner. Similar to a radar gun, it reads the license plates of moving or parked cars and links with remote police databases, immediately providing information about the car and owner. Right now the police check if there are any taxes owed on the car, if the car or license plate is stolen, and if the car is unregistered or uninsured. A car that comes up positive is towed.

On the face of it, this is nothing new. The police have always been able to run a license plate. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to run the plates of every car in a parking garage, or every car that passed through an intersection. What’s different isn’t the police tactic, but the efficiency of the process…

Security Information Management Systems: Solution, or Part of the Problem?

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2004


We in the computer security industry are guilty of over-hyping and under-delivering. Again and again, we tell customers that they need to buy this or that product in order to be secure. Again and again, customers buy the products and are still not secure.

Firewalls didn’t keep out network attackers, and ignored the fact that the notion of “perimeter” is severely flawed. Intrusion detection systems didn’t keep networks safe, and worms and viruses do considerable damage despite the prevalence of anti-virus products. Intrusion prevention systems are being hyped as the new solution, but we all know that they won’t prevent intrusions…

We Owe Much to DES

  • Bruce Schneier
  • eWeek
  • August 30, 2004

It was a historic moment when, last month, the National Institute of Standards and Technology proposed withdrawing the Data Encryption Standard as an encryption standard.

DES has been the most popular encryption algorithm for 25 years. Developed at IBM, it was chosen by the National Bureau of Standards (now NIST) as the government-standard encryption algorithm in 1976. Since then, it has become an international encryption standard and has been used in thousands of applications, despite concerns about its short key length.

In 1972, the NBS initiated a program to protect computer and communications data that included a standard encryption algorithm. IBM submitted an algorithm that used simple logical operations on small groups of bits and could be implemented efficiently in mid-1970s hardware. The algorithm’s key strength comes from an S-box, a nonlinear table-lookup specified by strings of constants…

How Long Can the Country Stay Scared?

  • Bruce Schneier
  • Minneapolis Star Tribune
  • August 27, 2004

Want to learn how to create and sustain psychosis on a national scale? Look carefully at the public statements made by the Department of Homeland Security.

Here are a few random examples: “Weapons of mass destruction, including those containing chemical, biological or radiological agents or materials, cannot be discounted.” “At least one of these attacks could be executed by the end of the summer 2003.” “These credible sources suggest the possibility of attacks against the homeland around the holiday season and beyond.”

The DHS’s threat warnings have been vague, indeterminate, and unspecific. The threat index goes from yellow to orange and back again, although no one is entirely sure what either level means. We’ve been warned that the terrorists might use helicopters, scuba gear, even cheap prescription drugs from Canada. New York and Washington, D.C., were put on high alert one day, and the next day told that the alert was based on information years old. The careful wording of these alerts allows them not to require any sound, confirmed, accurate intelligence information, while at the same time guaranteeing hysterical media coverage. This headline-grabbing stuff might make for good movie plots, but it doesn’t make us safer…

Olympic Security

  • Bruce Schneier
  • The Sydney Morning Herald
  • August 26, 2004

If you’re watching the Olympic games on television, you’ve already seen the unprecedented security surrounding the 2004 Games. You’ve seen shots of guards and soldiers, and gunboats and frogmen patrolling the harbors.

But there’s a lot more security behind the scenes. Olympic press materials state that there is a system of 1250 infrared and high-resolution surveillance cameras mounted on concrete poles. Additional surveillance data is collected from sensors on 12 patrol boats, 4000 vehicles, 9 helicopters, four mobile command centres, and a blimp…

U.S. 'No-Fly' List Curtails Liberties

Intended as a counterterrorism tool, it doesn't work and tramples on travelers' rights

  • Bruce Schneier
  • Newsday
  • August 25, 2004

Imagine a list of suspected terrorists so dangerous that we can’t ever let them fly, yet so innocent that we can’t arrest them – even under the draconian provisions of the Patriot Act.

This is the federal government’s “no-fly” list. First circulated in the weeks after 9/11 as a counterterrorism tool, its details are shrouded in secrecy.

But, because the list is filled with inaccuracies and ambiguities, thousands of innocent, law-abiding Americans have been subjected to lengthy interrogations and invasive searches every time they fly, and sometimes forbidden to board airplanes…

An Easy Path for Terrorists

  • Bruce Schneier
  • Boston Globe
  • August 24, 2004

If you fly out of Logan Airport and don’t want to take off your shoes for the security screeners and get your bags opened up, pay attention. The US government is testing its “Trusted Traveler” program, and Logan is the fourth test airport. Currently, only American Airlines frequent fliers are eligible, but if all goes well the program will be opened up to more people and more airports.

Participants provide their name, address, phone number, and birth date, a set of fingerprints, and a retinal scan. That information is matched against law enforcement and intelligence databases. If the applicant is not on any terrorist watch list and is otherwise an upstanding citizen, he gets a card that allows him access to a special security lane. The lane doesn’t bypass the metal detector or X-ray machine for carry-on bags, but it bypasses more intensive secondary screening unless there’s an alarm of some kind…

Cryptanalysis of MD5 and SHA: Time for a New Standard

  • Bruce Schneier
  • Computerworld
  • August 19, 2004

At the Crypto 2004 conference in Santa Barbara, Calif., this week, researchers announced several weaknesses in common hash functions. These results, while mathematically significant, aren’t cause for alarm. But even so, it’s probably time for the cryptography community to get together and create a new hash standard.

One-way hash functions are a cryptographic construct used in many applications. They are used with public-key algorithms for both encryption and digital signatures. They are used in integrity checking. They are used in authentication. They have all sorts of applications in a great many different protocols. Much more than encryption algorithms, one-way hash functions are the workhorses of modern cryptography…

BOB on Board

  • Bruce Schneier
  • The Sydney Morning Herald
  • August 2, 2004

Last Tuesday’s bomb scare contains valuable security lessons, both good and bad, about how to achieve security in these dangerous times.

Ninety minutes after taking off from Sydney Airport, a flight attendant on a United Airlines flight bound for Los Angeles found an airsickness bag—presumably unused—in a lavatory with the letters “BOB” written on it.

The flight attendant decided that the letters stood for “Bomb On Board” and immediately alerted the captain, who decided the risk was serious enough to turn the plane around and land back in Sydney…

Security, Houston-Style

  • Bruce Schneier
  • The Sydney Morning Herald
  • July 30, 2004

Want to help fight terrorism? Want to be able to stop and detain suspicious characters? Or do you just want to ride your horse on ten miles of trails normally closed to the public? Then you might want to join the George Bush Intercontinental (IAH) Airport Rangers program. That’s right. Just fill out a form and undergo a background check, and you too can become a front-line fighter as Houston’s airport tries to keep the US of A safe and secure. No experience necessary. You don’t even have to be a US citizen.

No; it’s not a joke. The Airport Rangers program is intended to promote both security and community participation, according to the official description. It’s a volunteer mounted patrol that rides horses along the pristine wooded trails that form the perimeter of the 11,000-acre airport…

US-VISIT Is No Bargain

  • Bruce Schneier
  • eWeek
  • July 6, 2004

In the wake of the U.S. Department of Homeland Security’s awarding of its largest contract, for a system to fingerprint and to keep tabs on foreign visitors in the United States, it makes sense to evaluate our country’s response to terrorism. Are we getting good value for all the money that we’re spending?

US-VISIT is a government program to help identify the 23 million foreigners who visit the United States every year. It includes capturing fingerprints and taking photographs of all the visitors and building a database to store all this data. Citizens of 27 countries, mostly in Europe, who don’t need a visa to enter the United States are exempt. And visitors from those countries are expected to have passports with biometric data encoded on them in a few years…

Customers, Passwords, and Web Sites

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004


Criminals follow money. Today, more and more money is on the Internet: millions of people manage their bank, PayPal, or other accounts—and even their stock portfolios—online. It’s a tempting target—if criminals can access one of these accounts, they can steal a lot of money.

And almost all these accounts are protected only by passwords.

You already know that passwords are insecure. In my book Secrets and Lies (published way back in 2000), I wrote: “…password crackers can now break anything that you can reasonably expect a user to memorize.”…

Security and Compliance

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004


It’s been said that all business-to-business sales are motivated by either fear or greed. Traditionally, security products and services have been a fear sell: fear of burglars, murderers, kidnappers, and—more recently—hackers. Despite repeated attempts by the computer security industry to position itself as a greed sell—“better Internet security will make your company more profitable because you can better manage your risks”—fear remains the primary motivator for the purchase of network security products and services…

Insider Risks in Elections

  • Paul Kocher and Bruce Schneier
  • Communications of the ACM
  • July 2004

Many discussions of voting systems and their relative integrity have been primarily technical, focusing on the difficulty of attacks and defenses. This is only half of the equation: it’s not enough to know how much it might cost to rig an election by attacking voting systems; we also need to know how much it would be worth to do so. Our illustrative example uses the most recent available U.S. data, but is otherwise not intended to be specific to any particular political party.

In order to gain a clear majority of the House in 2002, Democrats would have needed to win 13 seats that went to Republicans. According to Associated Press voting data, Democrats could have added 13 seats by swinging 49,469 votes. This corresponds to changing just over 1% of the 4,310,198 votes in these races and under 1/1000 of the 70 million votes cast in contested House races. The Senate was even closer: switching 20,703 votes in Missouri and New Hampshire would have provided Democrats with the necessary two seats…

Voting Security and Technology

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004


Voting seems like the perfect application for technology, but actually applying it is harder than it first appears. To ensure that voters can vote honestly, they need anonymity, which requires a secret ballot. Through the centuries, different civilizations have done their best with the available technologies. Stones and pottery shards dropped in Greek vases led to paper ballots dropped in sealed boxes. Mechanical voting booths and punch cards replaced paper ballots for faster counting. Now, new computerized voting machines promise even more efficiency, and remote Internet voting promises even more convenience…

Unchecked Police And Military Power Is A Security Threat

  • Bruce Schneier
  • Minneapolis Star Tribune
  • June 24, 2004

As the U.S. Supreme Court decides three legal challenges to the Bush administration’s legal maneuverings against terrorism, it is important to keep in mind how critical these cases are to our nation’s security. Security is multifaceted; there are many threats from many different directions. It includes the security of people against terrorism, and also the security of people against tyrannical government.

The three challenges are all similar, but vary slightly. In one case, the families of 12 Kuwaiti and two Australian men imprisoned in Guantanamo Bay argue that their detention is an illegal one under U.S. law. In the other two cases, lawyers argue whether U.S. citizens—one captured in the United States and the other in Afghanistan—can be detained indefinitely without charge, trial or access to an attorney…

CLEARly Muddying the Fight Against Terror

  • Bruce Schneier
  • June 16, 2004

Danny Sigui lived in Rhode Island. After witnessing a murder, he called 911 and became a key witness in the trial. In the process, he unwittingly alerted officials of his immigration status. He was arrested, jailed and eventually deported.

In a misguided effort to combat terrorism, some members of Congress want to use the National Crime Information Center (NCIC) database to enforce federal civil immigration laws. The idea is that state and local police officers who check the NCIC database in routine situations will be able to assist the federal government in enforcing our nation’s immigration laws…

The Witty Worm: A New Chapter in Malware

  • Bruce Schneier
  • Computerworld
  • June 2, 2004

If press coverage is any guide, then the Witty worm wasn’t all that successful. Blaster, SQL Slammer, Nimda, even Sasser made bigger headlines. Witty infected only about 12,000 machines, almost none of them home users. It didn’t seem like a big deal.

But Witty was a big deal (see story). It represented some scary malware firsts and is likely a harbinger of worms to come. IT professionals need to understand Witty and what it did.

Witty was the first worm to target a particular set of security products—in this case Internet Security Systems’ BlackICE and RealSecure. It infected and destroyed only computers that had particular versions of this software running…

Microsoft's Actions Speak Louder Than Words

  • Bruce Schneier
  • Network World
  • May 31, 2004

The security of your computer and network depends on two things: what you do to secure your computer and network, and what everyone else does to secure their computers and networks. It’s not enough for you to maintain a secure network. If other people don’t maintain their security, we’re all more vulnerable to attack. When many unsecure computers are connected to the Internet, worms spread faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. The more unsecure the average computer on the Internet is, the more unsecure your computer is…

Curb Electronic Surveillance Abuses

  • Bruce Schneier
  • Newsday
  • May 10, 2004

As technological monitoring grows more prevalent, court supervision is crucial

Years ago, surveillance meant trench-coated detectives following people down streets.

Today’s detectives are more likely to be sitting in front of a computer, and the surveillance is electronic. It’s cheaper, easier and safer. But it’s also much more prone to abuse. In the world of cheap and easy surveillance, a warrant provides citizens with vital security against a more powerful police.

Warrants are guaranteed by the Fourth Amendment and are required before the police can search your home or eavesdrop on your telephone calls. But what other forms of search and surveillance are covered by warrants is still unclear…

We Are All Security Customers

  • Bruce Schneier
  • CNET
  • May 4, 2004

National security is a hot political topic right now, as both presidential candidates are asking us to decide which one of them is better fit to secure the country.

Many large and expensive government programs—the CAPPS II airline profiling system, the US-VISIT program that fingerprints foreigners entering our country, and the various data-mining programs in research and development—take as a given the need for more security.

At the end of 2005, when many provisions of the controversial Patriot Act expire, we will again be asked to sacrifice certain liberties for security, as many legislators seek to make those provisions permanent…

Terrorist Threats and Political Gains

  • Bruce Schneier
  • Counterpunch
  • April 27, 2004

Posturing, pontifications, and partisan politics aside, the one clear generalization that emerges from the 9/11 hearings is that information—timely, accurate, and free-flowing—is critical in our nation’s fight against terrorism. Our intelligence and law-enforcement agencies need this information to better defend our nation, and our citizens need this information to better debate massive financial expenditures for anti-terrorist measures, changes in law that aid law enforcement and diminish civil liberties, and the upcoming Presidential election…

Hacking the Business Climate for Network Security

  • Bruce Schneier
  • IEEE Computer
  • April 2004

Computer security is at a crossroads. It’s failing, regularly, and with increasingly serious results. CEOs are starting to notice. When they finally get fed up, they’ll demand improvements. (Either that or they’ll abandon the Internet, but I don’t believe that is a likely possibility.) And they’ll get the improvements they demand; corporate America can be an enormously powerful motivator once it gets going.

For this reason, I believe computer security will improve eventually. I don’t think the improvements will come in the short term, and I think that they will be met with considerable resistance. This is because the engine of improvement will be fueled by corporate boardrooms and not computer-science laboratories, and as such won’t have anything to do with technology. Real security improvement will only come through liability: holding software manufacturers accountable for the security and, more generally, the quality of their products. This is an enormous change, and one the computer industry is not going to accept without a fight…

A National ID Card Wouldn't Make Us Safer

  • Bruce Schneier
  • Minneapolis Star Tribune
  • April 1, 2004

This essay also appeared, in a slightly different form, in The Mercury News.

As a security technologist, I regularly encounter people who say the United States should adopt a national ID card. How could such a program not make us more secure, they ask?

The suggestion, when it’s made by a thoughtful civic-minded person like Nicholas Kristof (Star-Tribune, March 18), often takes on a tone that is regretful and ambivalent: Yes, indeed, the card would be a minor invasion of our privacy, and undoubtedly it would add to the growing list of interruptions and delays we encounter every day; but we live in dangerous times, we live in a new world … …

America's Flimsy Fortress

  • Bruce Schneier
  • Wired
  • March 2004

Every day, some 82,000 foreign visitors set foot in the US with a visa, and since early this year, most of them have been fingerprinted and photographed in the name of security. But despite the money spent, the inconveniences suffered, and the international ill will caused, these new measures, like most instituted in the wake of September 11, are mostly ineffectual.

Terrorist attacks are very rare. So rare, in fact, that the odds of being the victim of one in an industrialized country are almost nonexistent. And most attacks affect only a few people. The events of September 11 were a statistical anomaly. Even counting the toll they took, 2,978 people in the US died from terrorism in 2001. That same year, 157,400 Americans died of lung cancer, 42,116 in road accidents, and 3,454 from malnutrition…

IDs and the Illusion of Security

  • Bruce Schneier
  • San Francisco Chronicle
  • February 3, 2004

German translation

In recent years there has been an increased use of identification checks as a security measure. Airlines always demand photo IDs, and hotels increasingly do so. They’re often required for admittance into government buildings, and sometimes even hospitals. Everywhere, it seems, someone is checking IDs. The ostensible reason is that ID checks make us all safer, but that’s just not so. In most cases, identification has very little to do with security.

Let’s debunk the myths:

First, verifying that someone has a photo ID is a completely useless security measure. All the Sept. 11 terrorists had photo IDs. Some of the IDs were real. Some were fake. Some were real IDs in fake names, bought from a crooked DMV employee in Virginia for $1,000 each. Fake driver’s licenses for all 50 states, good enough to fool anyone who isn’t paying close attention, are available on the Internet. Or if you don’t want to buy IDs online, just ask any teenager where to get a fake ID…

Slouching Towards Big Brother

  • Bruce Schneier
  • CNET
  • January 30, 2004

Last week the Supreme Court let stand the Justice Department’s right to secretly arrest noncitizen residents.

Combined with the government’s power to designate foreign prisoners of war as “enemy combatants” in order to ignore international treaties regulating their incarceration, and their power to indefinitely detain U.S. citizens without charge or access to an attorney, the United States is looking more and more like a police state.

Since the Sept. 11 attacks, the Justice Department has asked for, and largely received, additional powers that allow it to perform an unprecedented amount of surveillance of American citizens and visitors. The USA Patriot Act, passed in haste after Sept. 11, started the ball rolling…

Fingerprinting Visitors Won't Offer Security

  • Bruce Schneier
  • Newsday
  • January 14, 2004

Imagine that you’re going on vacation to some exotic country.

You get your visa, plan your trip and take a long flight. How would you feel if, at the border, you were photographed and fingerprinted? How would you feel if your biometrics stayed in that country’s computers for years? If your fingerprints could be sent back to your home country? Would you feel welcomed by that country, or would you feel like a criminal?

This month the U.S. government began giving such treatment to an expected 23 million visitors to the United States. The US-VISIT program is designed to capture biometric information at our borders. Only citizens of 27 countries who don’t need a visa to enter the United States, mostly Europeans, are exempt. Currently all 115 international airports and 14 seaports are covered, and over the next three years this program will be expanded to cover at least 50 land crossings and also to screen foreigners exiting the country…

Homeland Insecurity

The fact that U.S. intelligence agencies can't tell terrorists from children on passenger jets does little to inspire confidence.

  • Bruce Schneier
  • Salon
  • January 9, 2004

Security can fail in two different ways. It can fail to work in the presence of an attack: a burglar alarm that a burglar successfully defeats. But security can also fail to work correctly when there’s no attack: a burglar alarm that goes off even if no one is there.

Citing “very credible” intelligence regarding terrorism threats, U.S. intelligence canceled 15 international flights in the last couple of weeks, diverted at least one more flight to Canada, and had F-16s shadow others as they approached their final destinations.

These seem to have been a bunch of false alarms. Sometimes it was a case of mistaken identity. For example, one of the “terrorists” on an Air France flight was a child whose name matched that of a terrorist leader; another was a Welsh insurance agent. Sometimes it was a case of assuming too much; British Airways Flight 223 was detained once and canceled twice, on three consecutive days, presumably because that flight number turned up on some communications intercept somewhere. In response to the public embarrassment from these false alarms, the government is slowly leaking information about a particular person who didn’t show up for his flight, and two non-Arab-looking men who may or may not have had bombs. But these seem more like efforts to save face than the very credible evidence that the government promised…
