From: owner-roc-digest@lists.xmission.com (roc-digest)
To: roc-digest@lists.xmission.com
Subject: roc-digest V2 #470
Reply-To: roc-digest
Sender: owner-roc-digest@lists.xmission.com
Errors-To: owner-roc-digest@lists.xmission.com
Precedence: bulk

roc-digest        Wednesday, October 3 2001        Volume 02 : Number 470

----------------------------------------------------------------------

Date: Thu, 27 Sep 2001 02:02:38 -0700
From: Bill Vance
Subject: On the Positive Side (fwd)

From: "Huck"
Subject: Fw: On the Positive Side
Date: Wed, 26 Sep 2001 22:08:40 -0400

- ----- Original Message -----
From: "Robert Berry"
Sent: Wednesday, September 26, 2001 10:01 PM
Subject: On the Positive Side

> > By now everyone has been hearing the death toll rise and reports of the destruction from the terrorist attacks on the US. These were deplorable acts that we will never forget. But now is a time to look at the other side of the numbers coming out of New York, Washington and Pennsylvania.
> >
> > The sad but somewhat uplifting side that the mainstream media has not reported yet - the SURVIVAL rates and some positive news about the attacks.
> >
> > *** The Buildings ***
> >
> > The World Trade Center -
> > The twin towers of the World Trade Center were places of employment for some 50,000 people. With the missing list of just over 5,000 people, that means 90% of the people targeted survived the attack. A 90% on a test is an 'A'.
> >
> > The Pentagon -
> > Some 23,000 people were the target of a third plane aimed at the Pentagon. The latest count shows that only 123 lost their lives. That is an amazing 99.5% survival rate. In addition, the plane seems to have come in too low and too early to affect a large portion of the building. On top of that, the section that was hit was the first of five sections to undergo renovations that would help protect the Pentagon from terrorist attacks. It had recently completed straightening and blastproofing, saving untold lives. This attack was sad, but a statistical failure.
> >
> > *** The Planes ***
> >
> > American Airlines Flight 77 -
> > The Boeing 757 that was flown into the outside of the Pentagon could have carried up to 289 people, yet only 64 were aboard. Luckily 78% of the seats were empty.
> >
> > American Airlines Flight 11 -
> > This Boeing 767 could have had up to 351 people aboard, but carried only 92. Thankfully 74% of the seats were unfilled.
> >
> > United Airlines Flight 175 -
> > Another Boeing 767 that could have sat 351 people only had 65 people on board. Fortunately it was 81% empty.
> >
> > United Airlines Flight 93 -
> > This Boeing 757 was one of the most uplifting stories yet. The smallest flight to be hijacked with only 45 people aboard out of a possible 289 had 84% of its capacity unused. Yet these people stood up to the attackers and thwarted a fourth attempted destruction of a national landmark, saving untold numbers of lives in the process.
> >
> > *** In Summary ***
> >
> > Out of potentially 74,280 Americans directly targeted by these inept cowards, 93% survived or avoided the attacks. That's a higher survival rate than heart attacks, breast cancer, kidney transplants and liver transplants - all common, survivable illnesses.
> >
> > The hijacked planes were mostly empty, the Pentagon was hit at its strongest point, the overwhelming majority of people in the World Trade Center buildings escaped, and a handful of passengers gave the ultimate sacrifice to save even more lives.
> >
> > Pass this information on to those in fear and the media. Don't fear these terrorists. The odds are against them.

- --
- ----------------------------------------------------------------------------
RKBA!        ***** Blessings On Thee, Oh Israel! *****          RKBA!
- ----------------+----------+--------------------------+---------------------
An _EFFECTIVE_  | Insured  | All matter is vibration. | Let he who hath no
weapon in every | by COLT; |    -- Max Planck         | weapon sell his
hand = Freedom  | DIAL     | In the beginning was the | garment and buy a
on every side!  | 1911-A1. | word. -- The Bible       | sword.--Jesus Christ
- ----------------+----------+--------------------------+---------------------
Constitutional Government is dead, LONG LIVE THE CONSTITUTION!!!!!
- ----------------------------------------------------------------------------

- - ------------------------------

Date: Sat, 29 Sep 2001 12:52:00 -0700
From: Bill Vance
Subject: Is the Bill of Rights "anti-government" (fwd)

From: Rich Martin
Subject: Is the Bill of Rights "anti-government"
Date: Sat, 29 Sep 2001 00:27:01 -0700 (PDT)

On Fri, 28 Sep 2001 21:11:30 -0500, Jerry King wrote:

QUESTION TO THE MEDIA
is the Bill of Rights "anti-government" too?
Dorothy Anne Seese 09.10.01

-------------------------------------------------------------------

This is a general question to those reporters and editorialists who love to toss around the phrase "anti-government" when citizens or citizens groups challenge their individual, property or other rights when a government agency takes action.

The Bill of Rights states what powers and rights belong to the people, upon which the government may not trespass. Does that make the Bill of Rights "anti-government?"

If not, why not?

Why is it that individuals and groups who assert their rights under the Bill of Rights become "anti-government"? The Bill of Rights gives to us, as citizens, certain rights upon which the government may not infringe, and when we assert those rights, you, the media, immediately attach to us the label "anti-government."

If the Bill of Rights gives us our rights, and it is still the law of the land, then are you guilty of libel when you label people who invoke such rights as "anti-government"?
Maybe that's one that should be tested in a court of law. You're banking on the lack of funding behind people's groups to keep them out of a court of law in such tests, or you, the media, would not be so careless about the invective with which you label people who merely stand up for what our founding fathers gave us to protect us from government oppression.

You use your First Amendment rights of freedom of the press. If some of us use our right of freedom of speech, we're "anti-government."

Dual standard for the fourth estate versus the common man? Or is it just that you, the liberal media, are so bent on taking our Bill of Rights away from us that short of labeling the Bill of Rights itself as "anti-government" you attach the label to those of us who dare .... dare ... to defend our rights against government intrusion?

Do you, the media, realize that fully two-thirds of the laws now on the books in the United States would likely be declared unconstitutional if put to the test by a fair and just Supreme Court? That if we had elected constitutionally-conscious representatives as our lawmakers, such laws would not be laws today?

Or is that an anti-government question?

Your freedom of the press is abused by your use of it to intimidate, label, libel and malign United States citizens who invoke their constitutional rights. Pravda could do no better, and Xinhua, the state-controlled Chinese press, could do no worse!

Is it any wonder that thinking Americans are turning to certain cable networks in the hope of obtaining honest information rather than biased reporting?

Is it any wonder that newspaper circulation is dropping like a rock while internet news thrives?

We not only need an honest government in this nation, we need an honest national media system, and if we had the latter, we might have the former!

Now take the above and shove it down your anti-constitutional presses and think before you write or blather on the airwaves.

I just exercised my First Amendment right of freedom of speech.

--------------------------------------------------------------------

> You can contact Dorothy at "Dorothy A. Seese"

Cut out the middlemen.
Send your donation to:

Boy Scouts of America National HQ
1329 Walnut Hill Ln.
Irving, TX 75162
http://www.SaveOurScouts.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- - ------------------------------

Date: Sat, 29 Sep 2001 17:24:38 -0400
From: Tom Cloyes
Subject: Re: Is the Bill of Rights "anti-government" (fwd)

This is a great piece, but she makes one glaring error, the Bill of Rights does not give us any rights, it is an instrument to tell government what Rights we reserve that they may not engage in legislating upon.

Tom

At 12:52 9/29/01 -0700, you wrote:
> From: Rich Martin
> Subject: Is the Bill of Rights "anti-government"
> Date: Sat, 29 Sep 2001 00:27:01 -0700 (PDT)
>
> On Fri, 28 Sep 2001 21:11:30 -0500, Jerry King wrote:
>
> QUESTION TO THE MEDIA
> is the Bill of Rights "anti-government" too?
> Dorothy Anne Seese 09.10.01
>
> -------------------------------------------------------------------
>
> This is a general question to those reporters and editorialists who love to toss around the phrase "anti-government" when citizens or citizens groups challenge their individual, property or other rights when a government agency takes action.
>
> The Bill of Rights states what powers and rights belong to the people, upon which the government may not trespass. Does that make the Bill of Rights "anti-government?"
>
> If not, why not?
>
> Why is it that individuals and groups who assert their rights under the Bill of Rights become "anti-government"? The Bill of Rights gives to us, as citizens, certain rights upon which the government may not infringe, and when we assert those rights, you, the media, immediately attach to us the label "anti-government."
>
> If the Bill of Rights gives us our rights, and it is still the law of the land, then are you guilty of libel when you label people who invoke such rights as "anti-government"? Maybe that's one that should be tested in a court of law. You're banking on the lack of funding behind people's groups to keep them out of a court of law in such tests, or you, the media, would not be so careless about the invective with which you label people who merely stand up for what our founding fathers gave us to protect us from government oppression.
>
> You use your First Amendment rights of freedom of the press. If some of us use our right of freedom of speech, we're "anti-government."
>
> Dual standard for the fourth estate versus the common man? Or is it just that you, the liberal media, are so bent on taking our Bill of Rights away from us that short of labeling the Bill of Rights itself as "anti-government" you attach the label to those of us who dare .... dare ... to defend our rights against government intrusion?
>
> Do you, the media, realize that fully two-thirds of the laws now on the books in the United States would likely be declared unconstitutional if put to the test by a fair and just Supreme Court? That if we had elected constitutionally-conscious representatives as our lawmakers, such laws would not be laws today?
>
> Or is that an anti-government question?
>
> Your freedom of the press is abused by your use of it to intimidate, label, libel and malign United States citizens who invoke their constitutional rights. Pravda could do no better, and Xinhua, the state-controlled Chinese press, could do no worse!
>
> Is it any wonder that thinking Americans are turning to certain cable networks in the hope of obtaining honest information rather than biased reporting?
>
> Is it any wonder that newspaper circulation is dropping like a rock while internet news thrives?
>
> We not only need an honest government in this nation, we need an honest national media system, and if we had the latter, we might have the former!
>
> Now take the above and shove it down your anti-constitutional presses and think before you write or blather on the airwaves.
>
> I just exercised my First Amendment right of freedom of speech.
>
> --------------------------------------------------------------------
>
> > You can contact Dorothy at "Dorothy A. Seese"
>
> Cut out the middlemen.
> Send your donation to:
>
> Boy Scouts of America National HQ
> 1329 Walnut Hill Ln.
> Irving, TX 75162
> http://www.SaveOurScouts.com
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- - ------------------------------

Date: Sat, 29 Sep 2001 23:34:00 -0700
From: Bill Vance
Subject: Ron Paul and Bob Smith Airline legislation (fwd)

From: Howard Rothenburg
Subject: Ron Paul and Bob Smith Airline legislation
Date: Sun, 30 Sep 2001 01:08:13 -0400 (EDT)

Gun Owners of America E-Mail/FAX Alert
8001 Forbes Place, Suite 102, Springfield, VA 22151
Phone: 703-321-8585 / FAX: 703-321-8408
http://www.gunowners.org

ACTION: Please contact your two senators and ask them to cosponsor Sen. Bob Smith's legislation, S. 1463. Do not accept a non-committal reply. Demand to know whether your senators will cosponsor the bill. Call 202-224-3121 -- to identify your senators, as well as to send a pre-written message via e-mail, see the Legislative Action Center at http://www.gunowners.org/activism.htm on the GOA website.

(Wednesday, September 26, 2001) -- It appears that the crusade for concealed carry is gaining momentum -- especially as it applies to pilots. Here's what has happened in the last two weeks:

* Rep. Ron Paul (R-TX) introduced H.R. 2896 to let pilots carry guns on airplanes for the purpose of defending not only the lives of their passengers, but other innocent civilians as well.

* Pilots, en masse, are speaking out in favor of this legislation.

* The Air Line Pilots Association has even petitioned Congress, asking the legislature to let pilots carry guns.

* Web polls, such as one conducted by CNN with over 100,000 votes, are finding that the overwhelming majority of the public (72%) favors arming pilots.

And now, Senator Bob Smith (R-NH) has introduced S. 1463 to accompany the Paul legislation. Similar to the House bill, the language of S.
1463 is sufficiently flexible so that it would overturn the current FAA regulation encouraging airlines to veto firearms for pilots. In addition, it would preempt a rumored FAA regulation which would absolutely outlaw firearms in the hands of pilots.

Sen. Smith is prepared to force a vote on his language as soon as the number and range of Senate cosponsors suggest that the language would prevail in a Senate vote. Therefore, it is imperative that we get a massive number of cosponsors on this bill.

IMPORTANT NOTE TO PILOTS: Your role is critical in this battle. Please make sure that you contact your two senators and that you ask your fellow pilots to do the same. If possible, arrange for a meeting with your senators so that you and a couple of other pilots can meet with them.

DEBUNKING THE MYTHS OF GUNS ON PLANES

One objection that Senate offices may throw at you is this supposed idea that a bullet hole in an airplane's hull can cause catastrophic depressurization or cause the ship to crash.

First, one should note that such an argument against pilots carrying guns would also apply to Federal Air Marshals. But the fact is, pre-fragmented ammo can minimize the supposed risks of a bullet puncturing a plane's hull.

Having said that, writer David Kopel (along with author and pilot, Captain David Petteys) notes that the risks related to the hull being punctured are greatly exaggerated. In a recent National Review Online article dated September 16, they state, "There is only one known instance in which a bullet hole in an aircraft frame yanked objects across the plane, expanded, and sucked a person out into the sky. That was the James Bond movie Goldfinger. The movie was not intended to teach real-life lessons about physics." (Go to http://www.nationalreview.com/kopel/kopel091401.shtml to read the entire article.)

Aircraft engineers have likewise downplayed the ability of a few bullets to depressurize a plane. "If one round, or two or three for that matter pierce the skin [of a plane]," says Dan Todd, a licensed aircraft engineer for 20 years, "it's not necessarily catastrophic." Todd says that in such a case, "air will go whistling out the hole, and the outflow valve will close a little further to maintain the desired cabin pressure." Another engineer notes that "a Boeing 747 can lose five cabin windows and maintain cabin pressure." (Go to https://www.keepandbeararms.com/information/XcIBViewItem.asp?ID=2474 for articles dispelling myths relating to guns & planes.)

If you are not currently receiving the full GOA membership benefits (such as The Gun Owners newsletter in the mail), go to http://www.gunowners.org/ordergoamem.htm on the web to sign up; or call toll-free at 1-888-886-GUNS. GOA's upcoming newsletter will be a SPECIAL ISSUE entirely devoted to this month's bombing, and will include some of the best commentary on the myths and realities of allowing guns on planes.

- ----- Pre-written letter -----

Dear Senator:

Senator Bob Smith has introduced one of the most important bills this Congress. S. 1463 will help drive a stake into the heart of terrorism by virtually guaranteeing that no American airplane will ever be skyjacked again.

S. 1463 will allow pilots to carry guns onto a plane, and thus, allow them to not only protect the lives of their passengers, but the lives of other innocent civilians as well. I urge you to cosponsor this legislation right away.

At a time when Americans are fearful of flying and the airlines are laying off workers by the thousands; at a time when the economic aftershocks of the September 11 skyjackings are still reverberating on Wall Street; it is high time to ensure the absolute safety of airline passengers.

Please don't believe those fear-mongers who would peddle the Hollywood myth that a bullet hole in a plane's hull can cause catastrophic depressurization or force the aircraft to crash. That is science fiction. Think about all the military planes that, in the midst of battle, have been riddled with dozens of bullets and continued flying -- only to land safely miles away.

As noted by author David Kopel and pilot Captain Petteys: "There is only one known instance in which a bullet hole in an aircraft frame yanked objects across the plane, expanded, and sucked a person out into the sky. That was the James Bond movie Goldfinger. The movie was not intended to teach real-life lessons about physics."

Kopel also quotes retired Air Force General James Chambers who points out that "the Air Force has plenty of pressurized planes, such as AWACS, which are able to sustain penetration/damage from bullets from enemy fighter jet machine guns."

It is imperative that America not continue its current policy of making airplanes into gun free zones. America is rejecting this idea. The Air Line Pilots Association supports arming pilots. According to a CNN web poll, 72% of the American public supports arming pilots.

The Smith legislation may be the most important bill you cosponsor this year. Again, I urge you to sign on to S. 1463. Gun Owners of America will keep me abreast as to who is signing on to this bill. Thank you.

Sincerely,

- - ------------------------------

Date: Wed, 03 Oct 2001 06:01:16 -0500
From: linzellr@datastar.net (Robert Linzell)
Subject: Fwd: CRYPTO-GRAM SPECIAL ISSUE, September 30, 2001 (1 of 3)

Subject: CRYPTO-GRAM SPECIAL ISSUE, September 30, 2001
Date: Sun, 30 Sep 2001 20:10:57 -0500
From: Bruce Schneier
To: crypto-gram@chaparraltree.com

CRYPTO-GRAM

September 30, 2001

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer and network security.

Back issues are available at . To subscribe, visit or send a blank message to crypto-gram-subscribe@chaparraltree.com.

Copyright (c) 2001 by Counterpane Internet Security, Inc.

** *** ***** ******* *********** *************

This is a special issue of Crypto-Gram, devoted to the September 11 terrorist attacks and their aftermath.

Please distribute this issue widely.

In this issue:
     The Attacks
     Airline Security Regulations
     Biometrics in Airports
     Diagnosing Intelligence Failures
     Regulating Cryptography
     Terrorists and Steganography
     News
     Protecting Privacy and Liberty
     How to Help

** *** ***** ******* *********** *************

The Attacks

Watching the television on September 11, my primary reaction was amazement.

The attacks were amazing in their diabolicalness and audacity: to hijack fuel-laden commercial airliners and fly them into buildings, killing thousands of innocent civilians. We'll probably never know if the attackers realized that the heat from the jet fuel would melt the steel supports and collapse the World Trade Center. It seems probable that they placed advantageous trades on the world's stock markets just before the attack. No one planned for an attack like this. We like to think that human beings don't make plans like this.

I was impressed when al-Qaeda simultaneously bombed two American embassies in Africa. I was more impressed when they blew a 40-foot hole in an American warship. This attack makes those look like minor operations.

The attacks were amazing in their complexity. Estimates are that the plan required about 50 people, at least 19 of them willing to die. It required training. It required logistical support. It required coordination. The sheer scope of the attack seems beyond the capability of a terrorist organization.

The attacks rewrote the hijacking rule book. Responses to hijackings are built around this premise: get the plane on the ground so negotiations can begin. That's obsolete now.

They rewrote the terrorism book, too. Al-Qaeda invented a new type of attacker. Historically, suicide bombers are young, single, fanatical, and have nothing to lose. These people were older and more experienced. They had marketable job skills. They lived in the U.S.: watched television, ate fast food, drank in bars. One left a wife and four children.

It was also a new type of attack. One of the most difficult things about a terrorist operation is getting away. This attack neatly solved that problem. It also solved the technological problem. The United States spends billions of dollars on remote-controlled precision-guided munitions; al-Qaeda just finds morons willing to fly planes into skyscrapers.

Finally, the attacks were amazing in their success. They weren't perfect. We know that 100% of the attempted hijackings were successful, and 75% of the hijacked planes successfully hit their targets. We don't know how many planned hijackings were aborted for one reason or another. What's most amazing is that the plan wasn't leaked. No one successfully defected. No one slipped up and gave the plan away. Al-Qaeda had assets in the U.S. for months, and managed to keep the plan secret. Often law enforcement has been lucky here; in this case we weren't.

Rarely do you see an attack that changes the world's conception of attack, as these terrorist attacks changed the world's conception of what a terrorist attack can do. Nothing they did was novel, yet the attack was completely new. And our conception of defense must change as well.

** *** ***** ******* *********** *************

Airline Security Regulations

Computer security experts have a lot of expertise that can be applied to the real world. First and foremost, we have well-developed senses of what security looks like. We can tell the difference between real security and snake oil. And the new airport security rules, put in place after September 11, look and smell a whole lot like snake oil.

All the warning signs are there: new and unproven security measures, no real threat analysis, unsubstantiated security claims. The ban on cutting instruments is a perfect example. It's a knee-jerk reaction: the terrorists used small knives and box cutters, so we must ban them. And nail clippers, nail files, cigarette lighters, scissors (even small ones), tweezers, etc. But why isn't anyone asking the real questions: what is the threat, and how does turning an airplane into a kindergarten classroom reduce the threat? If the threat is hijacking, then the countermeasure doesn't protect against all the myriad of ways people can subdue the pilot and crew. Hasn't anyone heard of karate? Or broken bottles? Think about hiding small blades inside luggage. Or composite knives that don't show up on metal detectors.

Parked cars now must be 300 feet from airport gates. Why? What security problem does this solve? Why doesn't the same problem imply that passenger drop-off and pick-up should also be that far away? Curbside check-in has been eliminated. What's the threat that this security measure has solved? Why, if the new threat is hijacking, are we suddenly worried about bombs?

The rule limiting concourse access to ticketed passengers is another one that confuses me.
What exactly is the threat here? Hijackers have to be on the planes they're trying to hijack to carry out their attack, so they have to have tickets. And anyone can call Priceline.com and "name their own price" for concourse access.

Increased inspections -- of luggage, airplanes, airports -- seem like a good idea, although it's far from perfect. The biggest problem here is that the inspectors are poorly paid and, for the most part, poorly educated and trained. Other problems include the myriad ways to bypass the checkpoints -- numerous studies have found all sorts of violations -- and the impossibility of effectively inspecting everybody while maintaining the required throughput. Unidentified armed guards on select flights is another mildly effective idea: it's a small deterrent, because you never know if one is on the flight you want to hijack.

Positive bag matching -- ensuring that a piece of luggage does not get loaded on the plane unless its owner boards the plane -- is actually a good security measure, but assumes that bombers have self-preservation as a guiding force. It is completely useless against suicide bombers.

The worst security measure of them all is the photo ID requirement. This solves no security problem I can think of. It doesn't even identify people; any high school student can tell you how to get a fake ID. The requirement for this invasive and ineffective security measure is secret; the FAA won't send you the written regulations if you ask. Airlines are actually more stringent about this than the FAA requires, because the "security" measure solves a business problem for them.

The real point of photo ID requirements is to prevent people from reselling tickets. Nonrefundable tickets used to be regularly advertised in the newspaper classifieds. Ads would read something like "Round trip, Boston to Chicago, 11/22 - 11/30, female, $50." Since the airlines didn't check ID but could notice gender, any female could buy the ticket and fly the route. Now this doesn't work. The airlines love this; they solved a problem of theirs, and got to blame the solution on FAA security requirements.

Airline security measures are primarily designed to give the appearance of good security rather than the actuality. This makes sense, once you realize that the airlines' goal isn't so much to make the planes hard to hijack, as to make the passengers willing to fly. Of course airlines would prefer it if all their flights were perfectly safe, but actual hijackings and bombings are rare events and they know it.

This is not to say that all airport security is useless, and that we'd be better off doing nothing. All security measures have benefits, and all have costs: money, inconvenience, etc. I would like to see some rational analysis of the costs and benefits, so we can get the most security for the resources we have.

One basic snake-oil warning sign is the use of self-invented security measures, instead of expert-analyzed and time-tested ones. The closest the airlines have to experienced and expert analysis is El Al. Since 1948 they have been operating in and out of the most heavily terroristic areas of the planet, with phenomenal success. They implement some pretty heavy security measures. One thing they do is have reinforced, locked doors between their airplanes' cockpit and the passenger section. (Notice that this security measure is 1) expensive, and 2) not immediately perceptible to the passenger.) Another thing they do is place all cargo in decompression chambers before takeoff, to trigger bombs set to sense altitude. (Again, this is 1) expensive, and 2) imperceptible, so unattractive to American airlines.) Some of the things El Al does are so intrusive as to be unconstitutional in the U.S., but they let you take your pocketknife on board with you.

Airline security:

FAA on new security rules:

A report on the rules' effectiveness:

El Al's security measures:

More thoughts on this topic:

Two secret FAA documents on photo ID requirement, in text and GIF:

Passenger profiling:

A CATO Institute report: "The Cost of Antiterrorist Rhetoric," written well before September 11:

I don't know if this is a good idea, but at least someone is thinking about the problem:

** *** ***** ******* *********** *************

Biometrics in Airports

You have to admit, it sounds like a good idea. Put cameras throughout airports and other public congregation areas, and have automatic face-recognition software continuously scan the crowd for suspected terrorists. When the software finds one, it alerts the authorities, who swoop down and arrest the bastards. Voila, we're safe once again.

Reality is a lot more complicated; it always is. Biometrics is an effective authentication tool, and I've written about it before. There are three basic kinds of authentication: something you know (password, PIN code, secret handshake), something you have (door key, physical ticket into a concert, signet ring), and something you are (biometrics). Good security uses at least two different authentication types: an ATM card and a PIN code, computer access using both a password and a fingerprint reader, a security badge that includes a picture that a guard looks at. Implemented properly, biometrics can be an effective part of an access control system.

I think it would be a great addition to airport security: identifying airline and airport personnel such as pilots, maintenance workers, etc. That's a problem biometrics can help solve. Using biometrics to pick terrorists out of crowds is a different kettle of fish.

In the first case (employee identification), the biometric system has a straightforward problem: does this biometric belong to the person it claims to belong to?
In the latter case (picking terrorists out of crowds), the system needs to solve a much harder problem: does this biometric belong to anyone in this large database of people? The difficulty of the latter problem increases the complexity of the identification, and leads to identification failures.

Setting up the system is different for the two applications. In the first case, you can unambiguously know the reference biometric belongs to the correct person. In the latter case, you need to continually worry about the integrity of the biometric database. What happens if someone is wrongfully included in the database? What kind of right of appeal does he have?

Getting reference biometrics is different, too. In the first case, you can initialize the system with a known, good biometric. If the biometric is face recognition, you can take good pictures of new employees when they are hired and enter them into the system. Terrorists are unlikely to pose for photo shoots. You might have a grainy picture of a terrorist, taken five years ago from 1000 yards away when he had a beard. Not nearly as useful.

But even if all these technical problems were magically solved, it's still very difficult to make this kind of system work. The hardest problem is the false alarms. To explain why, I'm going to have to digress into statistics and explain the base rate fallacy.

Suppose this magically effective face-recognition software is 99.99 percent accurate. That is, if someone is a terrorist, there is a 99.99 percent chance that the software indicates "terrorist," and if someone is not a terrorist, there is a 99.99 percent chance that the software indicates "non-terrorist." Assume that one in ten million flyers, on average, is a terrorist. Is the software any good?

No. The software will generate 1000 false alarms for every one real terrorist. And every false alarm still means that all the security people go through all of their security procedures.
Because the population of non-terrorists is so much larger than the number of terrorists, the test is useless. This result is counterintuitive and surprising, but it is correct. The false alarms in this kind of system render it mostly useless. It's "The Boy Who Cried Wolf" increased 1000-fold.

I say mostly useless, because it would have some positive effect. Once in a while, the system would correctly finger a frequent-flyer terrorist. But it's a system that has enormous costs: money to install, manpower to run, inconvenience to the millions of people incorrectly identified, successful lawsuits by some of those people, and a continued erosion of our civil

- - ------------------------------

Date: Wed, 03 Oct 2001 06:01:25 -0500
From: linzellr@datastar.net (Robert Linzell)
Subject: Fwd: CRYPTO-GRAM SPECIAL ISSUE, September 30, 2001 (2 of 3)

liberties. And all the false alarms will inevitably lead those managing the system to distrust its results, leading to sloppiness and potentially costly mistakes.

Ubiquitous harvesting of biometrics might sound like a good idea, but I just don't think it's worth it.

Phil Agre on face-recognition biometrics:
My original essay on biometrics:
Face recognition useless in airports:
According to a DARPA study, to detect 90 per cent of terrorists we'd need to raise an alarm for one in every three people passing through the airport.
A company that is pushing this idea:
A version of this article was published here:

** *** ***** ******* *********** *************

Diagnosing Intelligence Failures

It's clear that U.S. intelligence failed to provide adequate warning of the September 11 terrorist attacks, and that the FBI failed to prevent the attacks. It's also clear that there were all sorts of indications that the attacks were going to happen, and that there were all sorts of things that we could have noticed but didn't.
Some have claimed that this was a massive intelligence failure, and that we should have known about and prevented the attacks. I am not convinced.

There's a world of difference between intelligence data and intelligence information. In what I am sure is the mother of all investigations, the CIA, NSA, and FBI have uncovered all sorts of data from their files, data that clearly indicates that an attack was being planned. Maybe it even clearly indicates the nature of the attack, or the date. I'm sure lots of information is there, in files, intercepts, computer memory.

Armed with the clarity of hindsight, it's easy to look at all the data and point to what's important and relevant. It's even easy to take all that important and relevant data and turn it into information. And it's real easy to take that information and construct a picture of what's going on.

It's a lot harder to do before the fact. Most data is irrelevant, and most leads are false ones. How does anyone know which is the important one, that effort should be spent on this specific threat and not the thousands of others?

So much data is collected -- the NSA sucks up an almost unimaginable quantity of electronic communications, the FBI gets innumerable leads and tips, and our allies pass all sorts of information to us -- that we can't possibly analyze it all. Imagine terrorists are hiding plans for attacks in the text of books in a large university library; you have no idea how many plans there are or where they are, and the library expands faster than you can possibly read it. Deciding what to look at is an impossible task, so a lot of good intelligence goes unlearned.

We also don't have any context to judge the intelligence effort. How many terrorist attempts have been thwarted in the past year? How many groups are being tracked? If the CIA, NSA, and FBI succeed, no one ever knows. It's only in failure that they get any recognition.

And it was a failure. Over the past couple of decades, the U.S.
has relied more and more on high-tech electronic eavesdropping (SIGINT and COMINT) and less and less on old fashioned human intelligence (HUMINT). This only makes the analysis problem worse: too much data to look at, and not enough real-world context. Look at the intelligence failures of the past few years: failing to predict India's nuclear test, or the attack on the USS Cole, or the bombing of the two American embassies in Africa; concentrating on Wen Ho Lee to the exclusion of the real spies, like Robert Hanssen.

But whatever the reason, we failed to prevent this terrorist attack. In the post mortem, I'm sure there will be changes in the way we collect and (most importantly) analyze anti-terrorist data. But calling this a massive intelligence failure is a disservice to those who are working to keep our country secure.

Intelligence failure is an overreliance on eavesdropping and not enough on human intelligence:
Another view:
Too much electronic eavesdropping only makes things harder:
Israel alerted the U.S. about attacks:
Mostly retracted:

** *** ***** ******* *********** *************

Regulating Cryptography

In the wake of the devastating attacks on New York's World Trade Center and the Pentagon, Senator Judd Gregg and other high-ranking government officials quickly seized on the opportunity to resurrect limits on strong encryption and key escrow systems that ensure government access to encrypted messages.

I think this is a bad move. It will do little to thwart terrorist activities, while at the same time significantly reducing the security of our own critical infrastructure. We've been through these arguments before, but legislators seem to have short memories. Here's why trying to limit cryptography is bad for Internet security.

One, you can't limit the spread of cryptography. Cryptography is mathematics, and you can't ban mathematics. All you can ban is a set of products that use that mathematics, but that is something quite different.
Years ago, during the cryptography debates, an international crypto survey was completed; it listed almost a thousand products with strong cryptography from over a hundred countries. You might be able to control cryptography products in a handful of industrial countries, but that won't prevent criminals from importing them. You'd have to ban them in every country, and even then it won't be enough. Any terrorist organization with a modicum of skill can write its own cryptography software. And besides, what terrorist is going to pay attention to a legal ban?

Two, any controls on the spread of cryptography hurt more than they help. Cryptography is one of the best security tools we have to protect our electronic world from harm: eavesdropping, unauthorized access, meddling, denial of service. Sure, by controlling the spread of cryptography you might be able to prevent some terrorist groups from using cryptography, but you'll also prevent bankers, hospitals, and air-traffic controllers from using it. (And, remember, the terrorists can always get the stuff elsewhere: see my first point.) We've got a lot of electronic infrastructure to protect, and we need all the cryptography we can get our hands on. If anything, we need to make strong cryptography more prevalent if companies continue to put our planet's critical infrastructure online.

Three, key escrow doesn't work. Short refresher: this is the notion that companies should be forced to implement back doors in crypto products such that law enforcement, and only law enforcement, can peek in and eavesdrop on encrypted messages. Terrorists and criminals won't use it. (Again, see my first point.)

Key escrow also makes it harder for the good guys to secure the important stuff. All key-escrow systems require the existence of a highly sensitive and highly available secret key or collection of keys that must be maintained in a secure manner over an extended time period.
These systems must make decryption information quickly accessible to law enforcement agencies without notice to the key owners. Does anyone really think that we can build this kind of system securely? It would be a security engineering task of unbelievable magnitude, and I don't think we have a prayer of getting it right. We can't build a secure operating system, let alone a secure computer and secure network.

Stockpiling keys in one place is a huge risk just waiting for attack or abuse. Whose digital security do you trust absolutely and without question, to protect every major secret of the nation? Which operating system would you use? Which firewall? Which applications? As attractive as it may sound, building a workable key-escrow system is beyond the current capabilities of computer engineering.

Years ago, a group of colleagues and I wrote a paper outlining why key escrow is a bad idea. The arguments in the paper still stand, and I urge everyone to read it. It's not a particularly technical paper, but it lays out all the problems with building a secure, effective, scalable key-escrow infrastructure.

The events of September 11 have convinced a lot of people that we live in dangerous times, and that we need more security than ever before. They're right; security has been dangerously lax in many areas of our society, including cyberspace. As more and more of our nation's critical infrastructure goes digital, we need to recognize cryptography as part of the solution and not as part of the problem.

My old "Risks of Key Recovery" paper:
Articles on this topic:
Al-Qaeda did not use encryption to plan these attacks:
Poll indicates that 72 percent of Americans believe that anti-encryption laws would be "somewhat" or "very" helpful in preventing a repeat of last week's terrorist attacks on New York's World Trade Center and the Pentagon in Washington, D.C. No indication of what percentage actually understood the question.
** *** ***** ******* *********** *************

Terrorists and Steganography

Guess what? Al-Qaeda may use steganography. According to nameless "U.S. officials and experts" and "U.S. and foreign officials," terrorist groups are "hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other Web sites."

I've written about steganography in the past, and I don't want to spend much time retracing old ground. Simply, steganography is the science of hiding messages in messages. Typically, a message (either plaintext or, more cleverly, ciphertext) is encoded as tiny changes to the color of the pixels of a digital photograph. Or in imperceptible noise in an audio file. To the uninitiated observer, it's just a picture. But to the sender and receiver, there's a message hiding in there.

It doesn't surprise me that terrorists are using this trick. The very aspects of steganography that make it unsuitable for normal corporate use make it ideally suited for terrorist use. Most importantly, it can be used in an electronic dead drop.

If you read the FBI affidavit against Robert Hanssen, you learn how Hanssen communicated with his Russian handlers. They never met, but would leave messages, money, and documents for one another in plastic bags under a bridge. Hanssen's handler would leave a signal in a public place -- a chalk mark on a mailbox -- to indicate a waiting package. Hanssen would later collect the package.

That's a dead drop. It has many advantages over a face-to-face meeting. One, the two parties are never seen together. Two, the two parties don't have to coordinate a rendezvous. Three, and most importantly, one party doesn't even have to know who the other one is (a definite advantage if one of them is arrested). Dead drops can be used to facilitate completely anonymous, asynchronous communications.
Using steganography to embed a message in a pornographic image and posting it to a Usenet newsgroup is the cyberspace equivalent of a dead drop. To everyone else, it's just a picture. But to the receiver, there's a message in there waiting to be extracted.

To make it work in practice, the terrorists would need to set up some sort of code. Just as Hanssen knew to collect his package when he saw the chalk mark, a virtual terrorist will need to know to look for his message. (He can't be expected to search every picture.) There are lots of ways to communicate a signal: timestamp on the message, an uncommon word in the subject line, etc. Use your imagination here; the possibilities are limitless.

The effect is that the sender can transmit a message without ever communicating directly with the receiver. There is no e-mail between them, no remote logins, no instant messages. All that exists is a picture posted to a public forum, and then downloaded by anyone sufficiently enticed by the subject line (both third parties and the intended receiver of the secret message).

So, what's a counter-espionage agency to do? There are the standard ways of finding steganographic messages, most of which involve looking for changes in traffic patterns. If Bin Laden is using pornographic images to embed his secret messages, it is unlikely these pictures are being taken in Afghanistan. They're probably downloaded from the Web. If the NSA can keep a database of images (wouldn't that be something?), then they can find ones with subtle changes in the low-order bits. If Bin Laden uses the same image to transmit multiple messages, the NSA could notice that. Otherwise, there's probably nothing the NSA can do. Dead drops, both real and virtual, can't be prevented.

Why can't businesses use this? The primary reason is that legitimate businesses don't need dead drops.
I remember hearing one company talk about a corporation embedding a steganographic message to its salespeople in a photo on the corporate Web page. Why not just send an encrypted e-mail? Because someone might notice the e-mail and know that the salespeople all got an encrypted message. So send a message every day: a real message when you need to, and a dummy message otherwise. This is a traffic analysis problem, and there are other techniques to solve it. Steganography just doesn't apply here.

Steganography is a good way for terrorist cells to communicate, allowing communication without any group knowing the identity of the other. There are other ways to build a dead drop in cyberspace. A spy can sign up for a free, anonymous e-mail account, for example. Bin Laden probably uses those too.

News articles:
My old essay on steganography:
Study claims no steganography on eBay:
Detecting steganography on the Internet:
A version of this essay appeared on ZDnet:

** *** ***** ******* *********** *************

News

- - ------------------------------

End of roc-digest V2 #470
*************************
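The base-rate arithmetic from "Biometrics in Airports" above, worked through with the essay's own figures (99.99 percent accuracy, one terrorist per ten million flyers) and with the DARPA operating point quoted in its link list. This is an added example, not part of the forwarded newsletter; the function names are hypothetical, and reading "an alarm for one in every three people" as a false-alarm rate of 1/3 is an assumption.

```python
from fractions import Fraction


def screening_outcomes(prevalence, detect_rate, false_alarm_rate, population):
    """Expected alarm counts when `population` flyers pass the cameras."""
    targets = prevalence * population
    innocents = population - targets
    true_alarms = detect_rate * targets
    false_alarms = false_alarm_rate * innocents
    return {
        "true_alarms": true_alarms,
        "false_alarms": false_alarms,
        "false_per_true": false_alarms / true_alarms,
        # Probability that a person who triggers an alarm is a real target.
        "ppv": true_alarms / (true_alarms + false_alarms),
    }


def max_false_alarm_rate(prevalence, detect_rate, target_ppv):
    """Bayes' rule solved for the false-alarm rate that yields `target_ppv`."""
    return (detect_rate * prevalence * (1 - target_ppv)) / (
        target_ppv * (1 - prevalence))


PREVALENCE = Fraction(1, 10_000_000)  # essay: one flyer in ten million
ACCURACY = Fraction(9999, 10_000)     # essay: 99.99 percent accurate
FLYERS = 10_000_000


def essay_case():
    """The essay's hypothetical 99.99-percent-accurate system."""
    return screening_outcomes(PREVALENCE, ACCURACY, 1 - ACCURACY, FLYERS)


def darpa_case():
    """90 percent detection; assumed false-alarm rate of one in three."""
    return screening_outcomes(PREVALENCE, Fraction(9, 10), Fraction(1, 3), FLYERS)


if __name__ == "__main__":
    for label, result in (("essay", essay_case()), ("DARPA", darpa_case())):
        print(label,
              "false alarms per real hit:", round(result["false_per_true"]),
              "| chance an alarm is real:", float(result["ppv"]))
    needed = max_false_alarm_rate(PREVALENCE, ACCURACY, Fraction(1, 2))
    print("false-alarm rate needed for a 50/50 alarm:", float(needed))
```

The last figure shows how far the hypothetical system is from being useful: for an alarm to be right even half the time, the false-alarm rate would have to fall from one in ten thousand to roughly one in ten million.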
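The two detection ideas from "Terrorists and Steganography" above, comparing a posted image against an archived reference copy for changes confined to the low-order bits and noticing one cover image reused for several posts, sketched as an added example that is not part of the forwarded newsletter. All function names are hypothetical, and the "images" are constructed random byte strings standing in for raw pixel data.

```python
import hashlib
import random
from collections import defaultdict


def cover_key(pixels: bytes) -> str:
    """Fingerprint of the image with every low-order bit cleared."""
    return hashlib.sha256(bytes(b & 0xFE for b in pixels)).hexdigest()


def compare_to_reference(reference: bytes, suspect: bytes) -> dict:
    """Classify how a posted copy differs from the archived reference."""
    if len(reference) != len(suspect):
        return {"verdict": "different-size", "changed": None}
    diffs = [r ^ s for r, s in zip(reference, suspect) if r != s]
    if not diffs:
        verdict = "identical"
    elif all(d == 1 for d in diffs):
        verdict = "lsb-only"    # every change is confined to bit 0
    else:
        verdict = "other-edit"  # brightness, resampling, recompression, ...
    return {"verdict": verdict, "changed": len(diffs)}


def reused_covers(posts: dict) -> list:
    """Groups of posts that share one cover image but differ in the low bits."""
    groups = defaultdict(dict)
    for name, pixels in posts.items():
        groups[cover_key(pixels)][name] = hashlib.sha256(pixels).hexdigest()
    return [sorted(members) for members in groups.values()
            if len(set(members.values())) > 1]


def build_constructed_posts(seed: int = 2001) -> dict:
    """Constructed sample data: random bytes standing in for raw pixels."""
    rng = random.Random(seed)
    original = bytes(rng.randrange(256) for _ in range(4096))

    def flip_low_bits(pixels, count):
        chosen = set(rng.sample(range(len(pixels)), count))
        return bytes(b ^ 1 if i in chosen else b for i, b in enumerate(pixels))

    return {
        "original": original,
        "post_a": flip_low_bits(original, 300),
        "post_b": flip_low_bits(original, 450),
        "brightened": bytes(min(255, b + 4) for b in original),
        "unrelated": bytes(rng.randrange(256) for _ in range(4096)),
    }


if __name__ == "__main__":
    posts = build_constructed_posts()
    for name, pixels in posts.items():
        print(name, compare_to_reference(posts["original"], pixels))
    print("reused covers:", reused_covers(posts))
```

Both checks depend on the defender already holding the unmodified cover image or seeing it posted more than once, which is the limitation the essay points out.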