CRYPTO-GRAM, October 15, 2008

Bruce Schneier schneier at SCHNEIER.COM
Wed Oct 15 02:30:25 PDT 2008


               October 15, 2008

              by Bruce Schneier
      Chief Security Technology Officer, BT
             schneier at

A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit 

You can read this issue on the web at 
<>.  These same essays 
appear in the "Schneier on Security" blog: 
<>.  An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
     The Seven Habits of Highly Ineffective Terrorists
     The Two Classes of Airport Contraband
     The More Things Change, the More They Stay the Same
     NSA's Warrantless Eavesdropping Targets Innocent Americans
     Schneier/BT News
     Taleb on the Limitations of Risk Management
     "New Attack" Against Encrypted Images
     Nonviolent Activists Are Now Terrorists
     Does Risk Management Make Sense?
     Comments from Readers

** *** ***** ******* *********** *************

     The Seven Habits of Highly Ineffective Terrorists

Most counterterrorism policies fail, not because of tactical problems, 
but because of a fundamental misunderstanding of what motivates 
terrorists in the first place. If we're ever going to defeat terrorism, 
we need to understand what drives people to become terrorists in the 
first place.

Conventional wisdom holds that terrorism is inherently political, and 
that people become terrorists for political reasons. This is the 
"strategic" model of terrorism, and it's basically an economic model. It 
posits that people resort to terrorism when they believe -- rightly or 
wrongly -- that terrorism is worth it; that is, when they believe the 
political gains of terrorism minus the political costs are greater than 
if they engaged in some other, more peaceful form of protest. It's 
assumed, for example, that people join Hamas to achieve a Palestinian 
state; that people join the PKK to attain a Kurdish national homeland; 
and that people join al-Qaida to, among other things, get the United 
States out of the Persian Gulf.

If you believe this model, the way to fight terrorism is to change that 
equation, and that's what most experts advocate. Governments tend to 
minimize the political gains of terrorism through a no-concessions 
policy; the international community tends to recommend reducing the 
political grievances of terrorists via appeasement, in hopes of getting 
them to renounce violence. Both advocate policies to provide effective 
nonviolent alternatives, like free elections.

Historically, none of these solutions has worked with any regularity. 
Max Abrahms, a predoctoral fellow at Stanford University's Center for 
International Security and Cooperation, has studied dozens of terrorist 
groups from all over the world. He argues that the model is wrong. In a 
paper published this year in International Security that -- sadly -- 
doesn't have the title "Seven Habits of Highly Ineffective Terrorists," 
he discusses, well, seven habits of highly ineffective terrorists. These 
seven tendencies are seen in terrorist organizations all over the world, 
and they directly contradict the theory that terrorists are political 

Terrorists, he writes, (1) attack civilians, a policy that has a lousy 
track record of convincing those civilians to give the terrorists what 
they want; (2) treat terrorism as a first resort, not a last resort, 
failing to embrace nonviolent alternatives like elections; (3) don't 
compromise with their target country, even when those compromises are in 
their best interest politically; (4) have protean political platforms, 
which regularly, and sometimes radically, change; (5) often engage in 
anonymous attacks, which precludes the target countries making political 
concessions to them; (6) regularly attack other terrorist groups with 
the same political platform; and (7) resist disbanding, even when they 
consistently fail to achieve their political objectives or when their 
stated political objectives have been achieved.

Abrahms has an alternative model to explain all this: People turn to 
terrorism for social solidarity. He theorizes that people join terrorist 
organizations worldwide in order to be part of a community, much like 
the reason inner-city youths join gangs in the United States.

The evidence supports this. Individual terrorists often have no prior 
involvement with a group's political agenda, and often join multiple 
terrorist groups with incompatible platforms. Individuals who join 
terrorist groups are frequently not oppressed in any way, and often 
can't describe the political goals of their organizations. People who 
join terrorist groups most often have friends or relatives who are 
members of the group, and the great majority of terrorist are socially 
isolated: unmarried young men or widowed women who weren't working prior 
to joining. These things are true for members of terrorist groups as 
diverse as the IRA and al-Qaida.

For example, several of the 9/11 hijackers planned to fight in Chechnya, 
but they didn't have the right paperwork so they attacked America 
instead. The mujahedeen had no idea whom they would attack after the 
Soviets withdrew from Afghanistan, so they sat around until they came up 
with a new enemy: America. Pakistani terrorists regularly defect to 
another terrorist group with a totally different political platform. 
Many new al-Qaida members say, unconvincingly, that they decided to 
become a jihadist after reading an extreme, anti-American blog, or after 
converting to Islam, sometimes just a few weeks before. These people 
know little about politics or Islam, and they frankly don't even seem to 
care much about learning more. The blogs they turn to don't have a lot 
of substance in these areas, even though more informative blogs do exist.

All of this explains the seven habits. It's not that they're 
ineffective; it's that they have a different goal. They might not be 
effective politically, but they are effective socially: They all help 
preserve the group's existence and cohesion.

This kind of analysis isn't just theoretical; it has practical 
implications for counterterrorism. Not only can we now better understand 
who is likely to become a terrorist, we can engage in strategies 
specifically designed to weaken the social bonds within terrorist 
organizations. Driving a wedge between group members -- commuting prison 
sentences in exchange for actionable intelligence, planting more double 
agents within terrorist groups -- will go a long way to weakening the 
social bonds within those groups.

We also need to pay more attention to the socially marginalized than to 
the politically downtrodden, like unassimilated communities in Western 
countries. We need to support vibrant, benign communities and 
organizations as alternative ways for potential terrorists to get the 
social cohesion they need. And finally, we need to minimize collateral 
damage in our counterterrorism operations, as well as clamping down on 
bigotry and hate crimes, which just creates more dislocation and social 
isolation, and the inevitable calls for revenge.

This essay previously appeared on 

Interesting rebuttal:

** *** ***** ******* *********** *************

     The Two Classes of Airport Contraband

Airport security found a jar of pasta sauce in my luggage last month. It 
was a 6-ounce jar, above the limit; the official confiscated it, because 
allowing it on the airplane with me would have been too dangerous. And 
to demonstrate how dangerous he really thought that jar was, he blithely 
tossed it in a nearby bin of similar liquid bottles and sent me on my way.

There are two classes of contraband at airport security checkpoints: the 
class that will get you in trouble if you try to bring it on an 
airplane, and the class that will cheerily be taken away from you if you 
try to bring it on an airplane. This difference is important: Making 
security screeners confiscate anything from that second class is a waste 
of time. All it does is harm innocents; it doesn't stop terrorists at all.

Let me explain. If you're caught at airport security with a bomb or a 
gun, the screeners aren't just going to take it away from you. They're 
going to call the police, and you're going to be stuck for a few hours 
answering a lot of awkward questions. You may be arrested, and you'll 
almost certainly miss your flight. At best, you're going to have a very 
unpleasant day.

This is why articles about how screeners don't catch every -- or even a 
majority -- of guns and bombs that go through the checkpoints don't 
bother me. The screeners don't have to be perfect; they just have to be 
good enough. No terrorist is going to base his plot on getting a gun 
through airport security if there's a decent chance of getting caught, 
because the consequences of getting caught are too great.

Contrast that with a terrorist plot that requires a 12-ounce bottle of 
liquid. There's no evidence that the London liquid bombers actually had 
a workable plot, but assume for the moment they did. If some copycat 
terrorists try to bring their liquid bomb through airport security and 
the screeners catch them -- like they caught me with my bottle of pasta 
sauce -- the terrorists can simply try again. They can try again and 
again. They can keep trying until they succeed. Because there are no 
consequences to trying and failing, the screeners have to be 100 percent 
effective. Even if they slip up one in a hundred times, the plot can 

The same is true for knitting needles, pocketknives, scissors, 
corkscrews, cigarette lighters and whatever else the airport screeners 
are confiscating this week. If there's no consequence to getting caught 
with it, then confiscating it only hurts innocent people. At best, it 
mildly annoys the terrorists.

To fix this, airport security has to make a choice. If something is 
dangerous, treat it as dangerous and treat anyone who tries to bring it 
on as potentially dangerous. If it's not dangerous, then stop trying to 
keep it off airplanes. Trying to have it both ways just distracts the 
screeners from actually making us safer. 

This essay originally appeared on 

** *** ***** ******* *********** *************


According to U.S. government documents, fear of terrorism could cause a 
psychosomatic epidemic:

GPS spoofing:

NSA -- and others -- snooping on cell phone calls with off-the-shelf 

The NSA teams up with the Chinese government to limit Internet anonymity:

The Pentagon's World of Warcraft Movie-Plot threat:

TSA employees are bypassing airport screening.
This isn't a big deal.  Screeners have to go in and out of security all 
the time as they work.  Yes, they can smuggle things in and out of the 
airport.  But you have to remember that the airport screeners are 
trusted insiders for the system: there are a zillion ways they could 
break airport security.  On the other hand, it's probably a smart idea 
to screen screeners when they walk through airport security when they 
aren't working at that checkpoint at that time.  The reason is the same 
reason you should screen everyone, including pilots who can crash their 
plane: you're not screening screeners (or pilots), you're screening 
people wearing screener (or pilot) uniforms and carrying screener (or 
pilot) IDs.  You can either train your screeners to recognize authentic 
uniforms and IDs, or you can just screen everybody.  The latter is just 
easier.  But this isn't a big deal.

I can think of specific instances where the ability to unlock your door 
over the Internet can be useful, but in most places it's not a good idea. 

India using brain scans to prove guilt in court.
The pseudo-science here is even worse than for lie detectors.

People have been asking me to comment about Sarah Palin's Yahoo e-mail 
account being hacked.  I've already written about the security problems 
with "secret questions" back in 2005:
More commentary: 

The $20M camera system at New York's Freedom Tower is pretty sophisticated. 

We're developing a pre-crime detector that detects hostile thoughts. 

Spykee is your own personal robot spy.  It takes pictures and movies 
that you can watch on the Internet in real time or save for later.  You 
can even talk with whoever you're spying on via Skype.  Only $300.

Security maxims from Roger Johnston.  Funny, and all too true.

Send your personalized message to TSA X-ray screeners using metal plates 
you can put in your carry-on luggage. 

Another bomb scare.  Hot dogs this time. 

The Hackers Choice has released a tool allowing people to clone and 
modify electronic passports.  The problem is self-signed certificates. 
A CA is not a great solution, and the link gives a good explanation as 
to why.  "So what's the solution? We know that humans are good at Border 
Control. In the end they protected us well for the last 120 years. We 
also know that humans are good at pattern matching and image 
recognition. Humans also do an excellent job 'assessing' the person and 
not just the passport. Take the human part away and passport security 
falls apart." 

Hand grenades are now weapons of mass destruction:

MI6 camera -- including secrets -- sold on eBay.  The buyer turned the 
camera in to the police. 

"Scareware" vendors sued -- it's about time. 

This is clever: bank robber hires accomplices on Craigslist. 

New cross-site request forgery attacks. 

"Clickjacking" is a stunningly sexy name, but the vulnerability is 
really just a variant of cross-site scripting.  We don't know how bad it 
really is, because the details are still being withheld.  But the name 
alone is causing dread.  Here's a good Q&A on the vulnerability: 

Turns out you can add anyone's number to -- or remove anyone's number 
from -- the Canadian do-not-call list. You can also add (but not remove) 
numbers to the U.S. do-not-call list, though only up to three at a time, 
and you have to provide a valid e-mail address to confirm the addition. 
 Here's my idea.  If you're a company, add every one of your customers 
to the list.  That way, none of your competitors will be able to cold 
call them.

Chinese monitoring Skype messages: 

According to a massive report from the National Research Council, data 
mining for terrorists doesn't work. 

Interesting paper by Adam Shostack on threat modeling at Microsoft:

Elcomsoft is claiming that the WPA protocol is dead, just because they 
can speed up brute-force cracking by 100 times using a hardware 
accelerator.  Why exactly is this news?  Yes, weak passwords are weak -- 
we already know that.  And strong WPA passwords are still strong.  This 
seems like yet another blatant attempt to grab some press attention with 
a half-baked cryptanalytic result.

Clever counterterrorism attack against the IRA: set up a laundromat, and 
watch who has bomb residue on their clothes:

There's a new chip-and-pin scam in the UK.  The card readers were hacked 
when they were built, "either during the manufacturing process at a 
factory in China, or shortly after they came off the production line." 
It's being called a "supply chain hack."  Sophisticated stuff, and yet 
another demonstration that these all-computer security systems are full 
of risks.
BTW, what's it worth to rig an election?

BART, the San Francisco subway authority, has been debating allowing 
passengers to bring drinks on trains.  There are all sorts of good 
reasons why or why not -- convenience, problems with spills, and so on 
-- but one reason that makes no sense is that terrorists may bring 
flammable liquids on board.  Yet that is exactly what BART managers 
said.  No big news -- we've seen stupid things like this regularly since 
9/11 -- but this time people responded:  "Added Director Tom Radulovich, 
'If somebody wants to break the law and bring flammable liquids on, they 
can. It's not like al Qaeda is waiting in their caves for us to have a 
sippy-cup rule.'  Directing his comments to BART administrators, he 
said, 'You know, it's just fearmongering and you should be ashamed.' 
Terrorist fear mongering seems to be working less well.

** *** ***** ******* *********** *************

     The More Things Change, the More They Stay the Same

Guess the year:  "Murderous organizations have increased in size and 
scope; they are more daring, they are served by the most terrible 
weapons offered by modern science, and the world is nowadays threatened 
by new forces which, if recklessly unchained, may some day wreck 
universal destruction. The Orsini bombs were mere children's toys 
compared with the later developments of infernal machines. Between 1858 
and 1898 the dastardly science of destruction had made rapid and 
alarming strides..."

No, that wasn't a typo.  "Between 1858 and 1898...."  This quote is from 
Major Arthur Griffith, "Mysteries of Police and Crime," London, 1898, 
II, p. 469.  It's quoted in: Walter Laqueur, "A History of Terrorism," 
New Brunswick/London, Transaction Publishers, 2002. 

** *** ***** ******* *********** *************

     NSA's Warrantless Eavesdropping Targets Innocent Americans

Remember when the U.S. government said it was only spying on terrorists? 
 Anyone with any common sense knew it was lying -- power without 
oversight is always abused -- but even I didn't think it was this bad:

"Faulk says he and others in his section of the NSA facility at Fort 
Gordon routinely shared salacious or tantalizing phone calls that had 
been intercepted, alerting office mates to certain time codes of 'cuts' 
that were available on each operator's computer.

"'Hey, check this out,' Faulk says he would be told, 'there's good phone 
sex or there's some pillow talk, pull up this call, it's really funny, 
go check it out. It would be some colonel making pillow talk and we 
would say, "Wow, this was crazy",' Faulk told ABC News."

Warrants are a security device.  They protect us against government 
abuse of power.

** *** ***** ******* *********** *************

     Schneier/BT News

Schneier is speaking at the 30th International Conference of Data 
Protection and Privacy Commissioners on 15 October in Strasbourg, France.

Schneier is speaking at the European Security and Information System 
Congress on 17 October in Monaco.

Schneier is speaking at RSA Europe on 28 October in London.

Schneier is speaking at the 22nd Large Installation System 
Administration Conference on 13 November in San Diego, CA.

Schneier was interviewed by Telecom Asia:

Schneier was interviewed by the Irish Times: 

Schneier was interviewed by Dr. Dobb's Journal:

My essay on chemical plants and security for the Guardian.  Nothing I 
haven't said before.

** *** ***** ******* *********** *************

     Taleb on the Limitations of Risk Management

Nice paragraph on the limitations of risk management in this 
occasionally interesting interview with Nicholas Taleb:

"Because then you get a Maginot Line problem. [After World War I, the 
French erected concrete fortifications to prevent Germany from invading 
again -- a response to the previous war, which proved ineffective for 
the next one.] You know, they make sure they solve that particular 
problem, the Germans will not invade from here. The thing you have to be 
aware of most obviously is scenario planning, because typically if you 
talk about scenarios, you'll overestimate the probability of these 
scenarios. If you examine them at the expense of those you don't 
examine, sometimes it has left a lot of people worse off, so scenario 
planning can be bad. I'll just take my track record. Those who did 
scenario planning have not fared better than those who did not do 
scenario planning. A lot of people have done some kind of "make-sense" 
type measures, and that has made them more vulnerable because they give 
the illusion of having done your job. This is the problem with risk 
management. I always come back to a classical question. Don't give a 
fool the illusion of risk management. Don't ask someone to guess the 
number of dentists in Manhattan after asking him the last four digits of 
his Social Security number. The numbers will always be correlated. I 
actually did some work on risk management, to show how stupid we are 
when it comes to risk." 

** *** ***** ******* *********** *************

     "New Attack" Against Encrypted Images

In a blatant attempt to get some PR, a researcher at PMC Ciphers has 
figured out that encrypting data with ECB mode results in ciphertext 

Yeah, we already knew that.

And -1 point for a security company requiring the use of JavaScript, and 
not failing gracefully for a browser that doesn't have it enabled.  And 
-- ahem -- what is it with that photograph in the paper?  Couldn't the 
researchers have found something a little less adolescent?

For the record, I doghoused PMC Ciphers back in 2003:  "PMC Ciphers. The 
theory description is so filled with pseudo-cryptography that it's funny 
to read. Hypotheses are presented as conclusions. Current research is 
misstated or ignored. The first link is a technical paper with four 
references, three of them written before 1975. Who needs thirty years of 
cryptographic research when you have polymorphic cipher theory?"

I didn't realize it at the time, but PMC Ciphers responded to my 
doghousing them.  Funny stuff. 

Doghouse and response: 

When I posted this on my blog, three new commenters using dialups at the 
same German ISP showed up to defend the paper.  What are the odds?

** *** ***** ******* *********** *************

     Nonviolent Activists Are Now Terrorists

This is an abomination:  "The Maryland State Police classified 53 
nonviolent activists as terrorists and entered their names and personal 
information into state and federal databases that track terrorism 
suspects, the state police chief acknowledged yesterday."

Why did they do that?  "Both Hutchins and Sheridan said the activists' 
names were entered into the state police database as terrorists partly 
because the software offered limited options for classifying entries."

I know that once we had this "either you're with us or with the 
terrorists" mentality, but don't you think that -- just maybe -- the 
software should allow for a little bit more nuance? 

** *** ***** ******* *********** *************

     Does Risk Management Make Sense?

We engage in risk management all the time, but it only makes sense if we 
do it right.

"Risk management" is just a fancy term for the cost-benefit tradeoff 
associated with any security decision. It's what we do when we react to 
fear, or try to make ourselves feel secure. It's the fight-or-flight 
reflex that evolved in primitive fish and remains in all vertebrates. 
It's instinctual, intuitive and fundamental to life, and one of the 
brain's primary functions.

Some have hypothesized that humans have a "risk thermostat" that tries 
to maintain some optimal risk level. It explains why we drive our 
motorcycles faster when we wear a helmet, or are more likely to take up 
smoking during wartime. It's our natural risk management in action.

The problem is our brains are intuitively suited to the sorts of risk 
management decisions endemic to living in small family groups in the 
East African highlands in 100,000 BC, and not to living in the New York 
City of 2008. We make systematic risk management mistakes -- 
miscalculating the probability of rare events, reacting more to stories 
than data, responding to the feeling of security rather than reality, 
and making decisions based on irrelevant context. And that risk 
thermostat of ours? It's not nearly as finely tuned as we might like it 
to be.

Like a rabbit that responds to an oncoming car with its default predator 
avoidance behavior -- dart left, dart right, dart left, and at the last 
moment jump -- instead of just getting out of the way, our Stone Age 
intuition doesn't serve us well in a modern technological society. So 
when we in the security industry use the term "risk management," we 
don't want you to do it by trusting your gut. We want you to do risk 
management consciously and intelligently, to analyze the tradeoff and 
make the best decision.

This means balancing the costs and benefits of any security decision -- 
buying and installing a new technology, implementing a new procedure or 
forgoing a common precaution. It means allocating a security budget to 
mitigate different risks by different amounts. It means buying insurance 
to transfer some risks to others. It's what businesses do, all the time, 
about everything. IT security has its own risk management decisions, 
based on the threats and the technologies.

There's never just one risk, of course, and bad risk management 
decisions often carry an underlying tradeoff. Terrorism policy in the 
U.S. is based more on politics than actual security risk, but the 
politicians who make these decisions are concerned about the risks of 
not being re-elected.

Many corporate security decisions are made to mitigate the risk of 
lawsuits rather than address the risk of any actual security breach. And 
individuals make risk management decisions that consider not only the 
risks to the corporation, but the risks to their departments' budgets, 
and to their careers.

You can't completely remove emotion from risk management decisions, but 
the best way to keep risk management focused on the data is to formalize 
the methodology. That's what companies that manage risk for a living -- 
insurance companies, financial trading firms and arbitrageurs -- try to 
do. They try to replace intuition with models, and hunches with 

The problem in the security world is we often lack the data to do risk 
management well. Technological risks are complicated and subtle. We 
don't know how well our network security will keep the bad guys out, and 
we don't know the cost to the company if we don't keep them out. And the 
risks change all the time, making the calculations even harder. But this 
doesn't mean we shouldn't try.

You can't avoid risk management; it's fundamental to business just as to 
life. The question is whether you're going to try to use data or whether 
you're going to just react based on emotions, hunches and anecdotes.

This essay appeared as the first half of a point-counterpoint with 
Marcus Ranum in Information Security magazine.,289498,sid14_gci1332745,00.html?

** *** ***** ******* *********** *************

     Comments from Readers

There are hundreds of comments -- many of them interesting -- on these 
topics on my blog. Search for the story you want to comment on, and join in.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing 
summaries, analyses, insights, and commentaries on security: computer 
and otherwise.  You can subscribe, unsubscribe, or change your address 
on the Web at <>.  Back issues 
are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to 
colleagues and friends who will find it valuable.  Permission is also 
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the 
best sellers "Beyond Fear," "Secrets and Lies," and "Applied 
Cryptography," and an inventor of the Blowfish and Twofish algorithms. 
He is the Chief Security Technology Officer of BT (BT acquired 
Counterpane in 2006), and is on the Board of Directors of the Electronic 
Privacy Information Center (EPIC).  He is a frequent writer and lecturer 
on security topics.  See <>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not 
necessarily those of BT.

Copyright (c) 2008 by Bruce Schneier.

----- End forwarded message -----
Eugen* Leitl <a href="">leitl</a>
ICBM: 48.07100, 11.36820
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list