Entries Tagged "sports"


The Futility of Defending the Targets

This is just silly:

Beaver Stadium is a terrorist target. It is most likely the No. 1 target in the region. As such, it deserves security measures commensurate with such a designation, but is the stadium getting such security?

[..]

When the stadium is not in use it does not mean it is not a target. It must be watched constantly. An easy solution is to assign police officers there 24 hours a day, seven days a week. This is how a plot to destroy the Brooklyn Bridge was thwarted—police presence. Although there are significant costs to this, the costs pale in comparison if the stadium is destroyed or damaged.

The idea is to create omnipresence, which is a belief in everyone’s minds (terrorists and pranksters included) that the stadium is constantly being watched so that any attempt would be futile.

Actually, the Brooklyn Bridge plot failed because the plotters were idiots and the plot—cutting through cables with blowtorches—was dumb. That, and the all-too-common police informant who egged the plotters on.

But never mind that. Beaver Stadium is Pennsylvania State University’s football stadium, and this article argues that it’s a potential terrorist target that needs 24/7 police protection.

The problem with that kind of reasoning is that it makes no sense. As I said in an article that will appear in New Internationalist:

To be sure, reasonable arguments can be made that some terrorist targets are more attractive than others: aeroplanes because a small bomb can result in the death of everyone aboard, monuments because of their national significance, national events because of television coverage, and transportation because of the numbers of people who commute daily. But there are literally millions of potential targets in any large country (there are five million commercial buildings alone in the US), and hundreds of potential terrorist tactics; it’s impossible to defend every place against everything, and it’s impossible to predict which tactic and target terrorists will try next.

Defending individual targets only makes sense if the number of potential targets is few. If there are seven terrorist targets and you defend five of them, you seriously reduce the terrorists’ ability to do damage. But if there are a million terrorist targets and you defend five of them, the terrorists won’t even notice. I tend to dislike security measures that merely cause the bad guys to make a minor change in their plans.

And the expense would be enormous. Add up these secondary terrorist targets—stadiums, theaters, churches, schools, malls, office buildings, anyplace where a lot of people are packed together—and the number is probably around 200,000, including Beaver Stadium. Full-time police protection requires people, so that’s 1,000,000 policemen. At an encumbered cost of $100,000 per policeman per year, probably a low estimate, that’s a total annual cost of $100B. (That’s about what we’re spending each year in Iraq.) On the other hand, hiring one out of every 300 Americans to guard our nation’s infrastructure would solve our unemployment problem. And since policemen get health care, our health care problem as well. Just make sure you don’t accidentally hire a terrorist to guard against terrorists—that would be embarrassing.

The whole idea is nonsense. As I’ve been saying for years, what works is investigation, intelligence, and emergency response:

We need to defend against the broad threat of terrorism, not against specific movie plots. Security is most effective when it doesn’t make arbitrary assumptions about the next terrorist act. We need to spend more money on intelligence and investigation: identifying the terrorists themselves, cutting off their funding, and stopping them regardless of what their plans are. We need to spend more money on emergency response: lessening the impact of a terrorist attack, regardless of what it is. And we need to face the geopolitical consequences of our foreign policy and how it helps or hinders terrorism.

Posted on October 9, 2009 at 6:37 AM

Reporting Unruly Football Fans via Text Message

This system is available in most NFL stadiums:

Fans still are urged to complain to an usher or call a security hotline in the stadium to report unruly behavior. But text-messaging lines—typically advertised on stadium scoreboards and on signs where fans gather—are aimed at allowing tipsters to surreptitiously alert security personnel via cellphone without getting involved with rowdies or missing part of a game.

As of this week, 29 of the NFL’s 32 teams had installed a text-message line or telephone hotline. Three clubs have neither: the New Orleans Saints, St. Louis Rams and Tennessee Titans. Ahlerich says he will “strongly urge” all clubs to have text lines in place for the 2009 season. A text line will be available at the Super Bowl for the first time when this season’s championship game is played at Tampa’s Raymond James Stadium on Feb. 1.

“If there’s someone around you that’s just really ruining your day, now you don’t have to sit there in silence,” says Jeffrey Miller, the NFL’s director of strategic security. “You can do this. It’s very easy. It’s quick. And you get an immediate response.”

The article talks a lot about false alarms and prank calls, but—in general—this seems like a good use of technology.

Posted on January 8, 2009 at 6:44 AM

Anti-Terrorism Stupidity at Yankee Stadium

They’re confiscating sunscreen at Yankee Stadium:

The team contends that sunscreen has long been on the list of stadium contraband, but there is no mention of it on the Yankee Web site.

Four weeks ago, Stadium officials decided that sunscreen of all sizes and varieties would not be permitted, a security supervisor told The Post before last night’s game.

“There have been a lot of complaints,” he said. “We tell them to apply once and then throw it out.”

For fans who bring babies or young children to cheer on the home team, the guard had suggested they “beg” to take the sunblock in.

Seeing the giant bag full of confiscated sunscreen Saturday, one steaming Yankee fan asked whether he could take one of the tubes and apply it before heading into the park.

“Absolutely not,” the guard told him. “What if you get a rash? You might sue the Yankees.”

Next, I suppose, is confiscating liquids at pools.

We’ve collectively lost our minds.

This story has a happy ending, though. A day after The New York Post published this story, Yankee Stadium reversed its ban. Now, if only the Post had that same effect on airport security.

Posted on July 24, 2008 at 6:50 AM

High-School Football Prank Provokes Terrorism Fears

Okay, so it was a stupid (and dangerous) stunt:

A 17-year-old Hopewell High student was apparently acting on a dare when he did a fly-over prank at a Hopewell High football game Friday, at one point dipping below the stadium lights.

Charlotte-Mecklenburg Schools officials said Sunday that the teen pilot and two teen passengers flew the length of the field three times around 8 p.m. The plane reportedly came within feet of a flag pole.

On the final pass, a pair of tennis shoes and a football dropped from the single-engine Cessna 172 into the end zone, officials said.

But this is just funny:

“My immediate reaction was that we were going to have a terrorist act of some sort,” said Vincent “Bud” Cesena, head of CMS law enforcement, who was among the 4,000 people in the stands.

Yeah, because the terrorists are going to target high-school football games.

Posted on November 13, 2007 at 6:01 AM

World Series Ticket Website Hacked?

Maybe:

The Colorado Rockies will try again to sell World Series tickets through their Web site starting on Tuesday at noon.

Spokesman Jay Alves said tonight that the failure of Monday’s ticket sales happened because the system was brought down today by an “external malicious attack.”

There was a presale that “went well”:

The Colorado Rockies had a chance Sunday to test their online-sales operation in advance.

Season-ticket holders who had previously registered were able to log in with a special password to buy extra tickets.

Alves said the presale went well, with no problems.

But some people found glitches, such as being told to “enable cookies” and to set their computer security to the “lowest level.” And some fans couldn’t log in at all.

Alves explained that those who saw a “page cannot be displayed” message had “IP addresses that we blocked due to suspicious/malicious activity to our website during the last 24 to 48 hours. As an example, if several inquiries came from a single IP address they were blocked.”

Certainly scalpers have an incentive to attack this system.

EDITED TO ADD (10/28): The FBI is investigating.

Posted on October 25, 2007 at 11:52 AM

Spying in Football

The New England Patriots, one of the two or three best teams in the last five years, have been accused of stealing signals from the other team.

The “Game Operations Manual” states that “no video recording devices of any kind are permitted to be in use in the coaches’ booth, on the field, or in the locker room during the game.” The manual states that “all video shooting locations must be enclosed on all sides with a roof overhead.” NFL security officials confiscated a camera and videotape from a New England video assistant on the Patriots’ sideline when it was suspected he was recording the Jets’ defensive signals. Taping any signals is prohibited. The toughest part usually is finding evidence to support an allegation.

I remember when the NFL changed the rules to allow a radio link from the quarterback’s helmet to the sidelines. A smart team could not only eavesdrop on the other team, but selectively jam the signal when it would be most critical. The rules said that if one team’s radio link didn’t work, the other team had to turn its off, but that’s a minor consideration if you know it’s coming.

Funny parody.

EDITED TO ADD (9/15): The team and coach both have been fined.

And this is a really good conversation on the topic.

EDITED TO ADD (9/18): Ed Felten comments.

Posted on September 13, 2007 at 7:10 AM

Basketball Referees and Single Points of Failure

Sports referees are supposed to be fair and impartial. They’re not supposed to favor one team over another. And they’re most certainly not supposed to have a financial interest in the outcome of a game.

Tim Donaghy, referee for the National Basketball Association, has been accused of both betting on basketball games and fixing games for the mob. He has confessed to far less—gambling in general, and selling inside information on players, referees and coaches to a big-time professional gambler named James “Sheep” Battista. But the investigation continues, and the whole scandal is an enormous black eye for the sport. Fans like to think that the game is fair and that the winning team really is the winning team.

The details of the story are fascinating and well worth reading. But what interests me more are its general lessons about risk and audit.

What sorts of systems—IT, financial, NBA games or whatever—are most at risk of being manipulated? The ones where the smallest change can have the greatest impact, and the ones where trusted insiders can make that change.

Of all major sports, basketball is the most vulnerable to manipulation. There are only five players on the court per team, fewer than in other professional team sports; thus, a single player can have a much greater effect on a basketball game than he can in the other sports. Star players like Michael Jordan, Kobe Bryant and LeBron James can carry an entire team on their shoulders. Even baseball great Alex Rodriguez can’t do that.

Because individual players matter so much, a single referee can affect a basketball game more than he can in any other sport. Referees call fouls. Contact occurs on nearly every play, any of which could be called as a foul. They’re called “touch fouls,” and they are mostly, but not always, ignored. The refs get to decide which ones to call.

Even more drastically, a ref can put a star player in foul trouble immediately—and cause the coach to bench him longer throughout the game—if he wants the other side to win. He can set the pace of the game, low-scoring or high-scoring, based on how he calls fouls. He can decide to invalidate a basket by calling an offensive foul on the play, or give a team the potential for some extra points by calling a defensive foul. There’s no formal instant replay. There’s no second opinion. A ref’s word is law—there are only three of them—and a crooked ref has enormous power to control the game.

It’s not just that basketball referees are single points of failure, it’s that they’re both trusted insiders and single points of catastrophic failure.

These sorts of vulnerabilities exist in many systems. Consider what a terrorist-sympathizing Transportation Security Administration screener could do to airport security. Or what a criminal CFO could embezzle. Or what a dishonest computer-repair technician could do to your computer or network. The same goes for a corrupt judge, police officer, customs inspector, border-control officer, food-safety inspector and so on.

The best way to catch corrupt trusted insiders is through audit. The particular components of a system that have the greatest influence on the performance of that system need to be monitored and audited, even if the probability of compromise is low. It’s after the fact, but if the likelihood of detection is high and the penalties (fines, jail time, public disgrace) are severe, it’s a pretty strong deterrent. Of course, the counterattack is to target the auditing system. Hackers routinely try to erase audit logs that contain evidence of their intrusions.

Even so, audit is the reason we want open-source code reviews and verifiable paper trails in voting machines; otherwise, a single crooked programmer could single-handedly change an election. It’s also why the Securities and Exchange Commission closely monitors trades by brokers: They are in an ideal position to get away with insider trading. The NBA claims it monitors referees for patterns that might indicate abuse; there’s still no answer to why it didn’t detect Donaghy.

Most companies focus the bulk of their IT-security monitoring on external threats, but they should be paying more attention to internal threats. While a company may inherently trust its employees, those trusted employees have far greater power to affect corporate systems and are often single points of failure. And trusted employees can also be compromised by external elements, as Tim Donaghy was by Battista and possibly the Mafia.

All systems have trusted insiders. All systems have catastrophic points of failure. The key is recognizing them, and building monitoring and audit systems to secure them.

This is my 50th essay for Wired.com.

Posted on September 6, 2007 at 4:38 AM

Sidebar photo of Bruce Schneier by Joe MacInnis.