Entries Tagged "sports"


Sponsor-Only Security at the 2012 London Olympics

If you want your security technology to be considered for the London Olympics, you have to be a major sponsor of the event.

…he casually revealed that because neither of these companies was a ‘major sponsor’ of the Olympics their technology could not be used.

Yes, you read that right, as far as the technology behind the security of the London Olympic Games is concerned best of breed and suitability for purpose do not come into it, paying a large amount of money to the International Olympic Committee does.

I have repeatedly said that security is generally only part of a larger context, but this borders on ridiculous.

Posted on April 30, 2007 at 5:55 AM

Social Engineering Notes

This is a fantastic story of a major prank pulled off at the Super Bowl this year. Basically, five people smuggled more than a quarter of a ton of material into Dolphin Stadium in order to display their secret message on TV. A summary:

Just days after the Boston bomb scare, another team of Boston-based pranksters smuggled and distributed 2,350 suspicious light-up devices into the Super Bowl. Due to its attractiveness as a terrorist target, Dolphin Stadium was on a Level One security alert, a level usually reserved for Presidential inaugurations. By posing as media reporters, the pranksters were able to navigate 95 boxes through federal marshals, Homeland Security agents, bomb squads, police dogs, and a five-ton X-ray crane.

Given all the security, it’s amazing how easy it was for them to become part of the security perimeter with all that random stuff. But to those of us who follow this thing, it shouldn’t be. His observations are spot on:

1. Wear a suit.
2. Wear a Bluetooth headset.
3. Pretend to be talking loudly to someone on the other line.
4. Carry a clipboard.
5. Be white.

Again, no surprise here. But it makes you wonder what’s the point of annoying the hell out of ordinary citizens with security measures (like pat down searches) when the emperor has no clothes.

Someone who crashed the Oscars last year gave similar advice:

Show up at the theater, dressed as a chef carrying a live lobster, looking really concerned.

On a much smaller scale, here’s someone’s story of social engineering a bank branch:

I enter the first branch at approximately 9:00AM. Dressed in Dickies coveralls, a baseball cap, work boots and sunglasses I approach the young lady at the front desk.

“Hello,” I say. “John Doe with XYZ Pest Control, here to perform your pest inspection.” I flash her the smile followed by the credentials. She looks at me for a moment, goes “Uhm… okay… let me check with the branch manager…” and picks up the phone. I stand around twiddling my thumbs and wait while the manager is contacted and confirmation is made. If all goes according to plan, the fake emails I sent out last week notifying branch managers of our inspection will allow me access.

It does.

Social engineering is surprisingly easy. As I said in Beyond Fear (page 144):

Social engineering will probably always work, because so many people are by nature helpful and so many corporate employees are naturally cheerful and accommodating. Attacks are rare, and most people asking for information or help are legitimate. By appealing to the victim’s natural tendencies, the attacker will usually be able to cozen what she wants.

All it takes is a good cover story.

EDITED TO ADD (4/20): The first commenter suggested that the Zug story is a hoax. I think he makes a good argument, and I have no evidence to refute it. Does anyone know for sure?

EDITED TO ADD (4/21): Wired concludes that the Super Bowl stunt happened, but that no one noticed. Engadget is leaning toward hoax.

Posted on April 20, 2007 at 6:41 AM

Movie Plot Threat in Vancouver

The idiocy of this is impressive:

A Vancouver Police computer crime investigator has warned the city that plans for a citywide wireless Internet system put the city at risk of terrorist attack during the 2010 Winter Olympic Games.

The problem? Well, the problem seems to be that terrorists might attend the Olympic games and use the Internet while they’re there.

“If you have an open wireless system across the city, as a bad guy I could sit on a bus with a laptop and do global crime,” Fenton explained. “It would be virtually impossible to find me.”

There’s also some scary stuff about SCADA systems, and the city putting some of its own service on the Internet. Clearly this guy has thought about the risks a lot, just not with any sense. He’s overestimating cyberterrorism. He’s overestimating how important this one particular method of wireless Internet access is. He’s overestimating how important the 2010 Winter Olympics is.

But the newspaper was happy to play along and spread the fear. The photograph accompanying the article is captioned: “Anyone with a laptop and wireless access could commit a terrorist act, police warn.”

Posted on February 21, 2007 at 6:51 AM

Dave Barry on Super Bowl Security

Funny:

Also, if you are planning to go to the Super Bowl game on Sunday, be aware that additional security measures will be in effect, as follows:

  • WHEN TO ARRIVE: All persons attending the game MUST arrive at the stadium no later than 7:45 a.m. yesterday. There will be NO EXCEPTIONS. I am talking to you, Prince.
  • PERSONAL BELONGINGS: Fans will not be allowed to take anything into the stadium except medically required organs. If you need, for example, both kidneys, you will be required to produce a note from your doctor, as well as your actual doctor.
  • TAILGATING: There will be no tailgating. This is to thwart the terrorists, who are believed to have been planning a tailgate-based attack (code name “Death Hibachi”) involving the detonation of a nuclear bratwurst capable of leveling South Florida, if South Florida was not already so level to begin with.
  • TALKING: There will be no talking.
  • PERMITTED CHEERS: The National Football League, in conjunction with the Department of Homeland Security, the FBI, the CIA and Vice President Cheney, has approved the following three cheers for use during the game: (1) “You suck, ref!” (2) “Come on, (Name of Team)!” (3) “You suck, Prince!”

Back in 2004, I wrote a more serious essay on security at the World Series.

Posted on February 6, 2007 at 7:31 AM

Doping in Professional Sports

The big news in professional bicycle racing is that Floyd Landis may be stripped of his Tour de France title because he tested positive for a banned performance-enhancing drug. Sidestepping the entire issue of whether professional athletes should be allowed to take performance-enhancing drugs, how dangerous those drugs are, and what constitutes a performance-enhancing drug in the first place, I’d like to talk about the security and economic issues surrounding the issue of doping in professional sports.

Drug testing is a security issue. Various sports federations around the world do their best to detect illegal doping, and players do their best to evade the tests. It’s a classic security arms race: improvements in detection technologies lead to improvements in drug detection evasion, which in turn spur the development of better detection capabilities. Right now, it seems that the drugs are winning; in places, these drug tests are described as “intelligence tests”: if you can’t get around them, you don’t deserve to play.

But unlike many security arms races, the detectors have the ability to look into the past. Last year, a laboratory tested Lance Armstrong’s urine and found traces of the banned substance EPO. What’s interesting is that the urine sample tested wasn’t from 2005; it was from 1999. Back then, there weren’t any good tests for EPO in urine. Today there are, and the lab took a frozen urine sample—who knew that labs save urine samples from athletes?—and tested it. He was later cleared—the lab procedures were sloppy—but I don’t think the real ramifications of the episode were ever well understood. Testing can go back in time.

This has two major effects. One, doctors who develop new performance-enhancing drugs may know exactly what sorts of tests the anti-doping laboratories are going to run, and they can test their ability to evade drug detection beforehand. But they cannot know what sorts of tests will be developed in the future, and athletes cannot assume that just because a drug is undetectable today it will remain so years later.

Two, athletes accused of doping based on years-old urine samples have no way of defending themselves. They can’t resubmit to testing; it’s too late. If I were an athlete worried about these accusations, I would deposit my urine “in escrow” on a regular basis to give me some ability to contest an accusation.

The doping arms race will continue because of the incentives. It’s a classic Prisoner’s Dilemma. Consider two competing athletes: Alice and Bob. Both Alice and Bob have to individually decide if they are going to take drugs or not.

Imagine Alice evaluating her two options:

“If Bob doesn’t take any drugs,” she thinks, “then it will be in my best interest to take them. They will give me a performance edge against Bob. I have a better chance of winning.

“Similarly, if Bob takes drugs, it’s also in my interest to agree to take them. At least that way Bob won’t have an advantage over me.

“So even though I have no control over what Bob chooses to do, taking drugs gives me the better outcome, regardless of his action.”

Unfortunately, Bob goes through exactly the same analysis. As a result, they both take performance-enhancing drugs and neither has the advantage over the other. If they could just trust each other, they could refrain from taking the drugs and maintain the same non-advantage status—without any legal or physical danger. But competing athletes can’t trust each other, and everyone feels he has to dope—and continues to search out newer and more undetectable drugs—in order to compete. And the arms race continues.
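Alice's and Bob's reasoning above, worked through as an added example that is not part of the original essay. The payoff numbers are constructed ordinal rankings chosen to match that reasoning, and the function names are illustrative.

```python
from itertools import product

ACTIONS = ("clean", "dope")

# Constructed ordinal payoffs (higher is better), keyed by
# (Alice's action, Bob's action) and valued as (Alice, Bob).
# 3 = edge over a clean rival, 2 = both clean, 1 = both doping
# (same non-advantage as both clean, plus legal and physical danger),
# 0 = clean against a doping rival.
PAYOFF = {
    ("clean", "clean"): (2, 2),
    ("clean", "dope"): (0, 3),
    ("dope", "clean"): (3, 0),
    ("dope", "dope"): (1, 1),
}


def payoff(player, own, other):
    """Payoff to player (0 = Alice, 1 = Bob) for own action vs. the rival's."""
    profile = (own, other) if player == 0 else (other, own)
    return PAYOFF[profile][player]


def best_response(player, other):
    """The action that maximizes the player's payoff against a fixed rival action."""
    return max(ACTIONS, key=lambda action: payoff(player, action, other))


def dominant_strategy(player):
    """The action that is the best response to every rival action, or None."""
    responses = {best_response(player, other) for other in ACTIONS}
    return responses.pop() if len(responses) == 1 else None


def nash_equilibria():
    """Profiles where neither athlete gains by switching unilaterally."""
    return [(a, b) for a, b in product(ACTIONS, ACTIONS)
            if best_response(0, b) == a and best_response(1, a) == b]


def pareto_improvements(profile):
    """Profiles where nobody is worse off and the outcome differs."""
    base = PAYOFF[profile]
    return [p for p, value in PAYOFF.items()
            if value != base and all(x >= y for x, y in zip(value, base))]


if __name__ == "__main__":
    for player, name in enumerate(("Alice", "Bob")):
        print(name, "dominant strategy:", dominant_strategy(player))
    for eq in nash_equilibria():
        print("equilibrium:", eq, "better for both:", pareto_improvements(eq))
```

The only equilibrium is mutual doping, even though mutual abstention would leave both athletes better off, which is why neither can reach it without trust or enforcement.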

Some sports are more vigilant about drug detection than others. European bicycle racing is particularly vigilant; so are the Olympics. American professional sports are far more lenient, often trying to give the appearance of vigilance while still allowing athletes to use performance-enhancing drugs. They know that their fans want to see beefy linebackers, powerful sluggers, and lightning-fast sprinters. So, with a wink and a nod, they only test for the easy stuff.

For example, look at baseball’s current debate on human growth hormone: HGH. They have serious tests, and penalties, for steroid use, but everyone knows that players are now taking HGH because there is no urine test for it. There’s a blood test in development, but it’s still some time away from working. The way to stop HGH use is to take blood tests now and store them for future testing, but the players’ union has refused to allow it and the baseball commissioner isn’t pushing it.

In the end, doping is all about economics. Athletes will continue to dope because the Prisoner’s Dilemma forces them to do so. Sports authorities will either improve their detection capabilities or continue to pretend to do so—depending on their fans and their revenues. And as technology continues to improve, professional athletes will become more like deliberately designed racing cars.

This essay originally appeared on Wired.com.

Posted on August 10, 2006 at 5:18 AM

Basketball Prank

On March 4, University of California Berkeley (Cal) played a basketball game against the University of Southern California (USC). With Cal in contention for the PAC-10 title and the NCAA tournament at stake, the game was a must-win.

Enter “Victoria.”

Victoria was a hoax UCLA co-ed, created by Cal’s Rally Committee. For the previous week, “she” had been chatting with Gabe Pruitt, USC’s starting guard, over AOL Instant Messenger. It got serious. Pruitt and several of his teammates made plans to go to Westwood after the game so that they could party with Victoria and her friends.

On Saturday, at the game, when Pruitt was introduced in the starting lineup, the chants began: “Victoria, Victoria.” One of the fans held up a sign with her phone number.

The look on Pruitt’s face when he turned to the bench after the first Victoria chant was priceless. The expression was unlike anything ever seen in collegiate or pro sports. Never did a chant by the opposing crowd have such an impact on a visiting player. Pruitt was in total shock. (This is the only picture I could find.)

The chant “Victoria” lasted all night. To add to his embarrassment, transcripts of their IM conversations were handed out to the bench before the game: “You look like you have a very fit body.” “Now I want to c u so bad.”

Pruitt ended up a miserable 3-for-13 from the field.

(See also here and here.)

Security morals? First, this is the cleverest social engineering attack I’ve read about in a long time. Second, authentication is hard in little text windows—but it’s no less important. (Although even if this were a real co-ed recruited for the ruse, authentication wouldn’t have helped.) And third, you can hoodwink college basketball players if you get them thinking with their hormones.

Posted on March 14, 2006 at 12:11 PM

Lance Armstrong Accused of Doping

Lance Armstrong has been accused of using a banned substance while racing the Tour de France. From a security perspective, this isn’t very interesting. Blood and urine tests are used to detect banned substances all the time. But what is interesting is that the urine sample was from 1999, and the test was done in 2005.

Back in 1999, there was no test for the drug EPO. Now there is. Someone took an old urine sample—who knew that they stored old urine samples?—and ran the new test.

This ability of a security mechanism to go back in time is interesting, and similar to police exhuming dead bodies for new forensic analysis, or a new cryptographic technique permitting decades-old encrypted messages to be read.

It also has some serious ramifications for athletes considering using banned substances. Not only do they have to evade any tests that exist today, but they have to at least think about how they could evade any tests that might be invented in the future. You could easily imagine athletes being stripped of their records, medals, and titles decades in the future after past transgressions are discovered.

On the other hand, athletes accused of using banned substances in the past have limited means by which to defend themselves. Perhaps they will start storing samples of their own blood and urine in escrow, year after year, so they’d have well-stored and untainted bodily fluids with which to refute charges of past transgressions.

Posted on September 7, 2005 at 6:32 AM

World Series Security

The World Series is no stranger to security. Fans try to sneak into the ballpark without tickets, or with counterfeit tickets. Often foods and alcohol are prohibited from being brought into the ballpark, to enforce the monopoly of the high-priced concessions. Violence is always a risk: both small fights and larger-scale riots that result from fans from both teams being in such close proximity—like the one that almost happened during the sixth game of the AL series.

Today, the new risk is terrorism. Security at the Olympics cost $1.5 billion. $50 million each was spent at the Democratic and Republican conventions. There has been no public statement about the security bill for the World Series, but it’s reasonable to assume it will be impressive.

In our fervor to defend ourselves, it’s important that we spend our money wisely. Much of what people think of as security against terrorism doesn’t actually make us safer. Even in a world of high-tech security, the most important solution is the guy watching to keep beer bottles from being thrown onto the field.

Generally, security measures that defend specific targets are wasteful, because they can be avoided simply by switching targets. If we completely defend the World Series from attack, and the terrorists bomb a crowded shopping mall instead, little has been gained.

Even so, some high-profile locations, like national monuments and symbolic buildings, and some high-profile events, like political conventions and championship sporting events, warrant additional security. What additional measures make sense?

ID checks don’t make sense. Everyone has an ID. Even the 9/11 terrorists had IDs. What we want is to somehow check intention; is the person going to do something bad? But we can’t do that, so we check IDs instead. It’s a complete waste of time and money, and does absolutely nothing to make us safer.

Automatic face recognition systems don’t work. Computers that automatically pick terrorists out of crowds are a great movie plot device, but they don’t work in the real world. We don’t have a comprehensive photographic database of known terrorists. Even worse, the face recognition technology is so faulty that it often can’t make the matches even when we do have decent photographs. We tried it at the 2001 Super Bowl; it was a failure.

Airport-like attendee screening doesn’t work. The terrorists who took over the Russian school sneaked their weapons in long before their attack. And screening fans is only a small part of the solution. There are simply too many people, vehicles, and supplies moving in and out of a ballpark regularly. This kind of security failed at the Olympics, as reporters proved again and again that they could sneak all sorts of things into the stadiums undetected.

What does work is people: smart security officials watching the crowds. It’s called “behavior recognition,” and it requires trained personnel looking for suspicious behavior. Does someone look out of place? Is he nervous, and not watching the game? Is he not cheering, hissing, booing, and waving like a sports fan would?

This is what good policemen do all the time. It’s what Israeli airport security does. It works because instead of relying on checkpoints that can be bypassed, it relies on the human ability to notice something that just doesn’t feel right. It’s intuition, and it’s far more effective than computerized security solutions.

Will this result in perfect security? Of course not. No security measures are guaranteed; all we can do is reduce the odds. And the best way to do that is to pay attention. A few hundred plainclothes policemen, walking around the stadium and watching for anything suspicious, will provide more security against terrorism than almost anything else we can reasonably do.

And the best thing about policemen is that they’re adaptable. They can deal with terrorist threats, and they can deal with more common security issues, too.

Most of the threats at the World Series have nothing to do with terrorism; unruly or violent fans are a much more common problem. And more likely than a complex 9/11-like plot is a lone terrorist with a gun, a bomb, or something that will cause panic. But luckily, the security measures ballparks have already put in place to protect against the former also help protect against the latter.

Originally published by UPI.

Posted on October 25, 2004 at 6:31 PM


Sidebar photo of Bruce Schneier by Joe MacInnis.