Unfortunately, there's not really anything to his response. It's obvious he doesn't want to admit that they've been checking ID's all this time to no purpose whatsoever, so he just emits vague generalities like a frightened squid filling the water with ink. Yes, some of the stunts in article are silly (who cares if people fly with Hezbollah T-shirts?) so that gives him an opportunity to minimize the real issues.

Watch-lists and identity checks are important and effective security measures. We identify dozens of terrorist-related individuals a week and stop No-Flys regularly with our watch-list process.

It is simply impossible that the TSA catches dozens of terrorists every week. If it were true, the administration would be trumpeting this all over the press -- it would be an amazing success story in their war on terrorism. But note that Hawley doesn't exactly say that; he calls them "terrorist-related individuals." Which means exactly what? People so dangerous they can't be allowed to fly for any reason, yet so innocent they can't be arrested -- even under the provisions of the Patriot Act.

And if Secretary Chertoff is telling the truth when he says that there are only 2,500 people on the no-fly list and fewer than 16,000 people on the selectee list -- they're the ones that get extra screening -- and that most of them live outside the U.S., then it is statistically impossible that the TSA identifies "dozens" of these people every week. The math just doesn't make sense.

And I also don't believe this:

Behavior detection works and we have 2,000 trained officers at airports today. They alert us to people who may pose a threat but who may also have items that could elude other layers of physical security.

It does work, but I don't see the TSA doing it properly. (Fly El Al if you want to see it done properly.) But what I think Hawley is doing is engaging in a little bit of psychological manipulation. Like sky marshals, the real benefit of behavior detection isn't whether or not you do it but whether or not the bad guys believe you're doing it. If they think you are doing behavior detection at security checkpoints, or have sky marshals on every airplane, then you don't actually have to do it. It's the threat that's the deterrent, not the actual security system.

This doesn't impress me, either:

Items carried on the person, be they a 'beer belly' or concealed objects in very private areas, are why we are buying over 100 whole body imagers in upcoming months and will deploy more over time. In the meantime, we use hand-held devices that detect hydrogen peroxide and other explosives compounds as well as targeted pat-downs that require private screening.

Optional security measures don't work, because the bad guys will opt not to use them. It's like those air-puff machines at some airports now. They're probably great at detecting explosive residue off clothing, but every time I have seen the machines in operation, the passengers have the option whether to go through the lane with them or another lane. What possible good is that?

The closest thing to a real response from Hawley is that the terrorists might get caught stealing credit cards.

Using stolen credit cards and false documents as a way to get around watch-lists makes the point that forcing terrorists to use increasingly risky tactics has its own security value.

He's right about that. And, truth be told, that was my sloppiest answer during the original intervied. Thinking about it afterwards, it's far more likely is that someone with a clean record and a legal credit card will buy the various plane tickets.

This is new:

Boarding pass scanners and encryption are being tested in eight airports now and more will be coming.

Ignoring for a moment that "eight airports" nonsense -- unless you do it at every airport, the bad guys will choose the airport where you don't do it to launch their attack -- this is an excellent idea. The reason my attack works, the reason I can get through TSA checkpoints with a fake boarding pass, is that the TSA never confirms that the information on the boarding pass matches a legitimate reservation. If all TSA checkpoints had boarding pass scanners that connected to the airlines' computers, this attack would not work. (Interestingly enough, I noticed exactly this system at the Dublin airport earlier this month.)

Stopping the ‘James Bond’ terrorist is truly a team effort and I whole-heartedly agree that the best way to stop those attacks is with intelligence and law enforcement working together.

This isn't about "Stopping the 'James Bond' terrorist," it's about stopping terrorism. And if all this focus on airports, even assuming it starts working, shifts the terrorists to other targets, we haven't gotten a whole lot of security for our money.

FYI: I did a long interview with Kip Hawley last year. If you haven't read it, I strongly recommend you do. I pressed him on these and many other points, and didn't get very good answers then, either.

Soldiers were deployed throughout Italy on Monday to embassies, subway and railway stations, as part of broader government measures to fight violent crime here for which illegal immigrants are broadly blamed.

[...]

The conservative government of Silvio Berlusconi won elections in April while promising to crack down on petty crime and illegal immigrants. The new patrols of soldiers, who are not empowered to make arrests, do not seem aimed only at illegal immigrants, though the patrols were deployed to centers where illegal immigrants are housed.

“Security is something concrete,” Mr. La Russa said on Monday. The troops, he said, will be a “deterrent to criminals.”

That reminds me of one of my favorite logical fallacies: "We must do something. This is something. Therefore, we must do it." It does seem largely to be a demonstration of "doing something" by the Berlusconi government. The legitimate police, of course, think it's a terrible idea.

“You need to be specially trained to carry out some kinds of controls,” Nicola Tanzi, the secretary of a trade union that represents Italian police officers. “Soldiers just aren’t qualified.”

He also questioned whether the $93.6 million that will be spent for the extra deployment, called Operation Safe Streets, might not have been better used to increase the budgets for Italy’s police and military.

Of course, a major problem with that approach is that the “persons of interest” are long gone by the time the video shows that “yep, you can defiantly see some guy cutting off that lock and stealing that…”.

Another problem is that unless the equipment is being checked on a regular basis, it may be defeated (or just broken) for a long time before any problems are identified.

In the photo to the right, a NYC artist William Lamson, has created an interesting photo of hacking (or blocking) a security camera with a helium balloon. This is such a simple and inexpensive attack on the video surveillance camera that I am shocked I haven’t seen this before. I am also certain that the appearance of this in a TV or movie plot is imminent. It would have been pretty simple to use two balloons to block the camera without providing the nice tether to “fix” the problem.

Digital photography is a hobby of mine, and I have a mild obsession for photographing physical security faux pas (which to date has not resulted in any ‘Imperial Entanglements’ ). So I am going to use Mr. Lamson’s photo to kick off a new category (and series) on Art of Information Security, called “Security faux pas” - stay tuned…

Cheers, Erik

Coming Soon to a Movie Plot Near You…

Last week at RSA, Microsoft Chief Research and Strategy Officer Craig Mundie spoke and outlined a proposed vision for “End to End Trust.” Much has and will be written on that, and additional information and discussions can be found at the End to End Trust portal http://www.microsoft.com/endtoendtrust. In many ways, Craig’s talk was very unusual for Microsoft’s presence at RSA in that it wasn’t a big new product announcement, nor was it evangelizing a new technology or platform to innovate upon. Rather, it was a aimed at kicking off a dialogue by describing some of the current challenges and barriers we see to achieving a more trusted and privacy enhanced Internet, and some of our ideas on how both industry and society might be able to start a productive dialog about collaborating toward that end.    Make no mistake: this is tough stuff. This needs to be an industry-wide, long-term effort, and it’s about more than just technology. Enabling true End to End Trust will require that we continue to build on technology progress while aligning those innovations more closely with social, economic and political forces.

Along those lines, I wanted to take a few moments and comment on how SDL factors into that broader discussion on trust. Allow me to draw some analogies with some of my prior work…

In the late 1990’s, I was not yet working on computer security but on computer speech recognition and speech synthesis for Microsoft. Having an engineering background, I was (and still am) very interested in the opportunities and possibilities enabled by freeing people from computer keyboards and mice and allowing them to interact with computers in one of the same ways we interact with each other – by voice. Speech recognition was, and still is, largely assessed by a key metric of “what percentage of words spoken by a person did the computer correctly understand?” Nirvana for speech recognition is 100 percent accuracy (defined as “the computer correctly understood all of the words spoken”) with any audio stream (even with a microphone far away from a person in a noisy room) with an unlimited vocabulary (regardless if I am discussing sports using slang or detailed technical terminology) in any spoken language/dialect. State of the art of speech recognition technology today is not 100 percent accurate within the parameters I described, but let’s pretend for a minute that it is – then what? If you start thinking more deeply on this subject, you can quickly see that many other pieces of the puzzle are needed to realize the goal of “allowing people to interact with computers in one of the same ways we interact with each other – by voice. Natural Language Processing and designing an effective Voice User Interface (VUI) are two of the first major challenges encountered when trying to realize the broader vision of enabling people to interact with computers via voice. These are hard problems that I hope to see significant progress on in my lifetime. However, analyzing an audio stream and converting into some format (words or otherwise) is a fundamental requirement necessary for speech recognition. Yet, it’s also insufficient to realize the broader vision.

Some of you reading may be thinking “But wait Eric, this is a security blog so why are you rambling on about your former roles working on speech recognition?” Well, there is an analogy I’m trying to draw. The point I’ve been leading up to is that the SDL plays a similar role in the context of realizing the broader “End to End Trust” vision. Having software that operates securely without exposing systems or data to unnecessary risk is a fundamental requirement in order for people to trust their computers and software. Yet, that alone is insufficient to enable confidence and trust. As Scott Charney noted in the “End to End Trust Paper:”

“There remained, however, other more specific threats not well addressed by SD3 or Defense-in-Depth. For example, spam does not normally exploit vulnerabilities, nor would one turn off mail by default. There is also very little a specific user or enterprise can do to prevent a distributed denial-of service attack from a botnet. As a result, Microsoft started working on threat mitigations for specific issues. With regard to phishing and spam, for example, it engaged in broad consumer education campaigns and worked on developing technological solutions such as phishing filters and SenderID. For both phishing and botnets, Microsoft began working more extensively with law enforcement to identify phishers and botnet herders in an attempt to create deterrent to such activity, even though the deterrent effect is limited by the current environment because it is hard to find offenders, and criminal penalties may be applied without sufficient force.”

In the non-computing world, even if I keep my house, car, and other valuables under lock and key, I still am at risk of being victimized by criminal activity through no fault of my own. However, a broader set of societal constructs help offer improved assurances that if I don’t live careless or recklessly I will largely remain safe and secure. Note I said “improved.” Society is still not perfect; crime still exists and it always will! The online world is no different. The online world has not yet been around quite as long as human society, it too needs help in developing improved assurances – assurances that ensure I will largely remain safe and secure given I don’t live carelessly or recklessly. These assurances can’t be provided by any single vendor. They require collaboration from all of industry, and indeed society. Craig Mundie’s talk aimed to start a dialogue about how to evolve our online society to be a safer place, where devices and software enable people to make more effective trust decisions and take control over whom and what they trust online.

The creation of a more trustworthy Internet will benefit all of society, and an open dialogue among its members is critical component of achieving this. Feel free to go to http://forums.community.microsoft.com/en-US/EndToEndTrust/threads/ and chime in with your thoughts. As Scott Charney noted “"… if we want the internet to reach its full potential, we need a safer, more trusted online environment."

Researchers examined data from the San Francisco Police Department detailing the 59,706 crimes committed within 1,000 feet of the camera locations between Jan. 1, 2005, and Jan. 28, 2008.

These were the total number of crimes for which police had reports -- regardless of whether the crimes were caught on video. The idea was to look at whether criminals stopped committing crimes at those locations because they knew cameras were there.

Using a complicated method, researchers were able to come up with an average daily crime rate at each location broken out by type of crime and distance from the cameras. They then compared it with the average daily crime rate from the period before the cameras were installed.

They looked at seven types of crime: larcenies, burglaries, motor vehicle theft, assault, robbery, homicide and forcible sex offenses.

The only positive deterrent effect was the reduction of larcenies within 100 feet of the cameras. No other crimes were affected -- except for homicides, which had an interesting pattern.

Murders went down within 250 feet of the cameras, but the reduction was completely offset by an increase 250 to 500 feet away, suggesting people moved down the block before killing each other.

The final report is expected to analyze the figures in more depth and to include other crimes, including prostitution and drug offenses.

This quote is instructive:

Mayor Gavin Newsom called the report "conclusively inconclusive" on Thursday but said he still wants to install more cameras around the city because they make residents feel safer.

That's right: the cameras aren't about security, they're about security theater. More comments on the general issue here.