Page 61 of 80
EDITED TO ADD (1/8): This post has generated much more controversy than I expected. Yes, it’s in very poor taste. No, I don’t agree with the sentiment in the words. And no, I don’t know anything about the provenance of the lyrics or the sentiment of the person who wrote or sang them.
I probably should have said that, instead of just posting the link.
I apologize to anyone I offended by including this link. And I am going to close comments on this thread.
The U.S. Coast Guard is talking about licensing boaters. It’s being talked about as an antiterrorism measure, in typical incoherent ways:
The United States already has endured terrorism using small civilian craft, albeit overseas: In 2000, suicide bombers in the port of Aden, Yemen, used an inflatable boat to blow themselves up next to the U.S. Navy destroyer USS Cole, killing 17 sailors and wounding 39 others.
Terrorism experts point to other ways small boats potentially could assist in attacks for example, a speedboat could deposit saboteurs at the outlet pipes of a nuclear power plant, or hijackers aboard a cruise ship. In a nightmare scenario, suicide bombers in a crowded harbor could use small watercraft to detonate a tanker carrying ultra-volatile liquefied natural gas, causing a powerful explosion that could kill thousands.
And how exactly is licensing watercraft supposed to help?
There are lots of good reasons to license boats and boaters, just as there are to license cars and drivers. But counterterrorism is not one of them.
The Privacy Office of the Department of Homeland Security has issued a report on MATRIX: The Multistate Anti-Terrorism Information Exchange. MATRIX is a now-defunct data mining and data sharing program among federal, state, and local law enforcement agencies, one of the many data-mining programs going on in government (TIA—Total Information Awareness—being the most famous, and Tangram being the newest).
The report is short, and very critical of the program’s inattention to privacy and lack of transparency. That’s probably why it was released to the public just before Christmas, burying it in the media.
Last month I posted about Ted Kaczynski’s pencil-and-paper cryptography. It seems that he invented his own cipher, which the police couldn’t crack until they found a description of the code amongst his personal papers.
The link I found was from KPIX, a CBS affiliate in the San Francisco area. Some time after writing it, I was contacted by the station and asked to comment on some other pieces of the Unabomber’s cryptography for a future story (video online).
There were five new pages of Unabomber evidence that I talked about (1, 2, 3, 4, and 5). All five pages were presented to me as being pages written by the Unabomber, but it seems pretty obvious to me that pages 4 and 5, rather than being Kaczynski’s own key, are notes written by a cryptanalyst trying to break the Unabomber’s code.
In any case, it’s all fascinating.
This is interesting: A Wal-Mart store in Mitchell, South Dakota receives a bomb threat. The store managers decide not to evacuate while the police search for the bomb. Presumably, they decided that the loss of revenue due to an evacuation was not worth the additional security of an evacuation:
During the nearly two-hour search Wal-Mart officials opted not to evacuated the busy discount store even though police recomended [sic] they do so. Wal-Mart officials said the call was a hoax and not a threat.
I think this is a good sign. It shows that people are thinking rationally about security trade-offs, and not thoughtlessly being terrorized.
Remember, though: security trade-offs are based on agenda. From the perspective of the Wal-Mart managers, the store’s revenues are the most important; most of the risks of the bomb threat are externalities.
Of course, the store employees have a different agenda—there is no upside to staying open, and only a downside due to the additional risk—and they didn’t like the decision:
The incident has family members of Wal-Mart employees criticizing store officials for failing to take police’s recommendation to evacuate.
Voorhees has worked at the Mitchell discount chain since Wal-Mart Supercenter opened in 2001. Her daughter, Charlotte Goode, 36, said Voorhees called her Sunday, crying and upset as she relayed the story.
“It’s right before Christmas. They were swamped with people,” she said. “To me, they endangerd [sic] the community, customers and associates. They put making a buck ahead of public safety.”
If you’ve traveled abroad recently, you’ve been investigated. You’ve been assigned a score indicating what kind of terrorist threat you pose. That score is used by the government to determine the treatment you receive when you return to the U.S. and for other purposes as well.
Curious about your score? You can’t see it. Interested in what information was used? You can’t know that. Want to clear your name if you’ve been wrongly categorized? You can’t challenge it. Want to know what kind of rules the computer is using to judge you? That’s secret, too. So is when and how the score will be used.
U.S. customs agencies have been quietly operating this system for several years. Called Automated Targeting System, it assigns a “risk assessment” score to people entering or leaving the country, or engaging in import or export activity. This score, and the information used to derive it, can be shared with federal, state, local and even foreign governments. It can be used if you apply for a government job, grant, license, contract or other benefit. It can be shared with nongovernmental organizations and individuals in the course of an investigation. In some circumstances private contractors can get it, even those outside the country. And it will be saved for 40 years.
Little is known about this program. Its bare outlines were disclosed in the Federal Register in October. We do know that the score is partially based on details of your flight record—where you’re from, how you bought your ticket, where you’re sitting, any special meal requests—or on motor vehicle records, as well as on information from crime, watch-list and other databases.
Civil liberties groups have called the program Kafkaesque. But I have an even bigger problem with it. It’s a waste of money.
The idea of feeding a limited set of characteristics into a computer, which then somehow divines a person’s terrorist leanings, is farcical. Uncovering terrorist plots requires intelligence and investigation, not large-scale processing of everyone.
Additionally, any system like this will generate so many false alarms as to be completely unusable. In 2005 Customs & Border Protection processed 431 million people. Assuming an unrealistic model that identifies terrorists (and innocents) with 99.9% accuracy, that’s still 431,000 false alarms annually.
The number of false alarms will be much higher than that. The no-fly list is filled with inaccuracies; we’ve all read about innocent people named David Nelson who can’t fly without hours-long harassment. Airline data, too, are riddled with errors.
The odds of this program’s being implemented securely, with adequate privacy protections, are not good. Last year I participated in a government working group to assess the security and privacy of a similar program developed by the Transportation Security Administration, called Secure Flight. After five years and $100 million spent, the program still can’t achieve the simple task of matching airline passengers against terrorist watch lists.
In 2002 we learned about yet another program, called Total Information Awareness, for which the government would collect information on every American and assign him or her a terrorist risk score. Congress found the idea so abhorrent that it halted funding for the program. Two years ago, and again this year, Secure Flight was also banned by Congress until it could pass a series of tests for accuracy and privacy protection.
In fact, the Automated Targeting System is arguably illegal, as well (a point several congressmen made recently); all recent Department of Homeland Security appropriations bills specifically prohibit the department from using profiling systems against persons not on a watch list.
There is something un-American about a government program that uses secret criteria to collect dossiers on innocent people and shares that information with various agencies, all without any oversight. It’s the sort of thing you’d expect from the former Soviet Union or East Germany or China. And it doesn’t make us any safer from terrorism.
This essay, without the links, was published in Forbes. They also published a rebuttal by William Baldwin, although it doesn’t seen to rebut any of the actual points.
Here’s an odd division of labor: a corporate data consultant argues for more openness, while a journalist favors more secrecy.
It’s only odd if you don’t understand security.
Definitely worth reading:
Though data mining has many valuable uses, it is not well suited to the terrorist discovery problem. It would be unfortunate if data mining for terrorism discovery had currency within national security, law enforcement, and technology circles because pursuing this use of data mining would waste taxpayer dollars, needlessly infringe on privacy and civil liberties, and misdirect the valuable time and energy of the men and women in the national security community.
I’ve already written about the DHS’s database of top terrorist targets and how dumb it is. Important sites are not on the list, and unimportant ones are. The reason is pork, of course; states get security money based on this list, so every state wants to make sure they have enough sites on it. And over the past five years, states with Republican congressmen got more money than states without.
Here’s another article on this general topic, centering around an obscure quantity: the square root of terrorist intent:
The Department of Homeland Security is the home of many mysteries. There is, of course, the color-coded system for gauging the threat of an attack. And there is the department database of national assets to protect against a terrorist threat, which includes Old MacDonald’s Petting Zoo in Woodville, Ala., and the Apple and Pork Festival in Clinton, Ill.
And now Jim O’Brien, the director of the Office of Emergency Management and Homeland Security in Clark County, Nev., has discovered another hard-to-fathom DHS notion: a mathematical value purporting to represent the square root of terrorist intent. The figure appears deep in the mind-numbingly complex risk-assessment formulas that the department used in 2006 to decide the likelihood that a place is or will become a terrorist target—an all-important estimate outside the Beltway, because greater slices of the federal anti-terrorism pie go to the locations with the highest scores. Overall, the department awarded $711 million in high-risk urban counterterrorism grants last year.
[…]
As O’Brien reviewed the risk-assessment formulas—a series of calculations that runs into the billions—he found himself unable to account for several factors, the terrorist-intent notion principal among them. “I have a Ph.D. I think I understand formulas,” he says. “Take the square root of terrorist intent? Now, give me a break.” The whole notion, O’Brien says, is a contradiction in terms: “How can you quantify what somebody is thinking?”
Other designations for variables in the formula are almost befuddling, O’Brien says, such as the “attractiveness factor,” which seeks to establish how terrorists might prefer one sort of target over another, and the “chatter factor,” which tries to gauge the intent of potential terror plotters based on communication intercepts.
“One man’s garbage is another man’s treasure,” he says. “So I don’t know how you measure attractiveness.” The chatter factor, meanwhile, leaves O’Brien entirely in the dark: “I’m not sure what that means.”
What I said last time still applies:
We’re never going to get security right if we continue to make it a parody of itself.
Sidebar photo of Bruce Schneier by Joe MacInnis.