Devils and Dust

As I sit on the MBTA commuter rail train, hearing the n-th “watch out for terrorists” warning of the day, I’m reminded of the chorus from the title track to Bruce Springsteen’s new album (short ogg sample):

We’ve got God on my side,
We’re just trying to survive,
but if what you do to survive
kills the thing you love—

Fear’s a powerful thing,
it will turn your heart black you can trust.

(full lyrics)

The verse works so well, I think, because it doesn’t answer what happens “if what you do to survive kills the thing you love…” He just leaves it hanging.

I hope this song can reach some people who are otherwise completely captive to irrational fear. This album is going to be discussed later tonight on On Point (a locally produced National Public Radio show).

I also want to clarify a point I made yesterday about intelligently predicting attacks rather than blindly protecting against the identical attack that just happened. It’s not going to do much good, even if we figure out that the last attack was on a subway and the next one is planned for a shopping mall. So long as any security measure acts just to shift a planned attack to a new target, there’s no net benefit to society and a huge waste of resources. We need deterrent and preventive measures that reduce attacks overall, not ones that just protect particular targets.

A good example of this, described by Bruce Schneier, is The Club versus the LoJack system for protecting your car from theft. The Club makes the attacker move on to the next car that doesn’t have one; with LoJack, the attacker can’t tell whether the particular car he is looking at it is protected or not, and his risks increase considerably. Apparently LoJack has reduced car theft in Boston by 50 percent, while presumably The Club has had only a negligible effect if any. The Club might be effective if 100% of cars used it, but that is a lot less efficient than having LoJack selectively and secretly implanted in a sufficient number of cars to make a car thief think twice about his line of work.

I don’t know what the national security equivalent is of LoJack, but I’m sure there is something more effective than covering our subway and commuter rail systems with a heavy police presence. There are a finite number of police, and concentrating them in one place means they aren’t somewhere else. This seems like classic “shifting” rather than “deterring.”

London Bombing

A few thoughts about the attacks in London this morning:

  • After September 11, people in every part of the world observed a moment of silence. After the March 11 attacks in Spain, there was no such response in solidarity in the United States, even though per capita the impact on the country was similar. Although the sheer death toll in London may not be the same order of magnitude, it is the worst attack against people in that country in half a century.

    There should be some gesture that people around the world can join to indicate their opposition to any sort of indiscriminate attack on civilians, regardless of their politics otherwise. The overwhelming majority of people who oppose the wars in Iraq and Afghanistan also vehemently oppose violent retribution, and there should be a way to make that clear. Moreover, the United States is not the only country that deserves the sympathy of the world after tragedy—the whole world should stand together no matter who is the perpetrator and who is the victim.

  • Do people really believe that the goal of the terrorists is to destroy our freedom? Or that they hate our way of life? (E.g, Tony Blair’s remarks). I’d be interested to know the origin of this theme—at some point, the cold war anti-Soviet rhetoric was somehow adapted to the war on terror.

    I don’t think there’s any credible evidence that the terrorists want to impose a militant repressive fundamentalist Islamic regime on the United States or the Western World. They don’t care whether American women are forced to cover their faces in public. They don’t really care about “our most deeply held beliefs.” My understanding is that they are concerned almost exclusively with the United States and Western presence in the Islamic world. If anyone has evidence to the contrary (e.g., samples of terrorist propaganda), I’d be interested to see it.

    Whether there ought to be militant repressive fundamentalist regimes in the Islamic world is a separate question—but if that’s what this is about, let’s at least say it.

  • In the United States, security was immediately increased after the bombings, although apparently only for mass transit systems. Is there really any reason to think an attack is more likely on mass transit in the United States now, a few hours after the London bombings, rather than a week from now, or two months from now, or against a bridge or a mall rather than a subway or a bus? Are the authorities afraid of “copycat” attacks, or attacks planned in coordination with the original attacks? If the former, is it really plausible that the copycats would be able to get their acts together in just a few hours? If the latter, why would the attackers design their attack so that the authorities had notice and time to prepare for them? It seems to be that now is probably the safest time to take a subway in the United States or really anywhere else in the world.

    I’m sure there is a brief period of time—say a few minutes after an initial attack—when extremely heightened security measures might accomplish something. For example, the time between the two airplanes crashing into the World Trade Center, or the several bombs on the London underground. But after that, doesn’t the chance of another identical attack just go back to complete random chance?

    Similarly, there are concerns that tourism to England is going to take a huge hit from this event. But why should we expect the next attack to be in England? Given one dot, you can draw a line in any direction you want. First, Spain; then, England; next, — France? Norway? Back to Spain? Las Vegas?

    It seems to me that we need some kind of analysis—and intelligence—that isn’t founded on an expectation that the next attack will be identical to the last one. Otherwise, we’re just “doing something” because “something is better than nothing,” which isn’t necessarily true.

It’s a Wild World

Does anyone else find it bizarre that so many news outlets are reporting that Cat Stevens (aka Yusuf Islam) was denied entry to the United States because he appears on a terrorist watch list with a straight face? I know content providers pretend to separate editorial/opinion pieces from “straight news” stories, but this one is so implausible it’s almost a sign of bias to not go into a little more detail about the absurdity of it. At least this AP story printed in the Portland Maine Press Herald includes the statement that officials “said Islam was denied entry on national security grounds, but had no details about why the peace activist might be considered a risk to the United States.”

A couple of comments on this case, in the form of rhetorical questions. I realize I’m not the first person to ask these questions:

  • How is it that someone can be so dangerous that they shouldn’t be allowed on an airplane nor permitted to enter US borders, but harmless enough that they can’t be arrested or detained? If we’re so worried about them, why do we let them go once we have them in our clutches? If they’re a risk to airplane flights, why aren’t they also a risk to subways, baseball stadiums, and Britney Spears concerts?
  • With all these “false positives” (i.e., clearly harmless people appearing on security watch lists, including, for example Senator Ted Kennedy), isn’t our confidence in the whole system shot? If every third person to walk through a bomb detector sets off the alarm, aren’t the guards eventually going to just ignore the alarm? Have we reached the point where the secret terrorism watch lists and no-fly lists are so voluminous as to be useless?

Ken Lavender Is A Fraud

A few weeks ago, security guru Bruce Schneier wrote a blistering critique of the “Tree” security system· in the “doghouse” section of his newsletter, Crypto-Gram· (at the moment, the website for the product reports “the website you have requested has exceeded its daily bandwidth quota of 56MB and has been temporarily de-activated”). Ken Lavender, apparently an executive of the company, wrote the following retort, which I reproduce in full to insure with the hope that it will be widely disseminated:

 From: "Ken Lavender"  Subject: ICS Atlanta I am APPAULED at your "comments" that you had made on your website: ·> You have statements are nothing but slander & defamation. They shall be dealt with accordingly. Lie #1: "How do they demonstrate Tree's security? 'Over 100 professionals in mathematics & in computer science at Massachusetts Institute of Technology & at Georgia Tech, had sample encoded messages submitted to them. Not a single person could break this code!'" That is not the ONLY way we prove it. We have examples & offer to allow people to submit their OWN messages to have encoded to SEE how good the code is. So there are THREE methods, NOT just ONE as you IMPLY. Lie #2: "These guys sent unsolicited e-mails..." HOW do you KNOW that this was the case? Have any PROOF of such? NO! Lie #3: "And if all that isn't enough to make you run screaming from these guys, their website proudly proclaims: 'Tree Encoded Files Can Be "Zipped."'" Because they can be "zipped" does NOT mean that it is "bad encoding." The "code talkers" of ww2 used LANGUAGE to "code" the messages, and THOSE COULD BE "ZIPPED"!!! And that code was NEVER BROKEN!!! Lie #4: "That's right; their encryption is so lousy that the ciphertext doesn't even look random." AGAIN, HOW would you KNOW??? Did you break it? NO! And what is "random"??? random : without definite aim, direction, rule, or method "So lousy"? HOW WOULD YOU KNOW??? You would have to KNOW how we encode BEFORE you can make such a statement, & YOU DO NOT KNOW HOW!!! If it is SO LOUSY, how come NOBODY HAS BROKEN IT YET??? And we have people ALL THE TIME trying to, with ZERO SUCCESS. I do not like you slandering something that you do not understand. ATALL!!! The ONLY question you asked was "how long is the key" AND THAT WAS IT! HOW long was the key that the 'code talkers' used? ZERO!!! JUST AS OUR IS. The encoding routine was created, tested, & verified on PAPER & PENCIL WITHOUT COMPUTERS! A child could encode data using our routine. The computer is merely used to "speed-up" the process, NOT TO CREATE IT. Our routine is based on LANGUAGE, NOT MATH. So all of you "comments" are just false, misleading & just plain ole lies! SHOW & PROVE that it is NOT random. What is the PATTERN THEN??? I am DEMANDING A FULL RETRACTION OF YOUR COMMENTS & A FULL, COMPLETE APOLOGY TO THESE AND ALL STATEMENTS. I am a person who tries to work with people as a man w/o having to "drag" others into the mess. Others? THE COURTS. You have violated Calf law by your statements. [Text of California Civil Code Section 46 deleted.] Your LIES have damaged my respect in my job & has damaged any sales of this routine. You have ZERO proof of your "comments," ANY OF THEM!!! I beseech of you, do the RIGHT THING and comply. I DO NOT wish to escalate this matter any higher. And remember this, Tree is based on LANGUAGE, NOT MATH!!!!!!!!!!!!!!!!! [Phone number deleted out of mercy.] 

IE Homeland Insecurity

From the “for those of you who don’t regularly read slashdot department”: I’m usually pretty skeptical of the Department of Homeland Security; I think it’s a pretty bad solution to the threat presented (see, e.g., Bruce Schneier’s comments on the subject), but I have to agree with them this time. The agency has issued a recommendation that users stop using Microsoft’s Internet Explorer and pick an alternative web browser. Wired Magazine reports that upgrades of the free software browser Mozilla have spiked sharply following the announcement.

The only reference I could find to the issue on the DHS website (which is not, incidentally, served by Microsoft software) was the following bit from this report:

Handling Dependencies

A coordinator may be required to conduct significant research into software, hardware, and firmware dependencies in order to provide complete and correct advice.

Rationale: Vulnerabilities are often discovered in software components on which other software relies. For example, a shared library may be used by dozens or hundreds of products. For instance, vulnerabilities in Microsoft’s Internet Explorer often affect other products (including products by third-party vendors) in ways that aren’t obvious to end users. Examples of products that are sometimes affected by Internet Explorer vulnerabilities include Lotus Notes, Eudora, and Microsoft Outlook. Furthermore, these dependencies are not typically recorded.

Presumably something more on-topic will be posted soon. There is also this warning from CERT (the United States Computer Emergency Readiness Team).


By now, you’ve probably all heard about Mydoom, the latest trivial exploit of Microsoft vulnerabilities that is ravaging the Microsoft world and inflecting some collateral damage on the rest of us. SCO, an apparent target of the virus, is offering a $250000 reward for the arrest of the author. I also heard through the grapevine that Mydoom will not send any email to an account with a domain that contains “mozilla.”

I hope this doesn’t provoke a negative backlash against free software. I imagine SCO is going to accuse us of “not being able to police our own,” as part of their campaign to discredit the entire development model.

Daily Show on Nat Heatwole

There’s a great segment (quicktime movie) on the Daily Show with John Stewart· about Nat Heatwole’s “box cutter” experiment·, mentioned here last week. (via Boing Boing· via On Lisa Rein’s Radar·).

Stewart strategically clips statements from Department of Justice· and Transportation Security Administration· speakers to show how ridiculous this whole thing really is. Particularly of note—Heatwole sent a signed email about his plan to the FBI, yet it took several weeks to track him down. Is there any reasonable explanation for this?

Box Cutter Tests

Nathaniel Heatwole, a 20-year-old college student who told authorities he placed box cutters and other banned items aboard two airliners to test security was charged Monday with taking a dangerous weapon aboard an aircraft. He faces up to 10 years in prison on federal charges. (interesting trivia: apparently Heatwole has received an amateur radio scholarship).

What’s interesting is that the article notes:

The discoveries prompted the TSA and the Department of Homeland Security to order security inspections of all U.S. commercial airliners.

The discovery being Heatwole’s email to the TSA about his accomplishments.

There is a long history in the hacker world of testing security measures to see if they work, and if they don’t either notifying the people responsible or leaving some sort of indication that you’ve been there. This sort of activity has never been well received by the powers that be, and is now subject to increasingly harsh criminal sanctions.

It seems to me that the arguments for permitting this sort of “white hat” hacking (vs. cracking) are just as good when applied to real world physical security as to computer and Internet security. After all, Heatwole’s actions did provoke an investigation. If someone had just called the TSA and said, “hey, are you sure nobody can bring box cutters on board?” there would likely have been no response. Demonstrating a “proof of concept” as here may ultimately result in improved security for all of us.

Interestingly, federal prosecutors recently they made a mistake when they obtained the conviction of a computer administrator who exposed flaws in his employer’s computer system to customers. The prosecutors are actually seeking an appeal to reverse the conviction that they themselves got. Although you would hope they would have thought this through before prosecuting the guy, it’s something of a testament to their honesty that now they’re trying to get him out.