Bruce Schneier


Schneier on Security

A blog covering security and security technology.

Friday Squid Blogging: Dentyne Ice Squid Ad

Weird.

Posted on November 6, 2009 at 4:13 PM


Interview with Me

On CNet.com.

Posted on November 6, 2009 at 2:35 PM


The Doghouse: ADE 651

A divining rod to find explosives in Iraq:

ATSC’s promotional material claims that its device can find guns, ammunition, drugs, truffles, human bodies and even contraband ivory at distances up to a kilometer, underground, through walls, underwater or even from airplanes three miles high. The device works on “electrostatic magnetic ion attraction,” ATSC says.

To detect materials, the operator puts an array of plastic-coated cardboard cards with bar codes into a holder connected to the wand by a cable. “It would be laughable,” Colonel Bidlack said, “except someone down the street from you is counting on this to keep bombs off the streets.”

Proponents of the wand often argue that errors stem from the human operator, who they say must be rested, with a steady pulse and body temperature, before using the device.

Then the operator must walk in place a few moments to “charge” the device, since it has no battery or other power source, and walk with the wand at right angles to the body. If there are explosives or drugs to the operator’s left, the wand is supposed to swivel to the operator’s left and point at them.

If, as often happens, no explosives or weapons are found, the police may blame a false positive on other things found in the car, like perfume, air fresheners or gold fillings in the driver’s teeth.

Complete quackery, sold by Cumberland Industries:

Still, the Iraqi government has purchased more than 1,500 of the devices, known as the ADE 651, at costs from $16,500 to $60,000 each. Nearly every police checkpoint, and many Iraqi military checkpoints, have one of the devices, which are now normally used in place of physical inspections of vehicles.

James Randi says:

This Foundation will give you our million-dollar prize upon the successful testing of the ADE651® device. Such a test can be performed by anyone, anywhere, under your conditions, by you or by any appointed person or persons, in direct satisfaction of any or all of the provisions laid out above by you.

No one will respond to this, because the ADE651® is a useless, quack, device which cannot perform any other function than separating naïve persons from their money. It’s a fake, a scam, a swindle, and a blatant fraud. The manufacturers, distributors, vendors, advertisers, and retailers of the ADE651® device are criminals, liars, and thieves who will ignore this challenge because they know the device, the theory, the described principles of operation, and the technical descriptions given, are nonsense, lies, and fraudulent.

And he quotes from the Cumberland Industries literature (not online, unfortunately):

Ignores All Known Concealment Methods. By programming the detection cards to specifically target a particular substance, (through the proprietary process of electro-static matching of the ionic charge and structure of the substance), the ADE651® will “by-pass” all known attempts to conceal the target substance. It has been shown to penetrate Lead, other metals, concrete, and other matter (including hiding in the body) used in attempts to block the attraction.

No Consumables nor Maintenance Contracts Required. Unlike Trace Detectors that require the supply of sample traps, the ADE651® does not utilize any consumables (exceptions include: cotton-gloves and cleanser) thereby reducing the operational costs of the equipment. The equipment is Operator maintained and requires no ongoing maintenance service contracts. It comes with a hardware three year warranty. Since the equipment is powered electro statically, there are no batteries or conventional power supplies to change or maintain.

One interesting point is that the effectiveness of this device depends strongly on what the bad guys think about its effectiveness. If the bad guys think it works, they have to find someone who is 1) willing to kill himself, and 2) rational enough to keep his cool while being tested by one of these things. I'll bet that the ADE651 makes it harder to recruit suicide bombers.

But what happened to the days when you could buy a divining rod for $100?

Posted on November 6, 2009 at 6:55 AM


Mossad Hacked Syrian Official's Computer

It was unattended in a hotel room at the time:

Israel's Mossad espionage agency used Trojan Horse programs to gather intelligence about a nuclear facility in Syria the Israel Defense Forces destroyed in 2007, the German magazine Der Spiegel reported Monday.

According to the magazine, Mossad agents in London planted the malware on the computer of a Syrian official who was staying in the British capital; he was at a hotel in the upscale neighborhood of Kensington at the time.

The program copied the details of Syria's illicit nuclear program and sent them directly to the Mossad agents' computers, the report said.

Remember the evil maid attack: an attacker with even brief physical access to an unattended computer can tamper with it and bypass its disk encryption.

Posted on November 5, 2009 at 12:48 PM


The Problems with Unscientific Security

From the Open Access Journal of Forensic Psychology, by a whole list of authors: "A Call for Evidence-Based Security Tools":

Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions offered today, however, lack scientific underpinning.

We recommend two important changes to improve the (cost) effectiveness of security policy. To begin with, the emphasis of deception research should shift from technological to behavioural sciences. Secondly, the burden of proof should lie with the manufacturers of the security tools. Governments should not rely on security tools that have not passed scientific scrutiny, and should only employ those methods that have been proven effective. After all, the use of tools that do not work will only get us further from the truth.

One excerpt:

In absence of systematic research, users will base their evaluation on data generated by field use. Because people tend to follow heuristics rather than the rules of probability theory, perceived effectiveness can substantially differ from true effectiveness (Tversky & Kahneman, 1973). For example, one well-known problem associated with field studies is that of selective feedback. Investigative authorities are unlikely to receive feedback from liars who are erroneously considered truthful. They will occasionally receive feedback when correctly detecting deception, for example through confessions (Patrick & Iacono, 1991; Vrij, 2008). The perceived effectiveness that follows from this can be further reinforced through confirmation bias: Evidence confirming one's preconception is weighted more heavily than evidence contradicting it (Lord, Ross, & Lepper, 1979). As a result, even techniques that perform at chance level may be perceived as highly effective (Iacono, 1991). This unwarranted confidence can have profound effects on citizens' safety and civil liberty: Criminals may escape detection while innocents may be falsely accused. The Innocence Project (Unvalidated or improper science, no date) demonstrates that unvalidated or improper forensic science can indeed lead to wrongful convictions (see also Saks & Koehler, 2005).

Article on the paper.
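The selective-feedback mechanism in the excerpt above is easy to see in numbers. The following is an added example, not code from the paper or from this blog; the model and its parameters are my own assumptions: some fraction of subjects lie, the examiner later hears back only about some flagged liars (confessions) and very few flagged truthful subjects (exonerations), and liars who are waved through never report back. A detector that flags people at random then scores near 80 percent on the feedback the examiner actually sees.

```python
"""
Selective feedback: why a chance-level deception detector can look effective.

Added example (my own model, not from the paper or the blog post). Assumptions:
  - a fraction `liar_rate` of examined subjects are lying
  - the detector flags a lying subject with probability `hit_rate` and a
    truthful one with probability `false_alarm_rate` (equal => chance level)
  - the examiner only learns the truth later for some flagged liars (they
    confess, probability `confess_rate`) and for a few flagged truthful
    subjects (they are exonerated, probability `exoneration_rate`); a liar
    waved through never reports back, and an unflagged truthful subject
    generates no record to check
"""
import random
from dataclasses import dataclass


@dataclass
class Evaluation:
    true_accuracy: float        # correct calls / all subjects
    true_ppv: float             # liars among those flagged
    perceived_accuracy: float   # confirmations / (confirmations + contradictions)
    feedback_cases: int         # how many outcomes the examiner ever heard about


def expected_perceived_accuracy(liar_rate, hit_rate, false_alarm_rate,
                                confess_rate, exoneration_rate):
    """Closed form of what the field data converge to."""
    confirmed = liar_rate * hit_rate * confess_rate
    contradicted = (1 - liar_rate) * false_alarm_rate * exoneration_rate
    return confirmed / (confirmed + contradicted)


def simulate(n, liar_rate, hit_rate, false_alarm_rate,
             confess_rate, exoneration_rate, seed=1):
    """Monte Carlo version: one examiner's career of n interrogations."""
    rng = random.Random(seed)
    correct = flagged = flagged_liars = 0
    confirmations = contradictions = 0
    for _ in range(n):
        lying = rng.random() < liar_rate
        flagged_now = rng.random() < (hit_rate if lying else false_alarm_rate)
        if flagged_now == lying:
            correct += 1                    # hit or correct rejection
        if flagged_now:
            flagged += 1
            if lying:
                flagged_liars += 1
                if rng.random() < confess_rate:
                    confirmations += 1      # feedback: "it worked"
            elif rng.random() < exoneration_rate:
                contradictions += 1         # feedback: "it was wrong"
        # misses (lying, not flagged) produce no feedback at all
    feedback = confirmations + contradictions
    return Evaluation(
        true_accuracy=correct / n,
        true_ppv=flagged_liars / flagged if flagged else 0.0,
        perceived_accuracy=confirmations / feedback if feedback else 0.0,
        feedback_cases=feedback,
    )


if __name__ == "__main__":
    # Chance-level detector: flags half of everyone regardless of the truth.
    result = simulate(100_000, liar_rate=0.2, hit_rate=0.5, false_alarm_rate=0.5,
                      confess_rate=0.3, exoneration_rate=0.02)
    print(f"true accuracy      {result.true_accuracy:.2f}")
    print(f"true PPV           {result.true_ppv:.2f}")
    print(f"perceived accuracy {result.perceived_accuracy:.2f} "
          f"(from {result.feedback_cases} cases with any feedback)")
    print(f"closed form        "
          f"{expected_perceived_accuracy(0.2, 0.5, 0.5, 0.3, 0.02):.2f}")
```

The true accuracy stays at a coin flip and only one flagged person in five is actually lying, but the examiner's own records, built from the cases that generate feedback, show roughly four confirmations for every contradiction. Changing the true hit rate barely moves the perceived figure, which is the point the paper makes: field experience cannot substitute for a controlled evaluation.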

Posted on November 5, 2009 at 6:11 AM


Fear and Overreaction

It's hard work being prey. Watch the birds at a feeder. They're constantly on alert, and will fly away from food -- from easy nutrition -- at the slightest movement or sound. Given that I've never, ever seen a bird plucked from a feeder by a predator, it seems like a whole lot of wasted effort against not much of a threat.

Assessing and reacting to risk is one of the most important things a living creature has to deal with. The amygdala, an ancient part of the brain that first evolved in primitive fishes, has that job. It's what's responsible for the fight-or-flight reflex. Adrenaline in the bloodstream, increased heart rate, increased muscle tension, sweaty palms; that's the amygdala in action. And it works fast, faster than consciousness: show someone a snake and their amygdala will react before their conscious brain registers that they're looking at a snake.

Fear motivates all sorts of animal behaviors. Schooling, flocking, and herding are all security measures. Not only is it less likely that any member of the group will be eaten, but each member of the group has to spend less time watching out for predators. Animals as diverse as bumblebees and monkeys avoid food in areas where predators are common. Different prey species have developed various alarm calls, some surprisingly specific. And some prey species have even evolved to react to the alarms given off by other species.

Evolutionary biologist Randolph Nesse has studied animal defenses, particularly those that seem to be overreactions. These defenses are mostly all-or-nothing; a creature can't do them halfway. Birds flying off, sea cucumbers expelling their stomachs, and vomiting are all examples. Using signal detection theory, Nesse showed that all-or-nothing defenses are expected to have many false alarms. "The smoke detector principle shows that the overresponsiveness of many defenses is an illusion. The defenses appear overresponsive because they are 'inexpensive' compared to the harms they protect against and because errors of too little defense are often more costly than errors of too much defense."

So according to the theory, if flight costs 100 calories, both in flying and lost eating time, and there's a 1 in 100 chance of being eaten if you don't fly away, it's smarter for survival to use up 10,000 calories repeatedly flying at the slightest movement even though there's a 99 percent false alarm rate: being eaten costs far more than the 10,000 calories spent on the 99 false alarms. Whatever the numbers happen to be for a particular species, it has evolved to get the trade-off right.
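The smoke detector principle can be worked through as a signal-detection decision rule. What follows is an added example, not code from Nesse's paper or from this essay, and its model is my own assumption: each encounter gives the animal one noisy cue (unit-variance normal, mean 0 without a predator, mean `mu_pred` with one), a predator is present with prior probability p, fleeing costs `c_flee` and always works, and staying when a predator is present costs `harm`. The rule that minimizes expected cost is a threshold on the cue, and the interesting output is how many of the resulting flights are false alarms.

```python
"""
Smoke-detector principle as a signal-detection decision rule.

Added example (my own model, not from Nesse's paper or the essay). Assumptions:
  - each encounter gives the animal one noisy cue x: x ~ N(0, 1) when no
    predator is present, x ~ N(mu_pred, 1) when one is
  - a predator is present with prior probability p
  - fleeing costs `c_flee` (flight plus lost feeding) and always works;
    staying when a predator is present costs `harm`; both in the same
    fitness currency (call it calories)
"""
import math
from dataclasses import dataclass


def normal_tail(z):
    """P(Z > z) for a standard normal; erfc(inf) = 0, so an inf threshold works."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


@dataclass
class Policy:
    threshold: float               # flee when the cue x exceeds this
    false_alarm_rate: float        # P(flee | no predator)
    hit_rate: float                # P(flee | predator)
    share_of_flights_false: float  # of all flights, fraction with no predator
    expected_cost: float           # expected cost per encounter


def optimal_policy(p, mu_pred, c_flee, harm):
    # Flee iff P(predator | x) * harm > c_flee. With unit-variance normals the
    # likelihood ratio is LR(x) = exp(mu_pred*x - mu_pred**2/2), and the rule
    # reduces to LR(x) > c_flee*(1-p) / (p*(harm-c_flee)): a threshold on x.
    if harm <= c_flee:
        threshold = math.inf                  # never worth fleeing
    else:
        lr_star = c_flee * (1 - p) / (p * (harm - c_flee))
        threshold = (math.log(lr_star) + mu_pred ** 2 / 2) / mu_pred
    fa = normal_tail(threshold)
    hit = normal_tail(threshold - mu_pred)
    flights = (1 - p) * fa + p * hit
    share_false = (1 - p) * fa / flights if flights > 0 else 0.0
    cost = p * (hit * c_flee + (1 - hit) * harm) + (1 - p) * fa * c_flee
    return Policy(threshold, fa, hit, share_false, cost)


def cost_never_flee(p, harm):
    return p * harm


def cost_always_flee(c_flee):
    return c_flee


if __name__ == "__main__":
    p, mu_pred, c_flee = 0.01, 3.0, 100.0     # constructed numbers
    print(f"{'harm':>10} {'threshold':>10} {'FA rate':>8} {'hits':>6} "
          f"{'false share':>12} {'cost':>8} {'never':>8} {'always':>7}")
    for harm in (1_000.0, 10_000.0, 1_000_000.0):
        pol = optimal_policy(p, mu_pred, c_flee, harm)
        print(f"{harm:>10.0f} {pol.threshold:>10.2f} {pol.false_alarm_rate:>8.3f} "
              f"{pol.hit_rate:>6.3f} {pol.share_of_flights_false:>12.2f} "
              f"{pol.expected_cost:>8.1f} {cost_never_flee(p, harm):>8.0f} "
              f"{cost_always_flee(c_flee):>7.0f}")
```

With being eaten worth ten thousand flights, the optimal threshold sits just below the no-predator mean, the animal flees from about half of all harmless encounters, and roughly 98 percent of its flights are false alarms; yet its expected cost per encounter is lower than either never fleeing or always fleeing. Drop the harm to ten flights' worth and the threshold climbs, the false-alarm share falls below 60 percent, and the bird starts to look calm. The "overresponsiveness" is the rule working as designed.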

This makes sense, until the conditions that the species evolved under change quicker than evolution can react to. Even though there are far fewer predators in the city, birds at my feeder react as if they were in the primal forest. Even birds safe in a zoo's aviary don't realize that the situation has changed.

Humans are both no different and very different. We, too, feel fear and react with our amygdala, but we also have a conscious brain that can override those reactions. And we too live in a world very different from the one we evolved in. Our reflexive defenses might be optimized for the risks endemic to living in small family groups in the East African highlands in 100,000 BC, not 2009 New York City. But we can go beyond fear, and actually think sensibly about security.

Far too often, we don't. We tend to be poor judges of risk. We overreact to rare risks, we ignore long-term risks, we magnify risks that are also morally offensive. We get risks wrong -- threats, probabilities, and costs -- all the time. When we're afraid, really afraid, we'll do almost anything to make that fear go away. Both politicians and marketers have learned to push that fear button to get us to do what they want.

One night last month, I was awoken from my hotel-room sleep by a loud, piercing alarm. There was no way I could ignore it, but I weighed the risks and did what any reasonable person would do under the circumstances: I stayed in bed and waited for the alarm to be turned off. No point getting dressed, walking down ten flights of stairs, and going outside into the cold for what invariably would be a false alarm -- serious hotel fires are very rare. Unlike the bird in an aviary, I knew better.

You can disagree with my risk calculus, and I'm sure many hotel guests walked downstairs and outside to the designated assembly point. But it's important to recognize that the ability to have this sort of discussion is uniquely human. And we need to have the discussion repeatedly, whether the topic is the installation of a home burglar alarm, the latest TSA security measures, or the potential military invasion of another country. These things aren't part of our evolutionary history; we have no natural sense of how to respond to them. Our fears are often calibrated wrong, and reason is the only way we can override them.

This essay first appeared on DarkReading.com.

Posted on November 4, 2009 at 7:12 AM


Zero-Tolerance Policies

Recent stories have documented the ridiculous effects of zero-tolerance weapons policies in a Delaware school district: a first-grader expelled for taking a camping utensil to school, a 13-year-old expelled after another student dropped a pocketknife in his lap, and a seventh-grader expelled for cutting paper with a utility knife for a class project. Where's the common sense? the editorials cry.

These so-called zero-tolerance policies are actually zero-discretion policies. They're policies that must be followed, no situational discretion allowed. We encounter them whenever we go through airport security: no liquids, gels or aerosols. Some workplaces have them for sexual harassment incidents; in some sports a banned substance found in a urine sample means suspension, even if it's for a real medical condition. Judges have zero discretion when faced with mandatory sentencing laws: three strikes for drug offences and you go to jail, mandatory sentencing for statutory rape (underage sex), etc. A national restaurant chain won't serve hamburgers rare, even if you offer to sign a waiver. Whenever you hear "that's the rule, and I can't do anything about it" -- and they're not lying to get rid of you -- you're butting up against a zero-discretion policy.

These policies enrage us because they are blind to circumstance. Editorial after editorial denounced the suspensions of elementary school children for offenses that anyone with any common sense would agree were accidental and harmless. The Internet is filled with essays demonstrating how the TSA's rules are nonsensical and sometimes don't even improve security. I've written some of them. What we want is for those involved in the situations to have discretion.

However, problems with discretion were the reason behind these mandatory policies in the first place. Discretion is often applied inconsistently. One school principal might deal with knives in the classroom one way, and another principal another way. Your drug sentence could depend considerably on how sympathetic your judge is, or on whether she's having a bad day.

Even worse, discretion can lead to discrimination. Schools had weapons bans before zero-tolerance policies, but teachers and administrators enforced the rules disproportionately against African-American students. Criminal sentences varied by race, too. The benefit of zero-discretion rules and laws is that they ensure that everyone is treated equally.

Zero-discretion rules also protect against lawsuits. If the rules are applied consistently, no parent, air traveler or defendant can claim he was unfairly discriminated against.

So that's the choice. Either we want the rules enforced fairly across the board, which means limiting the discretion of the enforcers at the scene at the time, or we want a more nuanced response to whatever the situation is, which means we give those involved in the situation more discretion.

Of course, there's more to it than that. The problem with the zero-tolerance weapons rules isn't that they're rigid, it's that they're poorly written.

What constitutes a weapon? Is it any knife, no matter how small? Should the penalties be the same for a first grader and a high school student? Does intent matter? When an aspirin carried for menstrual cramps becomes "drug possession," you know there's a badly written rule in effect.

It's the same with airport security and criminal sentencing. Broad and simple rules may be simpler to follow -- and require less thinking on the part of those enforcing them -- but they're almost always far less nuanced than our complex society requires. Unfortunately, the more complex the rules are, the more they're open to interpretation and the more discretion the interpreters have.

The solution is to combine the two, rules and discretion, with procedures to make sure they're not abused. Provide rules, but don't make them so rigid that there's no room for interpretation. Give the people in the situation -- the teachers, the airport security agents, the policemen, the judges -- discretion to apply the rules to the situation. But -- and this is the important part -- allow people to appeal the results if they feel they were treated unfairly. And regularly audit the results to ensure there is no discrimination or favoritism. It's the combination of the four that works: rules plus discretion plus appeal plus audit.

All systems need some form of redress, whether it be open and public like a courtroom or closed and secret like the TSA. Giving discretion to those at the scene just makes for a more efficient appeals process, since the first level of appeal can be handled on the spot.

Zachary, the Delaware first grader suspended for bringing a combination fork, spoon and knife camping utensil to eat his lunch with, had his punishment unanimously overturned by the school board. This was the right decision; but what about all the other students whose parents weren't forceful or media-savvy enough to turn their child's plight into a national story? Common sense in applying rules is important, but so is equal access to that common sense.

This essay originally appeared on the Minnesota Public Radio website.

Posted on November 3, 2009 at 11:17 AM


Detecting Terrorists by Smelling Fear

Really:

The technology relies on recognising a pheromone - or scent signal - produced in sweat when a person is scared.

Researchers hope the "fear detector" will make it possible to identify individuals at check points who are up to no good.

Terrorists with murder in mind, drug smugglers, or criminals on the run are likely to be very fearful of being discovered.

Seems like yet another technology that will be swamped with false positives.

And is there any justification to the hypothesis that terrorists will be more afraid than anyone else? And do we know why people tend to feel fear? Is it because they're up to no good, or because of more benign reasons -- like they're scared of something? This link from emotion to intent is very tenuous.
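The "swamped with false positives" objection is a base-rate argument, and the numbers are worth running once. The block below is an added example, not code from the article or from this blog; the figures in it are constructed: one bad actor per million travellers, 90 percent of bad actors showing measurable fear, and 5 percent of innocents showing it too (nervous flyers, people late for a flight). The functions compute the positive predictive value of a flag, the daily alarm counts for a given throughput, and the specificity the detector would need for even half of its alarms to be real.

```python
"""
Base rates at a checkpoint: what "swamped with false positives" means in numbers.

Added example (my own arithmetic, not from the article or the blog post).
Assumptions: the detector's only input is "this person looks fearful";
`sensitivity` is P(flagged | bad actor), `specificity` is P(not flagged |
innocent), and every number in __main__ is a made-up illustration.
"""
from dataclasses import dataclass


@dataclass
class DailyTally:
    true_alarms: float
    false_alarms: float
    ppv: float   # P(bad actor | flagged)


def positive_predictive_value(base_rate, sensitivity, specificity):
    """Bayes: the share of flagged people who are actually bad actors."""
    tp = base_rate * sensitivity
    fp = (1 - base_rate) * (1 - specificity)
    return tp / (tp + fp) if tp + fp > 0 else 0.0


def daily_tally(throughput, base_rate, sensitivity, specificity):
    """Expected true and false alarms for `throughput` people screened per day."""
    tp = throughput * base_rate * sensitivity
    fp = throughput * (1 - base_rate) * (1 - specificity)
    return DailyTally(tp, fp,
                      positive_predictive_value(base_rate, sensitivity, specificity))


def specificity_needed(target_ppv, base_rate, sensitivity):
    """Invert the PPV formula: the innocent-flag rate that still reaches target_ppv."""
    fp_allowed = base_rate * sensitivity * (1 - target_ppv) / target_ppv
    return 1 - fp_allowed / (1 - base_rate)


if __name__ == "__main__":
    # Constructed figures: one bad actor per million travellers; 90% of bad
    # actors show fear; 5% of innocents are also fearful; 100,000 screened a day.
    base_rate, sens, spec, throughput = 1e-6, 0.90, 0.95, 100_000
    t = daily_tally(throughput, base_rate, sens, spec)
    print(f"per day: {t.true_alarms:.2f} true alarms, {t.false_alarms:.0f} false alarms, "
          f"PPV {t.ppv:.6f}")
    print(f"specificity needed for a 50% PPV: "
          f"{specificity_needed(0.5, base_rate, sens):.7f}")
```

Under those assumptions the checkpoint generates about five thousand false alarms a day against well under one true alarm, so fewer than two flags in a hundred thousand point at a real bad actor; to make even half the flags real, the detector would have to misread fewer than one innocent in a million, which no cue as common as fear can deliver. The sensitivity number hardly matters; the base rate and the innocent-fear rate decide the outcome.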

Posted on November 3, 2009 at 6:12 AM


The FBI and Wiretaps

To aid their Wall Street investigations, the FBI used DCSNet, their massive surveillance system.

Prosecutors are using the FBI's massive surveillance system, DCSNet, which stands for Digital Collection System Network. According to Wired magazine, this system connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It can be used to instantly wiretap almost any communications device in the U.S. -- wireless or tethered. In other words, you and I have no privacy. The government can listen in on any call made in the continental U.S. (This is all well and good if you trust every government employee. But what if an attorney general running for higher office will do anything to finger a high-profile target? Or what if a prosecutor has a personal grudge he'd like to fulfill? It seems to me it would be easy for this power to fall into the wrong hands.)

Posted on November 2, 2009 at 8:57 AM


Friday Squid Blogging: Humboldt Squid in Canada

They're washing ashore on Vancouver Island.

Scientists have begun attaching tracking devices to squid off the coast of Vancouver Island to find out why the marine animals have wandered so far from their traditional territory.

They also hope to find out why the squid have been beaching themselves and dying by the hundreds this summer near the town of Tofino on the island's west coast.

Two great batches of Humboldt squid washed ashore, one in August then another in September. The Humboldt is a species of squid that, up to now, has been associated with waters warmer than those found off Vancouver Island.

Posted on October 30, 2009 at 4:15 PM


Article on Me

Article on me from a Luxembourg magazine.

Posted on October 30, 2009 at 2:30 PM


Attacking U.S. Critical Infrastructure

Squirrel terrorists.

We have a cognitive bias to exaggerate risks caused by other humans, and to downplay risks caused by animals (and, even more, by natural phenomena).

Posted on October 30, 2009 at 12:36 PM


Powered by Movable Type. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
