Re: group-based judgement

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Wed Jul 24 2002 - 10:33:44 MDT


On Wednesday, July 24, 2002, at 12:05 am, Hal Finney wrote:

> We have occasionally discussed the use of profiling as a security measure
> in airport security, attempting to identify those people who would be
> more likely to be terrorists. Harvey Newstrom has often cautioned against
> this approach, writing for example on May 23,
>
>> As a security professional, I really must insist that standards require
>> search of everyone or random searches. You cannot let guards try to
>> detect the possible "guilt" of people by looking at them. They do not
>> have that skill, and it is not effective enough to base a security
>> policy on. Security profiling must be based on individuals, meaning
>> behavior or situation. Groupism that includes or excludes whole genders
>> or races will instantly fail because the bad guys then have a magic
>> profile that will let them through. Just choose a person who looks
>> right as your agent, and you get through security. Such a security
>> policy would be invalid according to any security standards I know.
>
> Today there is an article going around which illustrates the wisdom
> of Harvey's advice, from
> http://swissnet.ai.mit.edu/6805/student-papers/spring02-papers/caps.htm.
>
> This paper shows that, under plausible assumptions, the profiling methods
> currently being used by the airlines, under government supervision,
> are actually *less* likely to detect terrorists than random searches.
> The paper provides a method called "Carnival Booth" to allow terrorists
> to exploit profiling systems and escape detection along much the same
> lines discussed by Harvey above. The authors even offer evidence that
> the 9/11 hijackers had used a similar method to assure that they would
> be able to evade profiling and to carry out their plan without detection.
>
> The article is very well written, for an academic paper, and the first few
> sections are non-mathematical and well worth reading even for the layman.
> It certainly calls into question the methods currently being used by
> the airlines.
>
> Hal

Thanks for the support information! I appreciate it!

I really am a security professional. I'm not perfect, and I am still
human and make mistakes. But when I say as a security professional that
the best-practices understanding in my profession is that something
doesn't work, I really mean it literally. Security is a mature and
robust profession with scientific methods, technical theorems and
mathematical proofs. Proposed security methods must be proven with the
scientific method. They must be theorized, be analyzed, be
mathematically proven, predict observations, and be reproducible in the
real world. The profiling methodology has consistently failed in all
cases.

I know people think I am just preaching some politically-correct
viewpoint, but that is not the case. It is an established fact among
security professionals that profiling fails to meet security
objectives. It is not proposed or allowed under any of the numerous
security evaluation criteria standards. It plain doesn't work. I know
people are sure that it should, but when calculated mathematically or
measured experimentally, it always fails.

--
Harvey Newstrom, CISSP		<www.HarveyNewstrom.com>
Principal Security Consultant	<www.Newstaff.com>

