Entries Tagged "terrorism"

Page 12 of 80

The Terrorist Risk of Food Trucks

This is idiotic:

Public Intelligence recently posted a Powerpoint presentation from the NYC fire department (FDNY) discussing the unique safety issues mobile food trucks present. Along with some actual concerns (many food trucks use propane and/or gasoline-powered generators to cook; some *gasp* aren’t properly licensed food vendors), the presenter decided to toss in some DHS speculation on yet another way terrorists might be killing us in the near future.

The rest of the article explains why the DHS believes we should be terrified of food trucks. And then it says:

The DHS’ unfocused “terrorvision” continues to see a threat in every situation and the department seems to be busying itself crafting a response to every conceivable “threat.” The problem with this “method” is that it turns any slight variation of “everyday activity” into something suspicious. The number of “terrorist implications” grows exponentially while the number of solutions remains the same. This Powerpoint is another example of good, old-fashioned fear mongering, utilizing public servants to spread the message.

Hear hear.

Someone needs to do something; the DHS is out of control.

Posted on November 15, 2012 at 6:45 AMView Comments

How To Tell if Your Hotel Guest Is a Terrorist

From the Department of Homeland Security, a handy list of 19 suspicious behaviors that could indicate that a hotel guest is actually a terrorist.

I myself have done several of these.

More generally, this is another example of why all the “see something say something” campaigns fail: “If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.

Posted on November 9, 2012 at 1:32 PMView Comments

How Terrorist Groups Disband

Interesting research from RAND:

Abstract: How do terrorist groups end? The evidence since 1968 indicates that terrorist groups rarely cease to exist as a result of winning or losing a military campaign. Rather, most groups end because of operations carried out by local police or intelligence agencies or because they join the political process. This suggests that the United States should pursue a counterterrorism strategy against al Qa’ida that emphasizes policing and intelligence gathering rather than a “war on terrorism” approach that relies heavily on military force.

This, of course, should surprise no one. Remember the work of Max Abrahms.

Posted on November 9, 2012 at 6:41 AMView Comments

Hacking TSA PreCheck

I have a hard time getting worked up about this story:

I have X’d out any information that you could use to change my reservation. But it’s all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way.

What terrorists or really anyone can do is use a website to decode the barcode and get the flight information, put it into a text file, change the 1 to a 3, then use another website to re-encode it into a barcode. Finally, using a commercial photo-editing program or any program that can edit graphics replace the barcode in their boarding pass with the new one they created. Even more scary is that people can do this to change names. So if they have a fake ID they can use this method to make a valid boarding pass that matches their fake ID. The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information. So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.

What a dumb way to design the system. It would be easier—and far more secure—if the boarding pass checker just randomly chose 10%, or whatever percentage they want, of PreCheck passengers to send through regular screening. Why go through the trouble of encoding it in the barcode and then reading it?

And—of course—this means that you can still print your own boarding pass.

On the other hand, I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security. So I don’t feel any less safe because of this vulnerability.

Still, I am surprised. Is this the same in other countries? Lots of countries scan my boarding pass before allowing me through security: France, the Netherlands, the UK, Japan, even Uruguay at Montevideo Airport when I flew out of there yesterday. I always assumed that those systems were connected to the airlines’ reservation databases. Does anyone know?

Posted on October 26, 2012 at 6:46 AMView Comments

Stoking Cyber Fears

A lot of the debate around President Obama’s cybsersecurity initiative centers on how much of a burden it would be on industry, and how that should be financed. As important as that debate is, it obscures some of the larger issues surrounding cyberwar, cyberterrorism, and cybersecurity in general.

It’s difficult to have any serious policy discussion amongst the fear mongering. Secretary Panetta’s recent comments are just the latest; search the Internet for “cyber 9/11,” “cyber Pearl-Harbor,” “cyber Katrina,” or—my favorite—”cyber Armageddon.”

There’s an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations. As long as cyber remains a prefix that scares, it’ll continue to be used as a bugaboo.

But while scare stories are more movie-plot than actual threat, there are real risks. The government is continually poked and probed in cyberspace, from attackers ranging from kids playing politics to sophisticated national intelligence gathering operations. Hackers can do damage, although nothing like the cyberterrorism rhetoric would lead you to believe. Cybercrime continues to rise, and still poses real risks to those of us who work, shop, and play on the Internet. And cyberdefense needs to be part of our military strategy.

Industry has definitely not done enough to protect our nation’s critical infrastructure, and federal government may need more involvement. This should come as no surprise; the economic externalities in cybersecurity are so great that even the freest free market would fail.

For example, the owner of a chemical plant will protect that plant from cyber attack up to the value of that plant to the owner; the residual risk to the community around the plant will remain. Politics will color how government involvement looks: market incentives, regulation, or outright government takeover of some aspects of cybersecurity.

None of this requires heavy-handed regulation. Over the past few years we’ve heard calls for the military to better control Internet protocols; for the United States to be able to “kill” all or part of the Internet, or to cut itself off from the greater Internet; for increased government surveillance; and for limits on anonymity. All of those would be dangerous, and would make us less secure. The world’s first military cyberweapon, Stuxnet, was used by the United States and Israel against Iran.

In all of this government posturing about cybersecurity, the biggest risk is a cyber-war arms race; and that’s where remarks like Panetta’s lead us. Increased government spending on cyberweapons and cyberdefense, and an increased militarization of cyberspace, is both expensive and destabilizing. Fears lead to weapons buildups, and weapons beg to be used.

I would like to see less fear mongering, and more reasoned discussion about the actual threats and reasonable countermeasures. Pushing the fear button benefits no one.

This essay originally appeared in the New York Times “Room for Debate” blog. Here are the other essays on the topic.

Posted on October 19, 2012 at 7:45 AMView Comments

Master Keys

Earlier this month, a retired New York City locksmith was selling a set of “master keys” on eBay:

Three of the five are standard issue for members of the FDNY, and the set had a metal dog tag that was embossed with an FDNY lieutenant’s shield number, 6896.

The keys include the all-purpose “1620,” a master firefighter key that with one turn could trap thousands of people in a skyscraper by sending all the elevators to the lobby and out of service, according to two FDNY sources. And it works for buildings across the city.

That key also allows one to open locked subway entrances, gain entry to many firehouses and get into boxes at construction jobs that house additional keys to all areas of the site.

The ring sold to The Post has two keys used by official city electricians that would allow access to street lamps, along with the basement circuit-breaker boxes of just about any large building.

Of course there’s the terrorist tie-in:

“With all the anti-terrorism activities, with all the protection that the NYPD is trying to provide, it’s astounding that you could get hold of this type of thing,” he said.

He walked The Post through a couple of nightmare scenarios that would be possible with the help of such keys.

“Think about the people at Occupy Wall Street who hate the NYPD, hate the establishment. They would love to have a set. Wouldn’t it be nice to walk in and disable Chase’s elevators?” he said.

Or, he said, “I could open the master box at construction sites, which hold the keys and the building plans. Once you get inside, you can steal, vandalize or conduct terrorist activities.”

The Huffington Post piled on:

“We cannot let anyone sell the safety of over 8 million people so easily,” New York City Public Advocate Bill de Blasio said in a statement. “Having these keys on the open market literally puts lives at risk. The billions we’ve spent on counter-terrorism have been severely undercut by this breech [sic].”

Sounds terrible. But—good news—the locksmith has stopped selling them. (On the other hand, the press has helpfully published a photograph of the keys, so you can make your own, even if you didn’t win the eBay auction.)

I found only one story that failed to hype the threat.

The current bit of sensationalism aside, this is fundamentally a hard problem. Master keys are only useful if they’re widely applicable—and if they’re widely applicable, they need to be distributed widely. This means that 1) they can’t be kept secret, and 2) they’re very expensive to update. I could easily imagine an electronic lock solution that would be much more adaptable, but electronic locks come with their own vulnerabilities, since the electronics are something else that can fail. I don’t know if a more complex system would be better in the end.

Posted on October 15, 2012 at 7:02 AMView Comments

Using Agent-Based Simulations to Evaluate Security Systems

Kay Hamacher and Stefan Katzenbeisser, “Public Security: Simulations Need to Replace Conventional Wisdom,” New Security Paradigms Workshop, 2011.

Abstract: Is more always better? Is conventional wisdom always the right guideline in the development of security policies that have large opportunity costs? Is the evaluation of security measures after their introduction the best way? In the past, these questions were frequently left unasked before the introduction of many public security measures. In this paper we put forward the new paradigm that agent-based simulations are an effective and most likely the only sustainable way for the evaluation of public security measures in a complex environment. As a case-study we provide a critical assessment of the power of Telecommunications Data Retention (TDR), which was introduced in most European countries, despite its huge impact on privacy. Up to now it is unknown whether TDR has any benefits in the identification of terrorist dark nets in the period before an attack. The results of our agent-based simulations suggest, contrary to conventional wisdom, that the current practice of acquiring more data may not necessarily yield higher identification rates.

Both the methodology and the conclusions are interesting.

Posted on September 26, 2012 at 7:11 AMView Comments

Estimating the Probability of Another 9/11

This statistical research says once per decade:

Abstract: Quantities with right-skewed distributions are ubiquitous in complex social systems, including political conflict, economics and social networks, and these systems sometimes produce extremely large events. For instance, the 9/11 terrorist events produced nearly 3000 fatalities, nearly six times more than the next largest event. But, was this enormous loss of life statistically unlikely given modern terrorism’s historical record? Accurately estimating the probability of such an event is complicated by the large fluctuations in the empirical distribution’s upper tail. We present a generic statistical algorithm for making such estimates, which combines semi-parametric models of tail behavior and a non-parametric bootstrap. Applied to a global database of terrorist events, we estimate the worldwide historical probability of observing at least one 9/11-sized or larger event since 1968 to be 11-35%. These results are robust to conditioning on global variations in economic development, domestic versus international events, the type of weapon used and a truncated history that stops at 1998. We then use this procedure to make a data-driven statistical forecast of at least one similar event over the next decade.

Article about the research.

Posted on September 13, 2012 at 1:20 PMView Comments

Stopping Terrorism

Nice essay on the futility of trying to prevent another 9/11:

“Never again.” It is as simplistic as it is absurd. It is as vague as it is damaging. No two words have provided so little meaning or context; no catchphrase has so warped policy discussions that it has permanently confused the public’s understanding of homeland security. It convinced us that invulnerability was a possibility.

The notion that policies should focus almost exclusively on preventing the next attack has also masked an ideological battle within homeland-security policy circles between “never again” and its antithesis, commonly referred to as “shit happens” but in polite company known as “resiliency.” The debate isn’t often discussed this way, and not simply because of the bad language. Time has not only eased the pain of that day, but there have also been no significant attacks. “Never again” has so infiltrated public discourse that to even acknowledge a trend away from prevention is considered risky, un-American. Americans don’t do “Keep Calm and Carry On.” But if they really want security, the kind of security that is sustainable and realistic, then they are going to have to.

There’s a lot of good material in this essay.

And on a related topic, an essay and commentary on overhyping the threat of terrorism at the London Olympics.

Posted on September 12, 2012 at 12:55 PMView Comments

1 10 11 12 13 14 80

Sidebar photo of Bruce Schneier by Joe MacInnis.