According to the EFF blog, customs has taken to randomly searching electronic devices for suspicious data.  It is somewhat mysterious what they are searching them for — given only a few minutes and a technically unskilled border guard doing the searching, it’s hard to imagine them actually finding anything better hidden than a file on the desktop labeled “terroristic threats.doc” and a hyperlink to the Al-Qaeda Homepage.

Thus, from a security perspective, this just isn’t a good idea.  There’s a large tradeoff in inconvenience, delay, and civil liberties violation for a miniscule increase in security.  However, it does get me thinking about an interesting problem — how does one hide data from people inclined to search your electronic devices for it?

A legal search is a totally different kind of threat from a hacker attack.  With a hacker attack, you simply have to keep them out of the data — with a legal attack, you have to hide the existence of the data, as the legal system has at their disposal an additional channel for getting the data — they can subpoena it and demand you disable any protective measures and hand over the data.  Thus, encryption — the primary defense against data disclosure to hackers — is of limited use against a legal attack.  (And note that a “legal attack” doesn’t just mean law enforcement or other rightful authorities — it also means attack via lawsuit.  Abuse of the legal system is not limited to the political administration — competitors and other adversaries can and do use the legal system to get at things they shouldn’t have.  In other words, this information isn’t of value only to criminals — there are a lot of perfectly legitimate reasons to hide data.)

The EFF points out a few possible ways of avoiding scrutiny from customs:

• Create multiple accounts on the machine, and just log in with an account with nothing sensitive in it when asked to log in.  This is basically taking advantage of the lack of technical expertise on the part of the searcher.
• Take only the data you need on the trip — just minimize what there is to find.  This is a good idea anyway, but probably unsatisfactory if you are carrying, say, diplomatic communications.
• Bring no data at all, and when you arrive at your destination, retrieve the information via VPN.  Before flying back, VPN the data back and delete it.
• For sensitive business communications, have the data encrypted by someone else who provides the key only when you arrive at your destination.  This would work to protect the data, but it also means that, being unable to comply with an order to reveal the data, you may just have to miss your flight.

I have two more that they didn’t mention:

• Encrypt the data onto something that is not an “electronic device” subject to search, like a CD-ROM, USB key, or whatever.  It no longer falls under the search provision.  Obviously it could be searched if you were actually arrested or sued, but it gets around this particular issue.
• Use TrueCrypt Hidden Volumes.  Merely hiding an encrypted file on a disk will not hide it from a skilled attacker, because cryptographic data is distinctive.  Statistically, it has a uniform distribution, which makes it look unlike any other kind of data except white noise (random numbers.)  Essentially, it looks so bland and generic that it stands out — because no real data is that essentially devoid of information.  Since nobody keeps a hard disk full of random noise files, if one exists, it must be encrypted data — which means you can be subpoenaed for the key.  TrueCrypt’s hidden volume feature gets around this in a novel way, which I’ll discuss below.

Hidden volumes take advantage of the similarity between random noise & encrypted files.  A section of disk is reserved for an encrypted virtual disk.  When this is created, it is filled with random noise, which is replaced by encrypted data as needed.  The trick is that you can create another encrypted virtual disk inside the first one.  So long as some data is in the “outer” volume (as no one would have a huge encrypted file on their hard drive with nothing in it — it’s not plausible), there is no evidence that the “inner” volume even exists unless you have the key.  The inner volume’s encrypted data blends into the outer volume’s white noise.  Thus, you put slightly-secret data in the outer volume, and really-secret data in the inner volume.  When asked to reveal the key, you reveal the key to the outer volume only, and have plausible deniability of the inner volume’s existence.

As with any countermeasure, though, there are limits.  If you’re hiding from the NSA or some foreign government’s equivalent, just putting a couple TrueCrypt volumes on your laptop’s hard disk will not do the job.  The problem is that the operating system and the applications you use may leave traces that reveal the existence of the inner volume (e.g. Word’s file history notes that you opened a file on Drive F:, when your laptop doesn’t have an F:…)  For extremely sensitive data, it would be necessary to not only put it in a hidden inner volume, but also to only ever access that inner volume from an ephemeral operating system (e.g. a LiveCD, or an OS you boot off a USB key and load into a RAMdisk.)  If the OS you use never makes any changes to the disk outside the encrypted volume, evidence of the volume remains hidden.  You would of course want a normal OS and outer volume to be present and used, for plausible deniability to be present (as, once again, it’s not reasonable to have a laptop with only random noise on the hard drive.)  You would also want to access the outer volume with the laptop’s native OS after any session in which you accessed the inner volume (as otherwise the access date on the encrypted file could be newer than the last boot date on the OS, once again leaving a breadcrumb trail.)

And all this makes me wonder once again what the government plans to get out of casually searching the data on laptop hard disks.  The only people whose data will be discovered are those with nothing to hide.

HexView has an article about tracking vehicles with RFID tire pressure monitors. The devices are found in tires and transmit tire pressure to the engine control module, which sounds innocuous enough, but to prevent modules from reading neighboring cars’ tires by accident, they also transmit a unique ID. Thus, you can follow a car around town based on its ID, turning tire pressure monitors into tracking devices.

RFID devices are becoming more and more common, and this trend will continue — they’re too convenient for many purposes for the security risks around them to stop them. You may not want every consumer good you buy to be tagged with an ID that lets people watch your shopping from 100 yards away, but the scenario of being able to check out at the grocery store by instantaneously scanning every item in your cart simultaneously is too compelling for people to resist.

Bruce Schneier has a post on the ineffectiveness of security cameras, but while calling them ineffective it does note that criminals moved their crimes to somewhere the cameras couldn’t see. This may be “ineffective” for a government camera system designed to deter crime, but it’s precisely what privately-owned security cameras are meant to do — make a target unappealing so criminals go elsewhere. This actually shows that cameras do deter crime… but only where they can see it.

However, both of these technologies can have pernicious effects, too. The HexView article points out that you could use the RFID tire monitors to commit murder — set a bomb with a radio trigger that goes off when the “right” car drives over it. It would also be just as useful to private investigators spying on citizens as it is to law enforcement chasing down criminals. And speaking of law enforcement, these cameras create a dangerous imbalance in their favor — the camera evidence is all under their control, and thus can come up when needed to prove a perpetrator’s guilt yet be conveniently lost in cases of police brutality, abuse of power, corruption etc.

This is an interesting time for surveillance — police and government surveillance ability is skyrocketing (London is practically blanketed in cameras at this point, as the British seem much less uncomfortable with them than Americans are) but it is still largely in the hands of authority figures. This is dangerous because of how fast the change is coming — our criminal laws and sentencing structures are based on the principle that most criminals get away with it. A $75 fine for speeding seems pretty reasonable, but what if that fine were levied every time a car hit 1 mph over the speed limit? Most of us would get fined a dozen times a day, every day, despite not even meaning to speed, because our behaviors are based on the idea that we probably won’t get caught and that even if we are police are unlikely to punish us for very minor transgressions. If people were caught for speeding every time, and fined every time, a $75 fine would be absurd — the fine could probably be under $1 and still bring in a few hundred dollars a month from every citizen. What is the right legal structure here? I can see two possibilities:

• Raise the speed limits to the speeds we really think no one should exceed, and continue to fine every time.  Maybe you should get charged every time you exceed, say, 85 on a highway or 55 on a city street.  Set them high enough that there’s no leeway required.
• Leave the speed limits where they are but set the fine really low, say a $0.25 per minute of speeding.  This makes speeding discretionary — you can obey the law, or not, but if you choose not to you pay a penalty.  This is a fundamental change in the whole idea of crime and punishment, and itself has some pernicious consequences — it means that a certain income level can render you “above the law,” which is not a good thing.  Obviously some crimes (such as murder) should not be treated as discretionary, but for traffic violations it could make sense.

It’s not just traffic laws that are like this; consider the War on Drugs.  If every person who ever smoked marijuana went to prison, we would have a nation of felons — there’d be few people left who could vote, get security clearances, hold most jobs, etc.  The RIAA lawsuits against file-sharers are a good example of what happens when technology that catches everyone gets used to enforce laws designed under the assumption that only the worst and most flagrant criminals will be caught — people being hit by millions of dollars in fines for using technology to do something that wouldn’t even raise an eyelash if done by old, physical means (e.g. posting a song on BitTorrent vs. handing it to a friend on a cassette tape.)

A surveillance society needs a different kind of jurisprudence — one that sets punishments that fit the crime even if applied every time.  On the bright side, actually doing this would lower crime rates tremendously due to the psychology of criminals.  Escalating punishments does little to deter crime because criminals are risk-seekers — they do not expect to get caught.   Even a small punishment can be a strong deterrent if applied every time — if criminals are usually caught, such that all criminals have some first-hand experience with being caught and punished, it would break this idea.  On the not so bright side, a surveillance society must have very liberal laws to avoid being a police state — our current legal system, applied to everyone every time, would result in tyranny.  We all break 10 laws a day, it’s only sloppy enforcement that allows us to live our lives.  Unfortunately, the technology for ubiquitous enforcement will come well before the legal system changes to make it livable do.

What’s interesting to me is what will happen when surveillance becomes even more common: that is, when it is no longer monopolized by authority.  This has already started with cellular phones.   Almost everyone carries around a device which, while primarily for communication, contains a camera and often a voice recorder and videocamera as well.  Everyone is equipped to carry out impromptu surveillance at any time.  Devices like these glasses from ThinkGeek (found via BoingBoing) coupled with the rapidly falling cost of storage capacity will change this to everyone actually carrying out impromptu surveillance all the time.  This will have a chilling effect on human behavior at first — would you act differently if you knew everyone around you was videotaping everything you did?  Everything you say will, indeed, be able to be used against you, and not just in a court of law.  However, look at what young people put on MySpace and Facebook these days — the next generation does not have the assumption of privacy.  They’ve grown up in a world where they know everything goes on a permanent record, and have simply accepted it.  Sure, they’ll be occasionally shocked by it (e.g. the first time their party photos on MySpace disqualify them from a job), but the knowledge of permanence has not stopped them from sharing themselves, and eventually the rest of us will adjust, too.

Consider what the democratization of surveillance does to government power.  When we’re all recording, someone is watching the watchers.  Corruption, abuse of power, etc. all rely on the fact that authority figures can get away with crimes because they are more reliable witnesses in court than their victims are.  When everything is on the record — and not just the official record, but everyone’s record — police and government officials become compelled to act within the law.  While this may not be much of an impediment in truly totalitarian societies like China where the courts are as corrupt as everyone else, it’s a very strong bulwark of freedom in any society with an independent judiciary and a liberal tradition like the Untied States and Europe.  This is the next generation of surveillance — everyone sucking in light and sound from their glasses, or lapel pens, or even contact lenses, recording every moment of their lives on multi-terabyte devices that fit in their pockets.  It’s probably only 5-7 years away, and it washes away the current problems of a surveillance society and replaces them with new ones.

I think this cycle will continue for some time.  After all, once we’re past the era of democratized surveillance, computer graphics and artificial intelligence technology will improve to the point that ordinary people can modify their recordings to create perfect video of events that never happened, indistinguishable from the real thing.  What happens to recordings in law courts then, when they cease to be reliable evidence and become hearsay?  Tapes will become the new eyewitnesses, known to be unreliable and requiring corroboration from others.  When it becomes truly easy to make forged video, perhaps we will have emerged from the surveillance society from the other side — why bother to record anything when there’s no way to tell if it’s real?  Sometimes the only way out is through.

Today I found a link to an article by my least-favorite current presidential candidate, Rudy Giuliani. I was expecting a cavalcade of fear-mongering — his usual stock in trade — but discovered to my surprise an article entitled “The Resilient Society.” This gave me pause, as resilience is precisely what I believe must be the necessary societal response to the distributed threat of terrorism. Security must be divided into prevention, detection, response, and recovery — resilience is the ability to quickly recover from attack at as low a cost as possible. Resilience is the difference between a society changing its entire way of life in response to a terrorist attack vs. society being able to return quickly to normalcy, thus making itself impossible to terrorize. I was not expecting to hear about resilience from Rudy Giuliani — after all, this is the one aspect of national security that cannot be centralized around an all-powerful government (Giuliani’s obvious goal), but rather relies on the distributed strength of every citizen. Was I about to actually agree with an article by Giuliani?

It turns out that I had nothing to worry about. Despite its title, there are only four paragraphs about resilience in the 41-paragraph article, and even those are wrong.

So what does Giuliani think must be done to defend a society from terrorism? Primarily a command-and-control response process combined with offensive attacks on the sources of terrorism.

With regard to prevention, Giuliani favors deployment of massive detection nets to fight against the attacks we’ve already faced — radiation and biohazard detectors at every port and point of entry. The cost-benefit ratio of this would be astronomically poor; as a free society with mostly open borders, there are a phenomenal number of entry points to the United States, and only very rarely (possibly never, so far, though the government would not be likely to tell us if it did happen) does anyone try to smuggle weapons-grade nuclear material or biological weapons through it. This isn’t to say that these measures would do no good, but they protect only against specific attacks and are obvious. They signal to terrorists “you can’t bring a nuclear or biological weapon through a shipping container in a port,” thus letting them know they should instead a.) use conventional weapons, b.) acquire nuclear/biological materials already inside the United States, or c.) enter via uncontrolled border space. If I, in three minutes, can think of three easy ways around a measure that will take billions of dollars to implement, it’s not very cost-effective.

He discusses the difficulties in information sharing between law enforcement and military agencies, clearly seeing these as an unalloyed negative. He’s right that there have been clear communications breakdowns, where these organizations had information that they were legally free to share, but chose not to out of myopia or the desire to preserve the institutional sovereignty of their silo. Despite the Central Intelligence Agency being founded to ensure all military and civilian intelligence agencies share information, it has in many cases become the most isolated hoarder of information of them all, and this is a problem. However, in other cases the obstacles to information-sharing are the civil liberties guaranteed by the Constitution. Giuliani has no issue with sweeping these away — this is, after all, the person who claims “Freedom is about authority. Freedom is about the willingness of every single human being to cede to lawful authority a great deal of discretion about what you do. You have free speech so I can be heard.” (That quote is not taken out of context in any way. He did not, however, go on to add “War is Peace. Freedom is Slavery. Ignorance is Strength.”)

Judicial oversight is not inimical to detecting and stopping international terrorism. Judges do not want terrorist attacks to happen, either; these protections exist to ensure that normal people are able to live their lives without constant monitoring. Surveillance is not unintrusive. Comamnd-and-control executives like Giuliani think that it does not matter if people are being watched, as only the “bad guys” will be prosecuted, but this simply isn’t true. First of all, people change their behavior when they know they’re being watched. It has a chilling effect not just on actually criminal behavior, but also on any behavior that people consider “socially unacceptable.” Surveillance drives everyone toward the mainstream center of society, homogenizing them; it creates the very opposite of a free society. (For a chilling illustration of this, I highly recommend Charles Stross’s sci-fi novel Glasshouse, one of the best and most terrifying books I’ve ever read, though it requires a high tolerance for transhumanist concepts.) Second, who watches the watchers? Even if Giuliani’s motives are pure (they’re not), and he wants to use these tools of warrantless surveillance, imprisonment without trial, etc. only against international terrorists, no one can possibly believe the entire law enforcement apparatus of a 300-million-person nation is entirely free of corruption and petty tyranny. Security has a cost — Giuliani looks only at how these measures benefit security, ignoring their unintended consequences. Security is of limited value — a terrorist attack is tragic but it does not end the world. We must not embrace “security at any cost” — instead we must consider security at a cost that we can bear, and most importantly, not allow the cost of security to exceed the cost of terrorism.

Giuliani also wants a “good Samaritan” law for people who report suspicious activity, protecting them from lawsuits. This is a terrible idea. Lawsuits are there to provide a cost for making a false of frivolous report — people will still report the man walking down the street with a pile of dynamite, but they think twice about reporting possibly-suspicious but almost certainly innocuous activity, like speaking Arabic in an airport, or loitering in a parking lot. Making reporting costless means you’ll get an inevitable excess of it, resulting in both the chilling effect of universal surveillance and a waste of law enforcement’s time. When people are encouraged to report everything unusual, you drown in reports and make people paranoid. This teaches people to react to the unknown with fear — that is, it accomplishes precisely what terrorists aim to accomplish. People reporting suspected terrorist activities should not be immune from lawsuits; rather, courts should decide whether the report was reasonable and take appropriate action. Often the reporters should be held blameless, having had a reasonable reaction that turned out to be incorrect, but doing so automatically makes filing false reports a simple way for private citizens to use the nation’s law enforcement apparatus as a means for private revenge.

Giuliani also calls for “tamper-proof biometric ID cards” for all non-citizens. As a security professional I can’t help but chuckle when anyone uses the word “tamper-proof.” But there’s nothing terribly wrong with this… except that it doesn’t do any good. We already know when people enter the country legally, and we identify them then; if they sneak in, they’re not going to have a “tamper-proof biometric ID card” any more than they have a regular ID card now. In addition, identity alone does not provide security. The fact that you know who someone is does you little to no good if he does not have a background in committing terrorist acts. And if he has a background in committing terrorist acts, why would you hand him a “tamper-proof biometric ID card?” Just deport him!

Giuliani supports fences around borders and stepping up guards, but claims to want to avoid turning the nation into a “fortress” in order to “deepen the connections between America and the Islamic world that will prove essential in prevailing over radical Islamic extremism.” On one hand, he’s on to something there — the only way to truly prevent terrorism is to eliminate the motivation for terrorism. Otherwise, 100% prevention is impossible — total prevention requires that you succeed every time, while the villains only have to succeed once. On the other hand, he simultaneously advocates precisely the foreign policy that creates that motivation — worldwide interventionism and American control and support of often-corrupt foreign governments. Now, the fact that a given policy makes people want to kill you doesn’t necessarily mean that that policy is wrong – but it is a cost of that policy that must be taken into account, and to claim that it will not have this effect is disingenuous.

Stepping up epidemiological surveillance and data gathering is the one good idea Giuliani has. Not only would it be helpful to detect bioterror attacks, but more importantly, it can help detect and contain natural pandemics. The emergence of a serious disease threat at some point in the future is a certainty, and unlike surveillance of people’s activities, this sort of surveillance has very little civil liberties cost.

Giuliani is obvious very proud of New York’s CompStat method of crime detection and prevention, given his desire to apply the same methodology to everything. For terrorism and border control, it makes some sense, as these are essentially law enforcement problems with a lot of parallels. However, for emergency preparedness it does not. Dividing up funding based on “need” determined by a statistical formula is absolutely certain to result in “gaming the system.” Emergency preparedness must be decentralized; there is no way for the Federal government to take care of it on a nationwide basis, or even to effectively coordinate and monitor it. Fundamentally, preparedness requires having appropriate materials on site and appropriate plans made, and no one can make those plans from afar.

Finally, Giuliani gets to the putative subject of the essay, resilience. He says, rightly, “Government should harness the inherent strength of the American people and the private sector in order to build a society that may bend—but not break—if catastrophe does strike.” It is somewhat ironic to hear this from Giuliani, who has just spent the preceding 30 paragraphs calling for increased central control of everything. His entire resilience proposal is as follows:

• Create government-organized response teams of private citizens who have been trained and equipped by government to respond to disaster,
• Pass a law shielding people from lawsuits if they are trying to help in disaster response, and
• Set government standards for how businesses, citizens, and charitable organizations should respond to disasters.

Ah, for every problem a government solution. This is precisely what resilience isn’t. A resilient society is one that responds to and recovers from disaster on its own — one that is not broken by disaster but continues to function mostly unchanged. The model of a resilient society is England during the IRA period: terrorist attacks happened, and life went on largely unchanged.

Western society is still phenomenally resilient, but not as much as it once was. You cannot build a resilient society using only government. A resilient society comes from a variety of factors, and these can do more to protect against the impact of terrorism than any technological or centralized security measure. They include:

• A culture of hope. People have to believe that every terrorist attack is an abberation, and that life will return to normal. This is what prevents a localized disaster from having repercussions on an entire nation for years to come; without this, with a culture of fear instead, the damage of a terrorist attack is multiplied a hundredfold.
• A citizenry that trusts itself. People must believe they are competent to solve their own problems, so the first reaction to a disaster is not “how will I get help,” but rather “what do I need to do?” Government cannot save everyone; if the able-bodied and passably intelligent people save themselves, government is freed up to help those who genuinely need it, and not simply those who abrogated their responsibility to plan.
• A populace that cares for others while still expecting them to take care of themselves. When disasters like Hurricane Katrina or 9/11 occur, there is an outpouring of charity from the populace to help. It doesn’t take government to solicit this; general benevolence will do, the desire to help anyone hurt by a disaster rather than using disaster as am impetus to hoard more for yourself and your tribe. However, people also must recognize the limits of charity, and be willing to go back to their own lives as time passes.

All of these are cultural shifts; we can’t impose them, and as Giuliani is running for head of government, it makes sense for him to talk about government actions. However, the statements he’s making are precisely what damages resilience. When all we hear from government is how they are expecting impending doom, and how government will save us when it happens, it does not teach us to have hope, trust ourselves, and help others! It teaches us to always anticipate disaster, do nothing and wait for help when it happens, and expect the government to do all the helping. Regardless of what the government does, this rhetoric from our politicians itself reduces the resilience of our society.

Bruce Schneier has a good post today called “The War on the Unexpected,” about the unintended results of asking the general population to report anything suspicious.  Even discounting deliberate malfeasance (reporting the neighbor you don’t like as “suspicious”), people find a lot of things suspicious, and the gatekeepers have no motivation to apply intelligent filtering to public reports.  When someone makes a specious report and the police overreact, they’re praised for their vigilance, while the real victim in the situation is lucky to escape without prison time.  The result is a paranoid society where merely being unusual can get you into trouble — the very opposite of a free society where your actions are none of anyone else’s business unless you’re directly harming them.

Of course, there’s not much motivation for government to reduce these overzealous “awareness” programs, either.  A paranoid populace is always supportive of more government intervention to “protect” them, and making everyone into a criminal makes social control quite easy, since there is no one not subject to arrest, only the people you haven’t chosen to arrest yet.

Terrorism can never be absolutely prevented because terrorism is easy — it is a sad fact of chemistry that many things explode, and there are many ways of being dead.  A free society can only prevent crime because criminals have something to lose — people acting in self-interest do not want to die or go to prison, and a free society must fight crime via punishing criminals after the crime has been committed.  Since terrorists of the current radical Islamic model aren’t deterred in this way, we are deprived of our normal security responses and forced to try to fight with prevention only, rather than the standard responses of detection & punishment.  To truly eliminate this sort of terrorism requires changing the culture from which it emerges — removing the “feed stock” of terrorist organizations by giving people something to live for.  This is not a short-term project.
The proper response of a free society to terrorism is not “prevention at all costs,” but rather prevention where the cost is justified and resilience where it is not.  Western society is distributed, and has a phenomenal depth of resources that is absent in many other societies — our culture is, in short, extremely hard to destroy.  As catastrophic as the September 11th attacks were, your chances of dying in a terrorist attack remain smaller than your chances of dying of heatstroke, inhalation of a foreign object, or drowning in a swimming pool; our society is threatened not by the direction damage of terrorist attacks but by the response those attacks cause in us.  Some threats are direct and obvious enough that mitigates them makes sense, but for many threats the rational response is to accept the risk; that is, recognize that the risk is there, understand that the chances of it affecting you, personally, are nearly nil, and that absolute safety does not exist.  We need to go on about our lives, and work to recover from attacks in the same way that we recover from natural disasters.  When a disaster happens, we mourn, we help the people affected, we rebuild the damage — but we do not change our way of life because of them.  Somehow, we think that human-caused disasters should be entirely different, but this is not necessarily the case.

I was reading an article about web scanner coverage and false positives by Larry Suto that RSnake linked to on ha.ckers. Though this is only tangentially related to the actual paper, it reminded me of something interesting — the inevitability of false positives when detecting something rare.

When measuring the error of a detection process, there are three pertinent statistics — Type I error (false positive, detecting something that isn’t really there,) Type II error (false negative, missing something that is there,) and crossover error rate (the error rate at which the rates of Type I and Type II error are equal — essentially, the minimum error of the process.) We normally think of trying to minimize the crossover error rate — after all, we want detection processes that are as accurate as possible — but sometimes one sort of error is objectively worse than the other, so we will choose, say, to minimize false negatives even if this leads to more false positives being detected.

For instance, it is very annoying if the fingerprint scanner used to log onto your laptop fails to recognize you routinely, requiring you to use the reader repeatedly. Thus, too many false negatives annoy the user. Of course, if it let everyone in, that would be even worse, but we’re willing to run the risk that somebody with fingerprints sort of similar to yours might be able to get in if it makes the thing work better. On the other hand, if the fingerprint scanner is on the vault with the nuclear weapons in it, false positives are very bad, while a false negative is really not too terrible — you probably don’t need to access the nuclear weapons very often, so if you need to swipe your finger four times to get in, that’s okay. In this process, you’ll optimize to minimize Type I error, even if this raises your rate of Type II error and your crossover error rate.

However, what people often fail to recognize is that error rates become very oddly skewed when the thing to be detected is exceedingly rare. For instance, we currently have many processes in the country designed, ultimately, to detect terrorists — border guards, profiling, no-fly lists, etc. These all have error rates — sometimes, they would miss a real terrorist, and to the dismay of civil libertarians and air travelers everywhere, sometimes they “catch” innocent people.

A Type I error rate of 0.001% sounds pretty good. Imagine you have a terrorist detector with a Type II error rate of zero — it always detects real terrorists. And its Type I rate is only 0.001% — it generates false alarms only one time in 10,000. Sounds great, doesn’t it? We should make use of them immediately! If this thing points out a terrorist, you’ve got the right guy. The government can proudly advertise that their detector is 99.999% accurate.

But wait… there are 280 million people in the United States. How many are actual terrorists? I hope not very many, but let’s be paranoid and imagine there are 1,000 lying in wait (though I’d wager if there were, we might have seen at least one terrorist attack on U.S. soil sometime within the last 5 years.) This means that we’ll be scanning a real terrorist — and set off the alarm, since our terrorist detector has a false negative rate of zero — 0.000036% of the time. Our false positive rate is 0.001% is actually more than the rate of real terrorists in the population. In fact, while a negative from our terrorist detector is right every time, a positive from it is wrong 97% of the time. In other words, if the alarm goes off, you can be 3% sure that you’ve got the right guy!

Doesn’t sound so good put that way. When the alarm goes off, you can be almost certain (97% certain, at least) that you’ve got an innocent man. The problem of detecting a rare thing without false positives is actually quite difficult.

Forbes.com recently had an article called “America’s Hackable Backbone” regarding the recent surge in SCADA hacking. SCADA, Supervisory Control And Data Acquisition, is a truly ancient protocol, in use for over 20 years, which was not remotely designed with security in mind. At the time, SCADA was used only on dedicated networks that lacked any connectivity to a network to which you could attach a general-purpose computer. Thus, the security it relied on was a combination of physical security — you needed to tap a line to get in — and obscurity — if you did get in, you’d need to both know SCADA and know the particular “magic names” of the devices you were trying to control.

I saw Ganesh Devarajan’s presentation on SCADA hacking at DefCon back in August. The protocol is relatively simple — simple enough to figure it out just running a sniffer for a while. And the things controlled by these systems can be utterly critical — nuclear power plants, subway systems, pipelines, manufacturing plants, etc. Some of what Devarajan demonstrated was attacking through simple fuzzing — just throwing masses of junk data into the systems and seeing what happens, since the input (presumed to come from trusted sources on a private network) is seldom validated. When fuzzing makes something fall over, that’s almost certainly a sign that a buffer overflow vulnerability lurks there — so even if you can’t stop the subway with a SCADA command, you can probably execute arbitrary code with one, and that can do anything (though it is, admittedly, significantly harder.)

However, as Forbes points out, you don’t need to really know how to control the system to extort ransom out of someone — the mere threat of controlling, say, a water treatment plant may get you what you want.

Fixing these systems normally requires replacing them — they’re so old that updating to a more modern system is seldom an option. Likewise, encryption is a decade out of reach for these systems. At the very least, they need to be completely isolated — a computer that can access a SCADA system should not be connected to a computer that can access the Internet. This creates a potential path for an attacker. Unfortunately, companies are moving in the opposite direction — rather than replacing and isolating SCADA, they’re wrapping it in XML, so that modern applications can use web services to manipulate SCADA systems. This makes sense from a usability perspective — just because your oil pipeline’s valves use 20-year-old control software doesn’t mean your engineers have to be working on 20-year old green-monochome-screened DOS boxes to operate them. However, from a security perspective it makes things even worse. The machines running these apps are on corporate LANs with Internet connectivity — and hacking SCADA wrapped in XML is every bit as easy as hacking raw SCADA. Putting something in XML doesn’t render it more secure — indeed, the accompanying metadata often makes it easier to decipher.

The real worry of these systems is that as the SCADA networks become more integrated with the Internet (SCADA over TCP/IP is already normal, and SCADA over XML is growing), we come closer to a world in which those action-movie scenarios where a hacker breaks into a computer and starts blowing up power plants, manipulating traffic lights, etc. are actually possible. Right now, “hacker terrorism” is mostly a financial threat — there’s little you can do to life safety from an Internet terminal most of the time. It would be preferable to keep it that way.