Schneier On the War On the Unexpected

jamie found this essay by Bruce Schneier, The War on the Unexpected. (It originally appeared in Wired but this version has all the links.) "We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested — even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats... After someone reports a 'terrorist threat,' the whole system is biased towards escalation and CYA instead of a more realistic threat assessment... If you ask amateurs to act as front-line security personnel, you shouldn't be surprised when you get amateur security."

High School Politics

[Gothmolly]

Our whole lives are spent dealing with people and their reactions to what is 'acceptable' and taking the risk that what you try and accomplish is 'unexpected'. Wear long hair in the executive world? Get fired. Dye your hair green in high school? Get teased. Run down a street naked? Get arrested.

Humans are exceptional at detecting differences, its part of our nature, intellectually - we integrate similar concepts and differentiate between different ones. Our brains pick out differences. Thats why profiling at airports actually works.

Its nice to see someone publish something about this, but its hardly insightful.

Narrow minded.

[EveryNickIsTaken]

After someone reports a 'terrorist threat,' the whole system is biased towards escalation and CYA instead of a more realistic threat assessment...

You know why they do this? Because several times already, government agencies have learned about possible terrorist acts being planned and didn't act because they didn't consider the source 'credible'. This has nothing to do with your BS tangents about targeting the unexpected, the different, etc. This has to do with agencies trying to save peoples lives.

The terrorists have won...

[Anonymous Coward]

...if their goal was to create fear in the U. S. population.

The fear is real. I hate to admit it, but it affect me.

Everyone knows that there will be further terrorist attacks on the U. S. On the one hand, we're not serious about beefing up homeland security, which is a disappointment to me--I was expecting at least a competent, good-faith effort. But we're doing all the "security theatre" stuff and none of the expensive, difficult, serious stuff. On the other hand, the Iraq war has inflamed passions in the Muslim world and created enemies where we didn't have them before. So the threat is getting worse and our defenses are not getting much better and all the "security theatre" just keeps reminding us of the issue.

On my last plane trip, the gate was near security, and my wife and I were watching as some woman got some kind of very, very extended attention from the TSA people. She was dressed in some kind of dark robe that covered her body, her head, and most of her face; it looked to me like a burkha, but I don't really know anything about such things. She also had a somewhat disfigured face, with a golf-ball-sized lump of some kind on one side of her forehead.

From our vantage point it was all pantomime. I don't know why they were searching her. But they would ask her questions, then wave those handheld metal-detector frisking things, have her sit down for a while, go away and come back with other officials who would ask her more questions and so forth. After about a half an hour she was still sitting there in the security area waiting. They announced that our flight was boarding and we got on and don't know anything more.

What I hated myself for was that I personally was creeped out by this person and her appearance. And what I particularly hated myself for was that the things creeped me out were a) her style of dress, and b) her disfigured face.

Part of me was indignant at what looked from a distance to be discriminatory treatment. And part of it was great relief that she was not on my flight.

Re:blame the media for CYA

[east coast]

You know there is a stinging truth to this:

Not too long after the London bus bombings a local TV crew took it on themselves to see if they could infiltrate a local bus depot. So they get in and film themselves walking around buses and sitting in a couple of them. The go and disclose this on TV but never get brought up on charges themselves since it's such an embarrassment to the local transit authority.

So what's it going to be, folks? Police, guards and cameras on every corner to satisfy the media? How much longer can the media get away with watching everyone but having no recourse to actually being honest and fair in their offerings?

The media is, for the most part, a bunch of shitballs. It's unbelievable how much they're able to get away with and how little they're accountable for.

Sorry, Bruce, you're just wrong....

[isa-kuruption]

I'm not normally one to disagree with Bruce, but...

All security analysis, whether physical or electronic, starts with looking at patterns. An IDS is a perfect example, it looks for patterns and reports on them. Guess what, Bruce? IDS have false positives, a lot of them. It takes a trained security professional to analyze what the IDS thinks is an alert and determine whether it's a real threat.

Eventually someone came up with IDS systems that analyze your normal IDS traffic, and start to alert on things that aren't normal. For example, if you have a link you only see SSH connections on, and all of a sudden there are FTPs, it will alert. Again, a trained security professional looks at the alert and decides if it's a real threat.

The IDS system is analogous to the people on the street reporting strange events, except the people on the street have more intelligence than a typical IDS system (for example, I've never seen this guy (FTP) in my neighborhood, but someone just moved in across the street, ah yes he just unlocked the door there, must be the new owner). People know what is unusual, what doesn't fit into their neighborhood, more so than IDS systems.

And the police officer is analogous to the security professional. A person (IDS) reports an event to me. I take in as much information as I can, and determine whether it's a real threat. If I don't have enough information, I get it. If I can't, I continue to monitor the activity. If it looks threatening, I escalate it.

However, Bruce, when you say that police shouldn't rely on the individuals on the street to help with security, you're like saying I should take down my IDS systems. It's a ridiculous statement. You say it's amateurish? Well, without individuals on the street calling in things they think is unusual, then police don't know someone is unusual. Just like an IDS system, if it doesn't tell me something is anomalous, I don't know whether to go in and check it.

The simple fact is that because people didn't report the unusual behavior of many of the 9/11 attackers, e.g. taking flight lessons that only focused on flying, getting pulled over without licenses, getting pulled over with illegal immigration statuses.... BECAUSE no one reported that activity, they went and hijacked 4 aircraft and killed 3000 people.

Specifically, Bruce... when you say we've opened up the war on the unusual, this is EXACTLY what more modern IDS/IPS systems do, they don't look at signatures, they look at UNUSUAL TRAFFIC. When it finds UNUSUAL TRAFFIC it REPORTS IT to you, then you INVESTIGATE IT, you QUESTION THE PEOPLE INVOLVED, and if they did something against policy you REMOVE THEM FROM THEIR JOBS. YES BRUCE, THIS IS WHAT YOU DO.

Also, on another rant. What's YOUR solution, Bruce? You tell us how NOT to do it, but you have no solutions yourself. Oh wait, you do... you tell us we should do EXACTLY what you rant against:

We don't want people to never report anything. A store clerk's tip led to the unraveling of a plot to attack Fort Dix last May, and in March an alert Southern California woman foiled a kidnapping by calling the police about a suspicious man carting around a person-sized crate. But these incidents only reinforce the need to realistically asses, not automatically escalate, citizen tips. In criminal matters, law enforcement is experienced in separating legitimate tips from unsubstantiated fears, and allocating resources accordingly; we should expect no less from them when it comes to terrorism.

Yes, I can agree that some people blow shit out of proportion, this happens everyday and is part of the human nature (especially for those that love drama). But that doesn't mean we should stop this activity, law enforcement just needs to become better at detecting the actual threats and escalating incidents at the same time fine-tuning their "IDS" systems to what is real threats. This isn't something that will happen overnight, but doesn't mean we should stop it completely!

I tip my hat to your sarcasm...

[Veetox]

People, en masse, are indeed stupid. (Should I reference Nietzsche?) How ironic that this should come up today; I came into work this morning, and took the back stairway as I usually do, but I passed some wierd looking device that was sitting in the corner of the hallway. The device had been there the evening before, when I left, and it had been "running" throughout the night. It had several hoses coming off of it and I had no idea what it was used for - and I know about ALL KINDS of strange devices in my business (biomedical/biochemical research). So the question arose in my mind: "Should I ask someone who works nearby if they know what this is? ...It could be a ...bomb... and I know some groups that would seriously consider our area for a bomb..." But here's where I drew the line: I examined it for a moment, and decided, "This device is way too complex for a terrorist bomb or a prank." So I just went on my way. Here's why: If a terrorist is going to plant a bomb somewhere, isn't it obvious wisdom to NOT draw attention to it? What kind of dumb-ass does it take to have the knowledge to build a significant bomb, place it without getting caught in the process, but make it horrifyingly obvious that it is a bomb?

Hiding in plain sight

[FozE_Bear]

You didn't call anyones attention to it, did you? You just confirmed to me that a way to plant a bomb where you work is to just make it look compex enough.

Re:Dejavu

[dctoastman]

1984 is nice, but I prefer "The Monsters Are Due on Maple Street"

"The tools of conquest do not necessarily come with bombs and explosions and fallout. There are weapons that are simply thoughts, attitudes, prejudices, to be found only in the minds of men. For the record: prejudices can kill, and suspicion can destroy, and the thoughtless, frightened search for a scapegoat has a fallout all of its own, for the children and the children yet unborn. And the pity of it is that such things cannot be confined... to The Twilight Zone."

Re:Dejavu

[moranar]

It's weird to me that no-one seems to have realised yet that you could mass-murder much more people, and in a much easier fashion, just coordinating directly in an airport, in the checkin queues. No one has checked your bag at all yet, and you can blow yourself to smithereens just for the price of not looking too suspicious. At least in cheap European flights like Easyjet or Ryanair, the queues sometimes amount to two or three planes full of passengers. Do it simultaneously, in a few airports, and we wouldn't be able to fly anymore due to fear.

Basically, the problem of getting the bomb to the useful place has just changed the place: it used to be the plane. Now it can be the airport check in queues. Next would be the airport entrances. There will always be a mass of people checking in somewhere, at least until the damn flying cars are finally here.

Re:Dejavu

[LionKimbro]

Asking people to look out for suspicious behaviour sounds omnimous but you should anyways. Like if you saw someone drop a suitcase by a bridge or bus depot and walk away, wouldn't you think to at least get the persons attention to get the bag they forgot, and if they didn't respond, maybe there was a reason?

No. Frankly, you should not. Not unless, you're calling out to the person who left the bag by accident, out of genuine concern that they get their bag back.

Here's the thing: Let me make some new common sense: Attitude and mindset matter. Attitude and mindset determine how people think, how they relate with others, and so on.

If everybody is looking out for suspicious behavior, thinking to call the cops, and making the kinds of arguments you are, then we're headed in totally the wrong direction. We need a world of care, goodwill, freedom, and love, not one of fear, paranoia, reporting, and the panopticon. You're right, it does sound ominous, and we don't need that kind of thing here.

We need clarity of intent: Community, care, heart, cooperation, generosity.

We can't hold that, while thinking, "I've got to be on the lookout for anything that might be suspicious."

So I say: "No." Even looking out for suspicious behavior, it's not going to work. The person who wants to kill you or destroy the bridge will find a way. They will just not walk away, before using the bomb. They'll have someone else deliver the bomb.

There is no security, save security in the social fabric itself.

Boston Police Stopped Me

[holophrastic]

I was a Canadian tourist in Boston in April. I walked through Boston Commons Park at 10am on a beautiful Sunday morning, seven steps from my hotel. I said good morning to a few people in the park. Ten minutes later, two police approached and interrogated me. Apparently, some crazy women to whom I said "good morning" promptly left the park and reported me as a sex offender / pedaphile.

The police were firm but polite in their in-park ten-minute interrogation. They said things like "maybe you shouldn't walk around in public parks." and "don't you think it's a bad idea to say 'good morning' to a complete stranger?". They believed me when I said I was Canadian -- after seeing my passport and driver's licence. (yeah, passport wasn't enough for them. I have no clue how they were able to authenticate an Ontario driver's licence, Massacheusets has something that looks like it's off a 1985 inkjet.)

It was really just one crazy woman -- I greeted many people during the week, and others, notably injured Kelly, and also fishing Steve, were exceptionally nice.

All the same, I was glad when they let me leave the country five days later.