This article demonstrates what I like about Matt Blaze's physical security writing that I don't like about Schneier's.
Both are computer security experts by training, but Blaze's writing has a concrete engineering-driven perspective that Schneier's lacks. Schneier's writing always "feels" right, but leaves you with the sense that it's not based on any operational reality.
It's probably not a coincidence that Matt Blaze has done formal research on physical security topics (safecracking, wiretapping, etc) --- in addition to being a bona fide computer scientist.
First of all, I must say I don't believe in these kinds of unpredictable systems: doing this 'select randomly the process from a set of processes' rarely works better than using the best process in the set.
But I don't think this applies:
But terrorist organizations -- especially those employing
suicide bombers -- have very different goals and incentives
from those of smugglers, fare beaters and tax cheats.
Groups like Al Qaeda aim to cause widespread disruption and
terror by whatever means they can, even at great cost to
individual members. In particular, they are willing and
able to sacrifice -- martyr -- the very lives of their
soldiers in the service of that goal. The fate of any
individual terrorist is irrelevant as long as the loss
contributes to terror and disruption.
Training a terrorist has a cost, and he should succeed the "fate of any individual terrorist is not irrelevant". The terrorist group does not have an infinite number of terrorists (as he correctly concedes in the next paragraph).
So random screening works, not because that influences the behavior even of those who aren't checked, but because it makes executing the attack more expensive to overcome the possibility of being detained in the random test.
Of course random screening is not as good as full screening, but from a realistic point of view it is the only thing you can apply without shutting down the world economy.
Another thing to note - Matt Blaze typically approaches security scenarios with a different cost/benefit perspective than Schneier, for example Blaze writes:
"The TSA's much maligned "three ounce" liquid rule is, in fact, a nice example of good security engineering of this kind. "
Schneier, on the other hand, considers the inconvenience to travelers to be not worth the hassle. He always seems to fail to recognize the principles of defense-in-depth, and over-emphasizes the importance of stopping the terrorist before they launch an attack. I say this as someone who has read pretty much every essay and book he has ever written, sometimes multiple times.
". Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won't make us safer, either. It's not just that there are ways around the rules, it's that focusing on tactics is a losing proposition."
o Banning box-cutters (and other sharp devices) has made it much more difficult to bring on an _effective_ weapon on board a plane. Nobody is denying that you can still fashion a shiv, of some kind - but the amount of damage you can do with a roughly fashioned hand weapon, versus something designed to kill lots of people at close range, is enough to deter people from trying to do so. Note - one of the principal reasons for banning box cutters and their like is so that the _other_ passengers on the plane have a pretty straightforward mechanism for subduing a malevolent passenger.
o Banning Large amounts of liquids, in the face of Liquid Bombs being _actually designed_ just makes good sense. Likewise banning powdered substances (PETN) from being brought onto planes makes sense now that we know that there are active attempts to use this vector.
Focusing on tactics is actually a very effective proposition - It's actually pretty damn difficult to bring down a plane these days from inside - not impossible, I'm sure there are a lot of vectors still left, but they are getting pretty few and far between. Not to say you don't still try and stop attacks at their source, but, if one gets by - you hope that further lines of defense will stop them.
The problem is that with non-random screening the terrorists can be much more efficient. They can get a pool of candidates together and send them on flights without any explosives on them. They can then find out which of the guys get screened at a rate less than chance and send those on the actual attack. That's why random screening is the best system possible because any other system would have to be perfect, otherwise any flaw can be detected on dry runs and exploited for the attack.
This was thoroughly explored last time the TSA tried to be smart about screening and implemented its Computer-Assisted Passenger Screening System. MIT article exploring it:
It seems to me that the right approach should always have a significant random element, not as a deterrent, but as a check on how well the non-random component is working. The random part will examine in depth to find anything that should have been found in the non-random part but wasn't (say, body searches to find large metal objects making it through the x-ray screen at the airport). Without that you would be blind to defects in the system.
I think this article isn't talking about random vs. profiled (which is what the MIT paper is about), but random vs. 100% (where the 100% has been analyzed carefully to be sufficient to detect large bombs, etc.).
the best terrorist strategy (as long as they have enough volunteers)
Do they have enough volunteers? The Shoe Bomber and the Undie Bomber, compared with the team that pulled off 9/11, are a couple of amateurish mooks. If these are the best men that al-Qaeda can send against the United States, they must not have a very deep bench.
If you recall, at least one of the 9/11 hijackers almost missed his flight because he was late. Al-Qaeda is not sending its best men for these missions. Why would an organization send its best men if they are going to end up dead or in jail?
It doesn't make sense. You send the worst people possible that have a chance of pulling it off.
That's just it... the people who pulled off 9/11 were a bunch of amateurish mooks. A bunch of amateurish mooks with an 18 in the Luck department is still dangerous.
Just as in this case, there were any number of measures already in place that could have stopped 9/11, if they had only been followed. More rules are not the answer.
Paradoxically, the best terrorist strategy (as long as they have enough volunteers) under unpredictable screening may be to prepare a cadre of suicide bombers for the least rigorous screening to which they might be subjected, and not, as the strategy assumes, for the most rigorous. Sent on their way, each will either succeed at destroying a plane or be caught, but either outcome serves the terrorists' objective. ...
We might reflexively assume that any passenger screening system needs to be 100% effective at detecting all possible weapons and dangerous objects, an obviously difficult task. But, fortunately, that's not the requirement. Instead, the mechanisms need only be highly effective at detecting objects that can create actual terror under the conditions they will be subjected to in an actual flight. That is, in order to have meaningful security screening, we first must understand what it realistically takes to bring down an airplane. The security system can then be designed specifically to eliminate the preconditions for successful terrorism.
The TSA's much maligned "three ounce" liquid rule is, in fact, a nice example of good security engineering of this kind. ...
The idea that Matt Blaze thinks the three-ounce rule is sensible was surprising to me; I hit it, jumped back to the top, and re-read the whole article. What's the flaw in his reasoning? The three-ounce rule always seemed like one of the more ridiculous TSA measures.
The problem with this post is his answer to the question "What do we do when we detect a terrorist through random screening?" His answer is "shut down all commercial aviation until the most rigorous screening possible can henceforth be applied universally, effectively creating the same kind of havoc that occurs after a successful attack", and his whole post rests on this point, but I think it's totally flawed.
- Shutting down commercial flight is a better outcome (for the defender) than the destruction of 9/11
- There are alternative responses, such as heightened screening, tighter in-flight security, or checking passenger lists for people with known connections to the terrorist caught.
The article hinges on the proposition that a failed attack still serves the terrorist network's purposes. Seriously, can you imagine a terrorist being briefed like this?
"Well, if you succeed, you may shock the world and rally the Muslim nations to our cause, while drawing the Great Satan into an unwinnable war costing over a trillion dollars. If you fail... well, you're going to cause a lot of air travellers to be a little annoyed for five minutes."
There is this idea that terrorists are like devils, delighting in causing misfortune of any kind. I don't think that's the case. Al-Qaeda has concrete goals, like advancing Wahhabi ideology or ejecting the USA from the holy places. Failed missions don't support that, do they?
It's perfectly possible that an organization headed by the government whose primary focus is the security of airline passengers is completely incompetent and ineffective.
But is it not also possible that the TSA is purposefully putting on the guise of an incompetent governmental entity? That would seem like an excellent strategy to take, as it follows the principles in Sun Tzu's Art of War to the letter. If you are strong, appear weak, if you are weak, appear strong, etc.
If these terrorists think they can easily game the system, it will likely lead them to be less cautious, exactly as stated in the article:
Paradoxically, the best terrorist strategy (as long as they have enough volunteers) under unpredictable screening may be to prepare a cadre of suicide bombers for the least rigorous screening to which they might be subjected, and not, as the strategy assumes, for the most rigorous.
That seems like a good thing to me, and if this is the TSA's actual strategy, it's a smart one. Say one thing publicly, but do another privately.
But is it not also possible that the TSA is purposefully putting on the guise of an incompetent governmental entity?
It's extremely unlikely. For one thing, appearing incompetent in order to encourage the incautious, freelancers, amateurs and copycats is essentially using the public as bait - if you happen to miss one, people die. As a strategy it's morally and probably legally questionable.
Personally, my take on the "unpredictable security measures" is that what's really being said is "things are pretty chaotic here and we don't really have a well-thought-out plan in place, but we're going to try to cover that up by claiming that the inconsistency is actually intentional".
[+] [-] tptacek|16 years ago|reply
[+] [-] rogersm|16 years ago|reply
[+] [-] ghshephard|16 years ago|reply
"The TSA's much maligned "three ounce" liquid rule is, in fact, a nice example of good security engineering of this kind. "
Schneier, on the other hand, considers the inconvenience to travelers to be not worth the hassle. He always seems to fail to recognize the principles of defense-in-depth, and over-emphasizes the importance of stopping the terrorist before they launch an attack. I say this as someone who has ready pretty much every essay and book he has ever written, sometimes multiple times.
For example:
http://www.schneier.com/blog/archives/2006/08/terrorism_secu...
". Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won't make us safer, either. It's not just that there are ways around the rules, it's that focusing on tactics is a losing proposition."
o Banning box-cutters (and other sharp devices) has made it much more difficult to bring on an _effective_ weapon on board a plane. Nobody is denying that you can still fashion a shiv, of some kind - but the amount of damage you can do with a roughly fashioned hand weapon, versus something designed to kill lots of people at close range, is enough to deter people from trying to do so. Note - one of the principal reasons for banning box cutters and their like is so that the _other_ passengers on the plane have a pretty straightforward mechanism for subduing a malevolent passenger.
o Banning Large amounts of liquids, in the face of Liquid Bombs being _actually designed_ just makes good sense. Likewise banning powdered substances (PETN) from being brought onto planes makes sense now that we know that there are active attempts to use this vector.
Focusing on tactics is actually a very effective proposition - It's actually pretty damn difficult to bring down a plane these days from inside - not impossible, I'm sure there are a lot of vectors still left, but they are getting pretty few and far between. Not to say you don't still try and stop attacks at their source, but, if one gets by - you hope that further lines of defense will stop them.
[+] [-] pedrocr|16 years ago|reply
http://groups.csail.mit.edu/mac/classes/6.805/student-papers...
[+] [-] zmimon|16 years ago|reply
[+] [-] alterego|16 years ago|reply
[+] [-] sethg|16 years ago|reply
[+] [-] mattm|16 years ago|reply
[+] [-] CamperBob|16 years ago|reply
[+] [-] CWuestefeld|16 years ago|reply
[+] [-] tptacek|16 years ago|reply
[+] [-] bdr|16 years ago|reply
[+] [-] neilk|16 years ago|reply
"Well, if you succeed, you may shock the world and rally the Muslim nations to our cause, while drawing the Great Satan into an unwinnable war costing over a trillion dollars. If you fail... well, you're going to cause a lot of air travellers to be a little annoyed for five minutes."
There is this idea that terrorists are like devils, delighting in causing misfortune of any kind. I don't think that's the case. Al-Qaeda has concrete goals, like advancing Wahabbi ideology or ejecting the USA from the holy places. Failed missions don't support that, do they?
[+] [-] pyre|16 years ago|reply
[+] [-] johnl|16 years ago|reply
[+] [-] itistoday|16 years ago|reply
[+] [-] pvg|16 years ago|reply
[+] [-] kscaldef|16 years ago|reply
[+] [-] thesethings|16 years ago|reply
[+] [-] wendroid|16 years ago|reply
[+] [-] elblanco|16 years ago|reply
Kirk: Mr. Spock, how many ways are there to die on this planet?
Spock: 3 Captain
Kirk: Very good, let's bring 3 guys in red shirts down to the planet with us.
[+] [-] chaosmachine|16 years ago|reply
[+] [-] RedJones|16 years ago|reply
[deleted]