
Matt Blaze: How unpredictable screening helps terrorists - alterego
http://www.crypto.com/blog/random/
======
tptacek
This article demonstrates what I like about Matt Blaze's physical security
writing that I _don't_ like about Schneier's.

Both are computer security experts by training, but Blaze's writing has a
concrete engineering-driven perspective that Schneier's lacks. Schneier's
writing always "feels" right, but leaves you with the sense that's it's not
based on any operational reality.

It's probably not a coincidence that Matt Blaze has done formal research on
physical security topics (safecracking, wiretapping, etc) --- in addition to
being a bona fide computer scientist.

~~~
rogersm
First of all I must say I don't believe in these kind of unpredictable
systems: rarely doing this 'select randomly the process from a set of
processes' works better than using the best process in the set.

But I don't think this applies:

    
    
      But terrorist organizations -- especially those employing 
      suicide bombers -- have very different goals and incentives 
      from those of smugglers, fare beaters and tax cheats. 
      Groups like Al Qaeda aim to cause widespread disruption and 
      terror by whatever means they can, even at great cost to 
      individual members. In particular, they are willing and 
      able to sacrifice -- martyr -- the very lives of their 
      solders in the service of that goal. The fate of any 
      individual terrorist is irrelevant as long as the loss 
      contributes to terror and disruption. 
    

Training a terrorist has a cost, and he should succeed the "fate of any
individual terrorist is _not_ irrelevant". The terrorist group does not have
an infinite number of terrorists (as he correctly concedes in the next
paragraph).

So random screening works, not because that influences the behavior even of
those who aren't checked, but because makes executing the attack more
expensive to overcome the possibility of being detained in the random test.

Of course random screening is not as good as full screening, but from a
realistic point of view is the only thing you can apply without shutting down
world economy.

~~~
alterego
But if you read the article, I believe the point was that if the terrorist
gets caught under a random system, the terrorist still achieves a positive
result for the terrorists (the govt becomes forced to shut down aviation and
then apply the maximum screening to everyone, causing expensive chaos and
terror of its own).

~~~
rogersm
This is not the kind of chaos of terror the terrorist has on his mind.
Otherwise they will be shutting down traffic light control systems.

Getting caught is a failure. A bomb exploding is a victory.

~~~
tptacek
Getting caught this time was a huge win. By all accounts, the guy who got
caught was a nobody. Had he even been to the camps for training? For the cost
of a pair of explosive underpants and the life of one shmuck, AQ is once again
top-of-mind in the west --- not to mention the tens of millions of dollars of
disruption the stunt caused.

There is a practically limitless supply of shmucks out there for AQ to
weaponize. All they have to do is get better at converting them. What evidence
do we have that this will be a long-term operational problem for AQ?
Everything I see indicates that they will get better at it, not worse.

This is also why they aren't shutting down traffic lights. A failed attempt to
shut down traffic lights wins nothing. Nobody is viscerally afraid of darkened
traffic lights. In fact, until it happens, nobody is going to be viscerally
afraid of someone taking out the grid. But everyone is afraid in their gut of
exploding planes. Just the threat --- just 5% of the threat --- is enough to
wreak havoc.

------
pedrocr
The problem is that with non-random screening the terrorists can be much more
efficient. They can get a pool of candidates together and send them on flights
without any explosives on them. They can then find out which of the guys get
screened at a rate less than chance and send those on the actual attack.
That's why random screening is the best system possible because any other
system would have to be perfect, otherwise any flaw can be detected on dry
runs and exploited for the attack.

This was thoroughly explored last time the TSA tried to be smart about
screening and implemented its Computer-Assisted Passenger Screening System.
MIT article exploring it:

[http://groups.csail.mit.edu/mac/classes/6.805/student-
papers...](http://groups.csail.mit.edu/mac/classes/6.805/student-
papers/spring02-papers/caps.htm)

~~~
alterego
I think this article isn't talking about random vs. profiled (which is what
the mit paper is about), but random vs. 100% (where there 100% has been
analyzed carefully to be sufficient to detect large bombs, etc.).

~~~
pedrocr
He was hand-waving at the end about the 100% but that's not a solution. They
are doing it randomly because 100% is simply not possible. My point was that
in a situation where 100% is not possible, as in real life, any system is
potentially worse than randomness.

Maybe this just means we need to come up with screening mechanisms that can be
applied to 100%, but given the current capabilities, choosing random screening
is better than profiling.

------
sethg
_the best terrorist strategy (as long as they have enough volunteers)_

 _Do_ they have enough volunteers? The Shoe Bomber and the Undie Bomber,
compared with the team that pulled off 9/11, are a couple of amateurish mooks.
If these are the best men that al-Qaeda can send against the United States,
they must not have a very deep bench.

~~~
CamperBob
That's just it... the people who pulled off 9/11 _were_ a bunch of amateurish
mooks. A bunch of amateurish mooks with an 18 in the Luck department is still
dangerous.

Just as in this case, there were any number of measures already in place that
could have stopped 9/11, if they had only been followed. More rules are not
the answer.

~~~
dandelany
Well, sort of. They were _19_ amateurish mooks who had gone to flight school.
That's a far cry from a couple of idiots with unsuccessful bombs.

------
CWuestefeld
Relevant parts:

 _Paradoxically, the best terrorist strategy (as long as they have enough
volunteers) under unpredictable screening may be to prepare a cadre of suicide
bombers for the least rigorous screening to which they might be subjected, and
not, as the strategy assumes, for the most rigorous. Sent on their way, each
will either succeed at destroying a plane or be caught, but either outcome
serves the terrorists' objective._ ...

 _We might reflexively assume that any passenger screening system needs to be
100% effective at detecting all possible weapons and dangerous objects, an
obviously difficult task. But, fortunately, that's not the requirement.
Instead, the mechanisms need only be highly effective at detecting objects
that can create actual terror under the conditions they will be subjected to
in an actual flight. That is, in order to have meaningful security screening,
we first must understand what it realistically takes to bring down an
airplane. The security system can then be designed specifically to eliminate
the preconditions for successful terrorism.

The TSA's much maligned "three ounce" liquid rule is, in fact, a nice example
of good security engineering of this kind._ ...

~~~
tptacek
The idea that Matt Blaze thinks the three-ounce rule is sensible was
surprising to me; I hit it, jumped back to the top, and re-read the whole
article. What's the flaw in his reasoning? The three-ounce rule always seemed
like one of the more ridiculous TSA measures.

~~~
jz
I was also surprised by this. The three-ounce rule applies to a single
passenger. All it takes is a bit of team work to get around it. A 747 for
example can carry between 400 and 500 passengers depending on class layout. A
team of 3 terrorists would represent less than 1% of the passengers.

~~~
ghshephard
Kip Hawley, former head of the TSA has answered this question a number of
times, including conversations with Schneier. Most of the liquids that can do
the type of damage the TSA are concerned about are likely highly oxygen
reactive, or otherwise have significant obstacles to being combined outside of
a lab environment.

If that weren't the case, the TSA would have simply banned all liquids.

~~~
blasdel
Why would you have to combine the liquids into one reservoir? Couldn't the N
passengers just make N bombs from their 3x 3oz, each independently capable of
going off, but intended to be detonated together for maximum effect?

~~~
tptacek
Because then you have to get two suicide bombers on the plane at the same
time.

By all indications, the 9/11 bombers were very high on the AQ food chain. The
underpants bomber didn't get tens or hundreds of thousands of dollars wired to
him before the op; he was a shmuck, in a strategy designed to weaponize
schmucks.

If a TSA measure doubles the manpower required to carry off an AQ op, it is
almost _prima facie_ "effective". Is, I think, the logic you'd deploy against
the "combine the 3oz bottles" argument.

------
bdr
The problem with this post is his answer to the question "What do we do when
we detect a terrorist through random screening?" His answer is "shut down all
commercial aviation until the the most rigorous screening possible can
henceforth be applied universally, effectively creating the same kind of havoc
that occurs after a successful attack", and his whole post rests on this
point, but I think it's totally flawed.

\- Shutting down commercial flight is better outcome (for the defender) than
the the destruction of 9/11 \- There are alternative responses, such as
heightened screening, tighter in-flight security, or checking passenger lists
for people with known connections to the terrorist caught.

------
neilk
The article hinges on the proposition that a failed attack still serves the
terrorist network's purposes. Seriously, can you imagine a terrorist being
briefed like this?

"Well, if you succeed, you may shock the world and rally the Muslim nations to
our cause, while drawing the Great Satan into an unwinnable war costing over a
trillion dollars. If you fail... well, you're going to cause a lot of air
travellers to be a little annoyed for five minutes."

There is this idea that terrorists are like devils, delighting in causing
misfortune of any kind. I don't think that's the case. Al-Qaeda has concrete
goals, like advancing Wahabbi ideology or ejecting the USA from the holy
places. Failed missions don't support that, do they?

~~~
pyre
Do you really think that they would tell the suicide bomber that he/she might
fail?

~~~
neilk
It was just to demonstrate a certain absurdity. No, that conversation might
not happen, but the point was that the terrorist planners have objectives
beyond "cause mayhem". And that increasing airline security costs probably
don't even rank on their scale of worthy goals.

In Afghanistan, al-Qaeda is bleeding the USA of _billions_ of dollars every
month. But the article suggests that merely inconveniencing air travellers --
to the tune of maybe a few hundred million a year, widely dispersed -- might
rank as an acceptable second best to a terrorist.

~~~
pyre
al-Qaeda wants 'The West' to fear them. People get scared of air travel every
time there is an incident, even if that incident is a terrorism attempt that
was caught before it ever got off the ground. If al-Qaeda doesn't have _some_
sort of media presence, then people will start to think that they are a non-
issue. Maybe al-Qaeda doesn't really think of things in these terms, but I
have a hard time believing that they are all religious fundamental crazies.
For them to be so organized, _some_ of them have to be thinking on a more
practical level.

------
johnl
Random usually ends up being discrimination so I would go with a set of more
stable rules that apply to everyone.

------
itistoday
It's perfectly possible that an organization headed by the government whose
primary focus is the security of airline passengers is completely incompetent
and ineffective.

But is it not also possible that the TSA is _purposefully_ putting on the
guise of an incompetent governmental entity? That would seem like an excellent
strategy to take, as it follows the principles in Sun Tzu's Art of War to the
letter. If you are strong, appear weak, if you are weak, appear strong, etc.

If these terrorists think they can easily game the system, it will likely lead
them to be less cautious, exactly as stated in the article:

 _Paradoxically, the best terrorist strategy (as long as they have enough
volunteers) under unpredictable screening may be to prepare a cadre of suicide
bombers for the least rigorous screening to which they might be subjected, and
not, as the strategy assumes, for the most rigorous._

That seems like a good thing to me, and if this is the TSA's actual strategy,
it's a smart one. Say one thing publicly, but do another privately.

~~~
pvg
_But is it not also possible that the TSA is purposefully putting on the guise
of an incompetent governmental entity?_

It's extremely unlikely. For one thing, appearing incompetent in order to
encourage the incautious, freelancers, amateurs and copycats is essentially
using the public as bait - if you happen to miss one, people die. As a
strategy it's morally and probably legally questionable.

------
wendroid
4 in 5 people scanned, send 5 people

~~~
chaosmachine
Those still aren't very good odds.

~~~
tptacek
You can't talk about odds without talking about returns. 1-in-5 is f'ing
fantastic if a $1 bet pays $1000.

~~~
chaosmachine
True, but if someone is going to go to the trouble of planning and financing
an attack, I imagine they'd want a better than 20% chance of success.
Especially since one attacker being caught could ruin the chances of all the
others.

~~~
tptacek
WHY? Really, how much do you think a PETN bomb costs? Re-read the article:
nothing that happens in response to these attacks fails to help the
terrorists. They send 5 people and one blows up a plane: _huge positive ROI_.
They send 5 people and nobody blows up a plane, but commercial air travel is
disrupted to the tune of hundreds of millions of dollars: _huge positive ROI_.

~~~
chaosmachine
You have a good point, if you measure it in terms of financial damage, the
terrorists win either way.

A side point: I suspect bombs are at bottom of the price chart in terms of
financing an attack. More likely, the most expensive part is finding someone
stupid enough to blow themselves up, and getting them to the right place at
the right time. The cost of doing this undetected would probably increase non-
linearly with the number of people involved in your attack.

~~~
ghshephard
The good news for our side, is that these people have to be simultaneously
stupid enough to blow themselves up, yet bright enough to make it through
security. This is why El Al's approach to security (personal interviews with
all passengers) is effective - you'd have to be close to genius level to get
through their screening without triggering a (real-world, not TSA-Pansy) pat-
down and luggage check - at which point, if you were that bright, you probably
wouldn't be volunteering for kaboom duty.

~~~
sorbus
Or they could send someone through multiple times, giving them a prepared
briefcase each time, but only put a bomb in it the last time, but telling them
that there was a bomb each time; eventually, even an idiot will get used to
it, and stop triggering their screening. Hell, depending on what sort of
records they keep, they might eventually interpret his nervousness to just be
who he is (dislikes flying, say), and wave him through anyways.

~~~
ghshephard
If my (discredited by most on HN, but I still hold to it) theory regarding El
Al security screening is correct, they aren't principally looking for people
who are nervous, or acting guilty (though they'll pull those people aside as
well) - rather they are trying to identify individuals that fall within the
category of people that might bomb El Al, and then pull them aside for
selective screening.

Your average Muslim individual would have little chance convincing a screener
they were an observant Jew, and would always fail regardless of how many times
they attempted.

By the time they had learned a patter that would get them through security,
they would probably be bright enough to say "Hey, why am I wasting my life by
blowing myself up? I should probably _run_ operations instead of being in
them"

The supposed success of El Al isn't (in my opinion) that they can stop a broad
community of attackers, rather it is that they are effective in profiling
quickly, and passing through 95% of the passengers quickly, and only
subjecting 5% to selective screening.

I'd be interesting in hearing of the experiences of any Palestinian or Muslim
passengers that have flyed on El Al for anecdotal confirmation of this.

