Watching the television on September 11, my primary reaction was amazement. The attacks were amazing in their diabolicalness and audacity: to hijack fuel-laden commercial airliners and fly them into buildings, killing thousands of innocent civilians. ... The attacks were amazing in their complexity. Estimates are that the plan required about 50 people, at least 19 of them willing to die. It required training. It required logistical support. It required coordination. ... Al-Qaeda invented a new type of attacker. ... Finally, the attacks were amazing in their success. ...
Airline Security Regulations

Computer security experts have a lot of expertise. ... First and foremost, we have well-developed senses of what security looks like. ... The ban on cutting instruments is a perfect example. It's a knee-jerk reaction: the terrorists used small knives and box cutters, so we must ban them. And nail clippers, nail files, ... how does turning an airplane into a kindergarten classroom reduce the threat? ... Hasn't anyone heard of karate? ... The rule limiting concourse access to ticketed passengers is another one that confuses me. ... the inspectors are poorly paid and, for the most part, poorly educated and trained. ... Positive bag matching -- ... is actually a good security measure, but assumes that bombers have self-preservation as a guiding force. ... The worst security measure of them all is the photo ID requirement, which solves no security problem I can think of. ... any high school student can tell you how to get a fake ID. ... Airline security measures are primarily designed to give the appearance of good security rather than the actuality. ... All security measures have benefits, and all have costs: money, inconvenience, etc. ... self-invented security measures, instead of expert-analyzed and time-tested ones. ... El Al. ... One thing they do is have reinforced, locked doors between their airplanes' cockpit and the passenger section. (1) expensive, 2) not immediately perceptible to the passenger, and 3) effective.) Another thing they do is place all cargo in decompression chambers before takeoff, to trigger bombs set to sense altitude.
Biometrics in Airports

... The hardest problem is the false alarms. To explain why, I'm going to have to digress into statistics and explain the base rate fallacy. Suppose this magically effective face-recognition software is 99.99 percent accurate. That is, if someone is a terrorist, there is a 99.99 percent chance that the software indicates "terrorist," and if someone is not a terrorist, there is a 99.99 percent chance that the software indicates "non-terrorist." Assume that one in ten million flyers, on average, is a terrorist. Is the software any good? No. The software will generate 1000 false alarms for every one real terrorist. And every false alarm still means that all the security people go through all of their security procedures. It's "The Boy Who Cried Wolf" increased 1000-fold. I say mostly useless, because it would have some positive effect. Once in a while, the system would correctly finger a frequent-flyer terrorist.
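The base rate arithmetic above, worked exactly, as an added example that is not part of the original newsletter. It goes one step beyond the text by also computing how low the false-positive rate would have to be before half of all alarms were real; the function names are illustrative, and the inputs are the 99.99 percent and one-in-ten-million figures from the paragraph.

```python
from fractions import Fraction

# Figures taken from the paragraph above.
ACCURACY = Fraction(9999, 10000)        # 99.99% for both classes
BASE_RATE = Fraction(1, 10_000_000)     # one flyer in ten million

def alarm_stats(sensitivity, specificity, base_rate):
    """Per screened flyer: (true-alarm rate, false-alarm rate, PPV).

    PPV is the probability that a flagged flyer really is a terrorist.
    """
    true_alarms = base_rate * sensitivity
    false_alarms = (1 - base_rate) * (1 - specificity)
    ppv = true_alarms / (true_alarms + false_alarms)
    return true_alarms, false_alarms, ppv

def false_alarms_per_hit(sensitivity, specificity, base_rate):
    """Expected number of false alarms for every correct alarm."""
    true_alarms, false_alarms, _ = alarm_stats(sensitivity, specificity, base_rate)
    return false_alarms / true_alarms

def max_false_positive_rate(sensitivity, base_rate, target_ppv):
    """Largest false-positive rate that still yields the target PPV.

    Solves PPV = s*b / (s*b + f*(1-b)) for f.
    """
    return (sensitivity * base_rate * (1 - target_ppv)) / (target_ppv * (1 - base_rate))

if __name__ == "__main__":
    _, _, ppv = alarm_stats(ACCURACY, ACCURACY, BASE_RATE)
    ratio = false_alarms_per_hit(ACCURACY, ACCURACY, BASE_RATE)
    print(f"false alarms per real hit: {float(ratio):.1f}")
    print(f"chance a flagged flyer is a terrorist: {float(ppv):.6%}")

    # What it would take for an alarm to be right half the time.
    fpr = max_false_positive_rate(ACCURACY, BASE_RATE, Fraction(1, 2))
    print(f"false-positive rate needed for 50% PPV: {float(fpr):.3e}")

    # Higher accuracy alone barely helps while the base rate stays tiny.
    for acc in (Fraction(999, 1000), ACCURACY, Fraction(999999, 1000000)):
        r = false_alarms_per_hit(acc, acc, BASE_RATE)
        print(f"accuracy {float(acc):.4%}: {float(r):,.0f} false alarms per hit")
```

The same calculation applies to any detector watching for rare events, which is why intrusion-detection alert volume is dominated by the false-positive rate rather than the detection rate.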
Diagnosing Intelligence Failures

It's clear that U.S. intelligence failed to provide adequate warning of the September 11 terrorist attacks, and that the FBI failed to prevent the attacks. ... Over the past couple of decades, the U.S. has relied more and more on high-tech electronic eavesdropping (SIGINT and COMINT) and less and less on old-fashioned human intelligence (HUMINT).
Regulating Cryptography

In the wake of the devastating attacks on New York's World Trade Center and the Pentagon, Senator Judd Gregg and other high-ranking government officials quickly seized on the opportunity to resurrect limits on strong encryption and key escrow systems that ensure government access to encrypted messages. I think this is a bad move. One, you can't limit the spread of cryptography mathematics. Two, any controls on the spread of cryptography hurt [combating] eavesdropping, unauthorized access, meddling, denial of service. Three, key escrow doesn't work. Poll indicates that 72 percent of Americans believe that anti-encryption laws would be "somewhat" or "very" helpful in preventing a repeat of last week's terrorist attacks on New York's World Trade Center and the Pentagon in Washington, D.C. No indication of what percentage actually understood the question.
Terrorists and Steganography

Guess what? Al-Qaeda may use steganography. ... Typically, a message (either plaintext or, more cleverly, ciphertext) is encoded as tiny changes to the color of the pixels of a digital photograph. Or in imperceptible noise in an audio file. ... Hanssen communicated with his Russian handlers. They never met, but would leave messages, money, and documents for one another in plastic bags under a bridge. Hanssen's handler would leave a signal in a public place -- a chalk mark on a mailbox -- to indicate a waiting package. ... One, the two parties are never seen together. Two, the two parties don't have to coordinate a rendezvous. Three, and most importantly, one party doesn't even have to know who the other one is (a definite advantage if one of them is arrested). Dead drops can be used to facilitate completely anonymous, asynchronous communications.
News

I am not opposed to using force against the terrorists. ... Occasionally, peace is something you have to fight for. But I think the use of force is far more complicated than most people realize. ... Security problems include: inaccurate information, insiders issuing fake cards (this happens with state drivers' licenses), vulnerability of the large database, potential privacy abuses, etc. And, of course, no trans-national terrorists would be listed in such a system, because they wouldn't be U.S. citizens. What do you expect from a company whose origins are intertwined with the CIA?
Protecting Privacy and Liberty

Appalled by the recent hijackings, many Americans have declared themselves willing to give up civil liberties in the name of security. ... Here's an example: securing a room. Option one: convert the room into an impregnable vault. Option two: put locks on the door, bars on the windows, and alarm everything. Option three: don't bother securing the room; instead, post a guard in the room who records the ID of everyone entering and makes sure they should be allowed in. ... Thomas Jefferson once said: "Eternal vigilance is the price of liberty."
How to Help

How can you help? Speak about the issues. Write to your elected officials. Contribute to organizations working on these issues.

1. Urge your representatives in Congress to protect privacy.
   - Call the White House switchboard at 202-224-3121.
   - Ask to be connected to the office of your Congressional representative.
   - When you are put through, say "May I please speak to the staff member who is working on the anti-terrorism legislation?" If that person is not available to speak with you, say "May I please leave a message?"
   - Briefly explain that you appreciate the efforts of your representative to address the challenges brought about by the September 11th tragedy, but it is your view that it would be a mistake to make any changes in the federal wiretap statute that do not respond to "the immediate threat of investigating or preventing terrorist acts."
2. Go to the In Defense of Freedom web site and endorse the statement: <http://www.indefenseoffreedom.org>
3. Forward this message to at least five other people.

Legislation that will (a) significantly expand the use of Carnivore, (b) make computer hacking a form of terrorism, (c) expand electronic surveillance in routine criminal investigations, and (d) reduce government accountability.
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography. Back issues are available on <http://www.counterpane.com/crypto-gram.html>. To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or send a blank message to [email protected]. To unsubscribe, visit <http://www.counterpane.com/unsubform.html>. Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety. CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Secrets and Lies" and "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on computer security and cryptography. Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane's expert security analysts protect networks for Fortune 1000 companies world-wide. <http://www.counterpane.com/> Copyright (c) 2001 by Counterpane Internet Security, Inc. -----------------------------------------