Go to previous post:
My very important Bruce Springsteen opinion

Go to Electrolite's front page.

Go to next post:
Poor old horse

Our Admirable Sponsors

August 15, 2002

What doesn’t work and what does If you read just one article this month about “security” post-9/11, read this profile of cryptologist and security expert Bruce Schneier in the Atlantic Monthly. Bruce is one of the smartest human beings I know, and if I had my way he’d be delivering his views to a joint session of Congress. He’d convince them, too.

“The most critical aspect of a security measure is not how well it works but how well it fails.” This central insight, the e=mc2 of a coherent model of what security is and isn’t, has enormous implications for the various costly and dangerous follies we’re now embarked upon. I wish every blogger interested in contemporary “national security” issues, not just crypto gearheads, would read this piece. [09:25 AM]

Welcome to Electrolite's comments section.
Hard-Hitting Moderator: Teresa Nielsen Hayden.

Comments on What doesn't work and what does:

Charles Kuffner ::: (view all by) ::: August 15, 2002, 10:23 AM:

I'll second that recommendation. It's a great and informative read. Glad to see it's online now.

Mary Kay ::: (view all by) ::: August 15, 2002, 11:01 AM:

Thanks for the link. I've been wanting to read it since we met the guy who wrote it at a party at Neal Stehephenson's neighbor's house after George Dyson's reading. Demonstrating small world effect all *over* the place.


Chad Orzel ::: (view all by) ::: August 15, 2002, 11:35 AM:

You might want to check the link-- it 404's on me. Searching their site for "Schneier" turns up a bunch of similar URL's, which also throw a "page not found" error. I don't know if this is a temporary glitch, or a subscriber-only link, or what.

Mary Kay ::: (view all by) ::: August 15, 2002, 12:01 PM:

Following up Chad's comment: the link worked for me, but none of the sidebar links in the article would work.


Simon Shoedecker ::: (view all by) ::: August 15, 2002, 12:23 PM:

Well, all the links worked for me just now. Try again?

Anyway, the first paragraph of this article particularly grabbed me. It reads:

"To stop the rampant theft of expensive cars, manufacturers in the 1990s began to make ignitions very difficult to hot-wire. This reduced the likelihood that cars would be stolen from parking lots—but apparently contributed to the sudden appearance of a new and more dangerous crime, carjacking."

Y'know, I remember making exactly this point a few years ago in an online discussion on the subject of - wait for it - gun control. My point was that using guns for deterrence won't necessarily decrease crime, but only encourage criminals to find even nastier ways to get around the deterrence and commit their crimes.

Now, my conclusion doesn't necessarily follow either. (The point about unforeseen consequences like the above is that they're unforeseen.) But what I found interesting is that the gun-advocate I was arguing with never grasped the initial point at all. He thought he'd countered it by saying that carjacking rates had declined slightly in the previous couple years.

Jim Meadows ::: (view all by) ::: August 15, 2002, 12:29 PM:

I also was unable to link to the Schneier piece in the Atlantic Monthly.
In looking at the Atlantic's website, moreover, I saw that the Schneier article is in the September issue, but the "current issue" online was only June. Could this be part of the linking problem many of us had?

Erik V. Olson ::: (view all by) ::: August 15, 2002, 12:44 PM:

I've got a gripe with the first sidebar -- esp. since it takes a somewhat relevant point, but misses a more relevant one.

The lact of tactical flexibility of the Maginot Line was an issue, but that's not the reason is so utterly failed to protect France. It failed, for the same reason so many excellent locks fail.

The French locked the front door. (The Germany-France frontier.) The Germans went in through the window. (Belgium.) All those tanks, bunkers and fortifications didn't slow down the German blitz one bit -- the Germans went around the line. France assumed that the Belgium frontier, held by an ally, was safe. Germany looked at the line, then looked at Belgium, and said "Belgium's easier."

Weeks later, the Germans took the Maginot line -- from the back.

The relevance to Bruce's work should be obvious.

Patrick Nielsen Hayden ::: (view all by) ::: August 15, 2002, 01:06 PM:

I have no idea why some people are having trouble withy the link. It works for me. I'm not a subscriber to the Atlantic or to its web site.

Derek James ::: (view all by) ::: August 15, 2002, 02:18 PM:

Interesting article...thanks for the link (works fine for me).

I was interested in particular about the part criticizing the plan to fingerprint and photograph certain people as they enter the country. This is one place where it seems that technology wouldn't be a brittle panacea, but might actually be very useful.

When I lived in Japan, I was required to be photographed and fingerprinted, and to carry my gaikokujin card with me at all times. Presumably, this would make it much easier for Japanese police to find, arrest, and prosecute me if I do something horrible.

When describing how this effort is supposed to allow law enforcement to check such pictures and prints against existing databases of terrorist the article laments:
"Alas, no such database of terrorist fingerprints and photographs exists."

Wouldn't this possibly be a good strategy to build one up? And I wonder, how did law enforcement get clear, clean mugshots of all the hijackers so soon after 9/11, and peg their identities? Were they not using some sort of database?

Phil ::: (view all by) ::: August 15, 2002, 03:14 PM:

Actually Erik, the sidebar is largely accurate description of 1940. You should really read the book to get the context. The Maginot Line itself did not fail. But the self-confidence that it engendered in the French and British caused a monstrous failure. The Line was intended to prevent an entry into France directly from Germany. It WAS impenetrable. It was INTENDED to force a German invasion through Belgium and the Netherlands.

But they didn't do that either, really. The main attack was north of the Maginot through the Ardennes, through Luxembourg and southern Belgium, hitting the Allies where they were at their weakest, with the result that the best units were stuck away from the action, in danger of being cut off from supplies, facing German armies that were merely fakes. The book makes the point that the massive failure was in reliance on the technology and reliance on preconceived notions of German war planning, going so far as to assert that if the French had even merely entertained the possibility of an attack through the Ardennes, Germany's goose would have been cooked, as the juke north by the Germans would likely have been seen for what it was. According to May, even so the Germans still had to get pretty lucky.

Phil ::: (view all by) ::: August 15, 2002, 03:18 PM:

To use your analogy, yeah, the French locked the front door, but not to completely seal the house, but to force Germany go around to the back. Problem is yes, Germany jumped through the kitchen window, and were lucky not fall onto the stove.

Ginger ::: (view all by) ::: August 15, 2002, 03:30 PM:

If the hijackers got their visas since the mid 90s, the State Department had the photos taken for the visas.

I'm iffy on the comprehensive fingerprint/photo database. What I've heard so far hasn't impressed me as more than a PR effort, honestly. The INS doesn't have systems in place to process the information it's getting; witness the failure to crossreference with law enforcement in the Railroad Killer case.

How they'll put huge amounts of additional information to effective use (i.e., in a database) in the next few years is beyond me. The foreign student tracking system that's been kicking around for the last few years comes to mind.

(No trouble with the link here.)

Chad Orzel ::: (view all by) ::: August 15, 2002, 04:06 PM:

The link works now, on a different computer, using Internet Exploder instead of Opera. I'm not sure which of those factors made the difference.

For what it's worth, I also saw the "Current Issue" as June 2002 when I tried earlier, and it didn't work. It's now properly showing September 2002.

I'll take my bad computer karma out of your comments section, now.

Simon Shoedecker ::: (view all by) ::: August 15, 2002, 06:12 PM:

If the Maginot line were intended to make the Germans go through Belgium, three things would follow: first, the Belgians would have gotten really annoyed; second, the French could have put their troops on the Belgian frontier; third, they could have solved the whole problem by having the line cover the Belgian as well as the direct German frontier.

That is not my understanding. What I've read, though I have no sources handy to cite, is that the line avoided the Belgian frontier for two reasons: first, the French did not want to annoy Belgium by putting a bristling defensive line on their frontier; second, the French were confident the Germans wouldn't violate Belgian neutrality again as they had in 1914 when doing so had been one of Germany's major propaganda blunders.

But certainly, regardless of any other factors, it made the French too overconfident.

The broader point of the article which covers all these possibilities is this: that it doesn't matter how much security you use if there's a hole in it.

I keep thinking of this principle when I see DNA tests being used in court. Prosecutors citing DNA evidence always use high probability figures for identity, based solely on the unlikelihood of another person having the same DNA profile. They never factor in collection problems, accidental contamination, error in analysis, deliberate malfeasance, or any of a number of factors much more likely, esp. in aggregate, than a similarity in actual DNA.

Mike Scott ::: (view all by) ::: August 16, 2002, 04:54 AM:

Violating Belgian neutrality in WWI wasn't just a propaganda blunder for Germany. It's what brought Britain into the war, and thus probably what lost the war for Germany. That wasn't an issue in WWII, of course, when Britain was already in the war.

Phil ::: (view all by) ::: August 16, 2002, 02:27 PM:

Which is exactly what the French and British did. They were expecting a redo of the Schlieffen Plan, and sent their troops, not on the border with Belgium, but actually into Belgium. French and British troops were trapped far north of the Maginot Line, not behind it. Belgium is small, but there's still room enough to have uneven concentrations of troops as well as decisions as to where the best troops will go. The thing is the strongest part of the German attack was concentrated on the Ardennes Forest, which was considered a difficult barrier to cross. Which is why France had relatively small numbers of inexperienced and poorly trained troops to defend it. And so on.

The point is security always has a hole, and only human flexibility can truly compensate for it. The Maginot Line was emblematic of a lack of flexibility in thinking on the part of the French and British.

David Moles ::: (view all by) ::: August 16, 2002, 03:35 PM:

If y'all haven't already, you probably want to check out Schneier's newsletter, Crypto-Gram.