Authors: Bruce Schneier
the police use it:
Walter L. Perry et al. (2013), “Predictive policing:
The role of crime forecasting in law enforcement operations,” RAND Corporation, https://www.ncjrs.gov/pdffiles1/nij/grants/243830.pdf.
Terrorist plots are different:
John Mueller and Mark G. Stewart (2011), Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security, Oxford University Press, chap. 2, http://books.google.com/books?id=jyYGL2jZBC4C.
even highly accurate . . . systems:
Jeff Jonas and Jim Harper (11 Dec 2006), “Effective counterterrorism and the limited role of predictive data mining,” Cato Institute, http://www.cato.org/publications/policy-analysis/effective-counterterrorism-limited-role-predictive-data-mining.
Fred H. Cate (Summer 2008), “Government data mining: The need for a legal framework,” Harvard Civil Rights-Civil Liberties Law Review 43, http://www.law.harvard.edu/students/orgs/crcl/vol43_2/435-490_Cate.pdf.
false positives completely overwhelm:
G. Stuart Mendenhall and Mark Schmidhofer (Winter 2012-13), “Screening tests for terrorism,” Regulation, http://object.cato.org/sites/cato.org/files/serials/files/regulation/2013/1/v35n4-4.pdf.
Corey Chivers (6 Jun 2013), “How likely is the NSA PRISM program to catch a terrorist?” Bayesian Biologist, http://bayesianbiologist.com/2013/06/06/how-likely-is-the-nsa-prism-program-to-catch-a-terrorist.
Marcy Wheeler (15 Jun 2013), “The inefficacy of Big Brother: Associations and the terror factory,” Empty Wheel, http://www.emptywheel.net/2013/06/15/the-inefficacy-of-big-brother-associations-and-the-terror-factory.
millions of people will be falsely accused:
In statistics, this is called the base rate fallacy, and it applies in other domains
as well. For example, even highly accurate medical tests are problematic as screening
tools if the incidence of the disease is sufficiently rare in the general population.
I am deliberately not walking you through the math. Those who are interested can read
the details. Jeff Jonas and Jim Harper (11 Dec 2006), “Effective counterterrorism
and the limited role of predictive data mining,” Cato Institute, http://object.cato.org/sites/cato.org/files/pubs/pdf/pa584.pdf.
“you need the haystack”:
J. D. Tuccille (19 Jul 2013), “Why spy on everybody? Because ‘you need the haystack to find the needle,’ says NSA chief,” Reason, http://reason.com/blog/2013/07/19/why-spy-on-everybody-because-you-need-th.
adding much more noise:
Mike Masnick (15 Oct 2013), “Latest revelations show how collecting all the haystacks to find the needle makes the NSA’s job harder,” Techdirt, https://www.techdirt.com/articles/20131014/17303424880/latest-revelations-show-how-collecting-all-haystacks-to-find-data-makes-nsas-job-harder.shtml.
so much irrelevant data:
Chris Young (12 Mar 2012), “Military intelligence redefined: Big Data in the battlefield,” Forbes, http://www.forbes.com/sites/techonomy/2012/03/12/military-intelligence-redefined-big-data-in-the-battlefield.
NSA’s eavesdropping program:
Matt Briggs (7 Jun 2013), “Data mining: PRISM, NSA and false positives: Update,” William M. Briggs, http://wmbriggs.com/blog/?p=8239.
thousands of tips:
Lowell Bergman et al. (17 Jan 2006), “Spy agency data after Sept. 11 led F.B.I. to dead ends,” New York Times, http://www.nytimes.com/2006/01/17/politics/17spy.html.
Suspicious Activity Reports:
US Government Accountability Office (26 Mar 2013), “Information sharing: Additional actions could help ensure that efforts to share terrorism-related suspicious activity reports are effective,” Report GAO-13-233, http://www.gao.gov/assets/660/652995.pdf.
led to just one success:
Yochai Benkler (8 Oct 2013), “Fact: The NSA gets negligible intel from Americans’ metadata. So end collection,” Guardian, http://www.theguardian.com/commentisfree/2013/oct/08/nsa-bulk-metadata-surveillance-intelligence.
Peter Bergen (Jan 2014), “Do NSA’s bulk surveillance programs stop terrorists?” New America Foundation, http://newamerica.net/publications/policy/do_nsas_bulk_surveillance_programs_stop_terrorists.
that was probably trumped up:
Marcy Wheeler (12 Dec 2013), “Did DOJ prosecute Basaaly Moalin just to have a Section 215 ‘success’?” Empty Wheel, http://www.emptywheel.net/2013/12/12/did-doj-prosecute-basaaly-moalin-just-to-have-a-section-215-success.
Each rare individual:
Airplane security provides many examples. In 2001, Richard Reid put a bomb in his
shoe, and the primary effect is that we’ve all had to take our shoes off at airports
since then.
Several analyses:
Francis Gouillart (10 Jun 2013), “Big data NSA spying is not even an effective strategy,” Fortune, http://management.fortune.cnn.com/2013/06/10/big-data-nsa-spying-is-not-even-an-effective-strategy.
Ed Pilkington and Nicholas Watt (12 Jun 2013), “NSA surveillance played little role in foiling terror plots, experts say,” Guardian, http://www.theguardian.com/world/2013/jun/12/nsa-surveillance-data-terror-attack.
Washington’s Blog (13 Jun 2013), “The dirty little secret about mass surveillance: It doesn’t keep us safe,” Washington’s Blog, http://www.washingtonsblog.com/2013/06/the-dirty-little-secret-about-nsa-spying-it-doesnt-work.html.
Data mining is simply the wrong tool:
Jeffrey W. Seifert (3 Apr 2008), “Data mining and homeland security: An overview,”
Congressional Research Service, http://www.fas.org/sgp/crs/homesec/RL31798.pdf.
enabled the NSA to prevent 9/11:
Peter Bergen (30 Dec 2013), “Would NSA surveillance have stopped 9/11 plot?” CNN,
http://www.cnn.com/2013/12/30/opinion/bergen-nsa-surveillance-september-11.
wasn’t able to prevent:
Simon Shuster (19 Apr 2013), “The brothers Tsarnaev: Clues to the motives of the alleged Boston bombers,” Time, http://world.time.com/2013/04/19/the-brothers-tsarnaevs-motives.
The NSA collected data:
Marcy Wheeler (12 Apr 2014), “The day after government catalogs data NSA collected on Tsarnaevs, DOJ refuses to give Dzhokhar notice,” Empty Wheel, http://www.emptywheel.net/2014/04/12/the-day-after-government-catalogs-data-nsa-collected-on-tsarnaevs-doj-refuses-to-give-dzhokhar-notice.
failures were the result:
National Commission on Terrorist Attacks upon the United States (2004), The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks upon the United States, http://www.gpo.gov/fdsys/pkg/GPO-911REPORT/pdf/GPO-911REPORT.pdf.
Mass surveillance didn’t catch:
Dan Eggen, Karen DeYoung, and Spencer S. Hsu (27 Dec 2009), “Plane suspect was listed in terror database after father alerted U.S. officials,” Washington Post, http://www.washingtonpost.com/wp-dyn/content/article/2009/12/25/AR2009122501355.html.
the liquid bombers . . . were captured:
Dominic Casciani (7 Sep 2009), “Liquid bomb plot: What happened,” BBC News, http://news.bbc.co.uk/2/hi/uk_news/8242479.stm.
comes from targeted surveillance:
The NSA has touted 54 terrorist successes, but this number doesn’t pass scrutiny. Most weren’t actually terrorist plots, and they were mostly outside the US. Justin Elliott and Theodoric Meyer (23 Oct 2013), “Claim on ‘attacks thwarted’ by NSA spreads despite lack of evidence,” ProPublica, http://www.propublica.org/article/claim-on-attacks-thwarted-by-nsa-spreads-despite-lack-of-evidence.
FBI identifies potential terrorist plots:
Kevin Strom and John Hollywood (2010), “Building on clues: Examining successes and
failures in detecting U.S. terrorist plots,” Institute for Homeland Security Solutions,
http://sites.duke.edu/ihss/files/2011/12/Building_on_Clues_Strom.pdf.
the money we’re wasting:
Bruce Schneier (8 Sep 2005), “Terrorists don’t do movie plots,” Wired, http://archive.wired.com/politics/security/commentary/securitymatters/2005/09/68789.
the attacker has the advantage:
Bruce Schneier (2012), Liars and Outliers: Enabling the Trust That Society Needs to Thrive, Wiley, chap. 16, http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118143302.html.
It’s easier to break things:
Ross Anderson (2 Oct 2001), “Why information security is hard: An economic perspective,”
University of Cambridge Computer Laboratory, http://www.acsac.org/2001/papers/110.pdf.
Matthew Miller, Jon Brickey, and Gregory Conti (29 Nov 2012), “Why your intuition about cyber warfare is probably wrong,” Small Wars Journal, http://smallwarsjournal.com/jrnl/art/why-your-intuition-about-cyber-warfare-is-probably-wrong.
Complexity is the worst enemy:
Bruce Schneier (19 Nov 1999), “A plea for simplicity: You can’t secure what you don’t understand,” Information Security, https://www.schneier.com/essay-018.html.
Software security is generally poor:
Edward Tufte (2003), “Why producing good software is difficult,” Edward Tufte Forum, http://www.edwardtufte.com/bboard/q-and-a-fetch-msg?msg_id=0000D8.
James Kwak (8 Aug 2012), “Software runs the world: How scared should we be that so much of it is so bad?” Atlantic, http://www.theatlantic.com/business/archive/2012/08/software-runs-the-world-how-scared-should-we-be-that-so-much-of-it-is-so-bad/260846.
retailer Target Corporation:
Michael Riley et al. (13 Mar 2014), “Missed alarms and 40 million stolen credit card numbers: How Target blew it,” Bloomberg Businessweek, http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data.
a catastrophe for the company:
Elizabeth A. Harris et al. (17 Jan 2014), “A sneaky path into Target customers’ wallets,” New York Times, http://www.nytimes.com/2014/01/18/business/a-sneaky-path-into-target-customers-wallets.html.
its CEO, Gregg Steinhafel, resigned:
Elizabeth A. Harris (6 May 2014), “Faltering Target parts ways with chief,” New York Times, http://www.nytimes.com/2014/05/06/business/target-chief-executive-resigns.html.
Compare this with the:
Nicole Perlroth (31 Jan 2013), “Hackers in China attacked the Times for last 4 months,” New York Times, http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html.
Multiprogram Research Facility:
Its current goal is exaflop computation speeds, or one quintillion operations per second. James Bamford (15 Mar 2012), “The NSA is building the country’s biggest spy center (watch what you say),” Wired, http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all.
It secretly inserts weaknesses:
Bruce Schneier (4 Oct 2013), “Attacking Tor: How the NSA targets users’ online anonymity,” Guardian, http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.
“endpoint security is so terrifically weak”:
Glenn Greenwald and Edward Snowden (17 Jun 2013), “Edward Snowden: NSA whistleblower answers reader questions,” Guardian, http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower.
Discoverers can sell vulnerabilities:
The ethics of this is discussed here. Serge Egelman, Cormac Herley, and Paul C. van
Oorschot (9-12 Sep 2013), “Markets for zero-day exploits: Ethics and implications,”
New Security Paradigms Workshop, Banff, Alberta, Canada, http://www.nspw.org/papers/2013/nspw2013-egelman.pdf.
a robust market in zero-days:
Stefan Frei (5 Dec 2013), “The known unknowns: Empirical analysis of publicly-unknown
security vulnerabilities,” NSS Labs, https://www.nsslabs.com/system/files/public-report/files/The%20Known%20Unknowns_1.pdf.
both governments and:
Andy Greenberg (21 Mar 2012), “Meet the hackers who sell spies the tools to crack your PC (and get paid six-figure fees),” Forbes, http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees.
Both Russia and North Korea are big spenders when it comes to zero-days. Nicole Perlroth and David E. Sanger (13 Jul 2013), “Nations buying as hackers sell flaws in computer code,” New York Times, http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html.
Office of the Secretary of Defense (4 Feb 2014), “Military and security developments involving the Democratic People’s Republic of North Korea 2013,” http://www.defense.gov/pubs/North_Korea_Military_Power_Report_2013-2014.pdf.
discoverers can sell to criminals:
Dancho Danchev (2 Nov 2008), “Black market for zero day vulnerabilities still thriving,” ZDNet, http://www.zdnet.com/blog/security/black-market-for-zero-day-vulnerabilities-still-thriving/2108.
Undiscovered zero-day vulnerabilities:
Here is the most important research into that question. Eric Rescorla (7 Feb 2005),
“Is finding security holes a good idea?” RTFM, Inc., http://www.rtfm.com/bugrate.pdf.
Sandy Clark et al. (6–10 Dec 2010), “Familiarity breeds contempt: The honeymoon effect
and the role of legacy code in zero-day vulnerabilities,” 26th Annual Computer Security
Applications Conference, Austin, Texas, http://dl.acm.org/citation.cfm?id=1920299.
Andy Ozment and Stuart E. Schechter (11 May 2006), “Milk or wine: Does software security
improve with age?” MIT Lincoln Laboratory, https://research.microsoft.com/pubs/79177/milkorwine.pdf.