Phishing and Clearances

Apparently, the CISO of US Homeland Security, a Paul Beckman, said that:

“Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government” (Paul Beckman, quoted in Ars technica)

Now, I’m sure being in the government and trying to defend against phishing attacks is a hard problem, and I don’t want to ignore that real frustration. At the same time, GAO found that the government is having trouble hiring cybersecurity experts, and that was before the SF-86 leak.

Removing people’s clearances is one repsonse. It’s not clear from the text if these are phishing (strictly defined, an attempt to get usernames and passwords), or malware attached to the emails.

In each case, there are other fixes. The first would be multi-factor authentication for government logins. This was the subject of a push, and if agencies aren’t at 100%, maybe getting there is better than punitive action. Another fix could be to use an email client which makes seeing phishing emails easier. For example, an email client could display the RFC-822 sender address (eg, “<>” for any email address that that email client hasn’t sent email to, rather than the friendly text. They could provide password management software with built-in anti-phishing (checking the domain before submitting the password. They could, I presume, do other things which minimize the request on the human being.

When Rob Reeder, Ellen Cram Kowalczyk and I created the “NEAT” guidance for usable security, we didn’t make “Necessary” first just because the acronym is neater that way, we put it first because the poor person is usually overwhelmed, and they deserve to have software make the decisions that software can make. Angela Sasse called this the ‘compliance budget,’ and it’s not a departmental budget, it’s a human one. My understanding is that those who work for the government already have enough things drawing on that budget. Making people anxious that they’ll lose their clearance and have to take a higher-paying private sector job should not be one of them.

Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“)

I don’t want to minimize the issue here. Assuming the allegations are correct, the company’s assurance in their trust of their employees is diminished, they may face compliance or contractual issues, and they’re out at least 1.4 million dollars, most of which has likely been spent. A good number of folks are having bad days, and I don’t want to add to that.

At the same time, I do have a number of comments.

First, Those background check services sure are expensive! I wonder how many people that was.

Hmmm, according to their website, “In the past six years Noble has grown from 1,500 employees to over 14,000.” I do wonder how many of the “background checks” came back with false allegations of past misconduct. If there were 14,000 people with no red flags, isn’t that something of a red flag in and of itself? I also wonder (in a law school hypothetical sort of way, and assuming with no evidence that Wright or an accomplice fabricated false reports on some people so that his fraud went undetected) what sorts of claims might be available to those denied employment based on those untrue statements?

Second, there’s something of a natural experiment here that lets us assess the value of background checking. Assuming Noble Americas Corporation runs a second set of background checks, I’m very curious to know how well spent that $2m* will have been: how many employees do they fire, having learned of something so heinous that the employee can’t be kept, and how many do they fire, having been handed a reason to get rid of a poor performer? (Naturally, those 2 numbers will be rolled into one.)

Lastly, there’s an interesting social engineering angle here. There’s a real company “ChoicePoint” now part of LexisNexis. (ChoicePoint was made famous for their awesome handling of a 2003 data breach, which this blog diligently covered.) So when naming a false background check company, Choice Point Screening seems like it might be a new brand for the company. An auditor, seeing all those background checks, is unlikely to focus in on the extra space. It’s a nice touch.

Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail at seemingly random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard.

I call this my law of perversity in computer security.

Today, Kashmir Hill brings a great example in “So which is it?”

Privacy online

Contradiction much? When it comes to the state of online privacy, the media tend to send mixed messages, but this is one of the more extreme examples I’ve seen.

It’s just perverse: it’s hard to be sure when someone wants to rely on the data to protect kids, but it’s easy (for marketing firms) when we prefer to remain private.

Chaos Emerges from Demanding Facebook Passwords

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing.

In “I hereby Resign“, Raganwald discusses the downside to employers of demanding to look through people’s Facebook profiles:

I got her out of the room as quickly as possible. The next few interviews were a blur, I was shaken. And then it happened again. This time, I found myself talking to a young man fresh out of University about a development position. After allowing me to surf his Facebook, he asked me how I felt about parenting. As a parent, it was easy to say I liked the idea. Then he dropped the bombshell.

His partner was expecting, and shortly after being hired he would be taking six months of parental leave as required by Ontario law. I told him that he should not have discussed this matter with me. “Oh normally I wouldn’t, but since you’re looking through my Facebook, you know that already. Now of course, you would never refuse to hire someone because they plan to exercise their legal right to parental leave, would you?”

I think it’s a fascinating bit of chaotic blowback, and one that employers and applicants will be exposed to more and more as “social network background check” services help focus what search engines or marketers can already tell us.

In other words, be careful what you ask for, you might just get it.

For the first time in a long time, I’m tempted to set up a Facebook account.

Best autoresponse message

As Brad Feld says, this is the best auto-responder in a long time:

I am currently out of the office on vacation.

I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me and I can respond if I need to. And I recognize that I’ll probably need to interrupt my vacation from time to time to deal with something urgent.

That said, I promised my wife that I am going to try to disconnect, get away and enjoy our vacation as much as possible. So, I’m going to experiment with something new. I’m going to leave the decision in your hands:

If your email truly is urgent and you need a response while I’m on vacation, please resend it to and I’ll try to respond to it promptly.

If you think someone else at First Round Capital might be able to help you, feel free to email my assistant, Fiona ( and she’ll try to point you in the right direction.

Otherwise, I’ll respond when I return…

Warm regards,

It avoids any lies, and drives responsibility and choice onto the sender. You can learn a lot about senders this way. It’s probably better than many background checks.

Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants.

Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, BBC)

What’s interesting to me about this story is that it illustrates how part of the cost of using Facebook is the occluded future. If you’d asked me if Facebook impacted on military draft, I’d have said no. Predictions are hard, especially about the future. And the young women in question probably didn’t think that their use of a social networking site would cause them to be drafted.

A second interesting aspect to this is that it indicates that one’s Facebook profile, in aggregate, is a religious identifier. That’s interesting because religious information is categorized specially under the Canadian privacy act (PIPED) and possibly also under European data protection laws. I haven’t seen this aspect covered in the analyses that I’ve read from those regulators. (Admittedly, I have not read all of those analyses.)

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds:

The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed to solve violent crimes and missing persons cases.

Civil libertarians call the database — which increasingly includes everyone convicted of every federal law, legally innocent people awaiting trial and non-citizens detained in the U.S. for any reason — unnecessary and unconstitutional.

And yet a review by the Department of Justice’s Inspector General released on Monday concludes that the need to analyze and upload some 96,973 or more DNA samples a year into that database is contributing to a backlog of forensic DNA cases that stood at 3,211 in March.

That translates into a delay of about 150 days to over 600 days for law enforcement agencies who need answers right away.

We need to defund the database and use that money for something more useful, like getting that 150 days down to 5 or 10 for active criminal cases.

Via Michael Froomkin, “FBI Prefers Building DNA Database to Solving Crimes

How not to address child ID theft

(San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account.

Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (…)

The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if
the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor.

That’s from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken.

Today, the credit agencies don’t get lists from the SSA. This is a good thing. There’s no authorization under law for them to do so. The fact that they’ve created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems.

The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a drivers license, passport or birth certificate.

Here’s how it would work:

  1. Alice turns 18.
  2. Alice applies for credit and discovers she has a credit history
  3. Alice calls the big three credit agencies and gets a runaround explains she’s just turned 18, and apparently has credit from when she was 13.
  4. The credit agency asks for documents, just like they do today (see “when do I need to provide supporting docs”)
  5. The credit agency looks at the birthday they’ve been provided, and substracts 18 years from the year field.
  6. The credit agency removes the record from the report

It’s easy, and doesn’t require anything but a change in process by the credit bureaus. No wonder they haven’t done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam.

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores.

I’d like to add one more danger of credit scores: deceptive advertising. The way it works is that a bank advertises a great rate for those with “perfect credit.” What it doesn’t advertise is what the curve of credit scores versus rates looks like. There are two issues here. The first is that the market is inefficient, as figuring out what actual rates are often involves talking to a human, and usually disclosing enough personal information to make a fraudster drool. Inefficient markets favor the side with more information (the loan offerer) and lead to less trade than more transparent markets.

The second issue is that everyone is mislead by the headline rate. I’ve looked for data on what fraction of Americans are listed as having “perfect credit” or data on the distribution of interest rates people are really paying, and I’ve been unable to find it. For publicly traded companies, it’s sometimes possible to reverse engineer some of this, but not very much.

Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer problems.” See “Local computer security expert investigates police practices” in the Seattle PI. Some choice quotes:

…a charge was leveled against him in Seattle Municipal Court for obstructing a public officer. Controversial laws known as obstruction, “stop and frisk” and “stop and identify” statutes have been abused in other cities like New York, studies and news stories show. An obstruction case cited in a 2008 Seattle Post-Intelligencer investigation ended with a federal jury hitting Seattle police with a six-figure penalty.

Rachner’s criminal defense attorney sought dismissal of his gross misdemeanor charge, citing the Washington State Supreme Court decision that says arresting a person for nothing more than withholding identification is unconstitutional. One reason cited by the court: This practice allows police too much discretion to pick targets and punish with arrest. Also, the state constitution is more protective of these rights than the U.S. constitution.

The microphone picks up Letizia explaining the arrest to Rachner and a police sergeant, citing only the failure to provide identification as the reason Rachner was in handcuffs. No other provocations before the arrest were documented.

“The explanation is our servers failed,” said Seattle Police spokesman Sgt. Sean Whitcomb. “Data was lost, more than his, and it took some time to recover it.” “There is absolutely nothing in the activity log to support that claim,” said Rachner. “Moreover, if the video was unavailable, it was dishonest of them to claim the video could no longer be obtained because it was past the 90-day retention period. It is completely at odds with what they told me in writing.”

I say these are lies because their story keeps changing.

I hate paying the salaries of people who can’t tell me the truth, and I think I’ll be writing city hall for an explanation. If you live in Seattle, I suggest you do the same.

Credit Checks are a Best Practice in Hiring

The New York Times reports that “As a Hiring Filter, Credit Checks Draw Questions:”

In defending employers’ use of credit checks as part of the hiring process, Eric Rosenberg of the TransUnion credit bureau paints a sobering picture. […]

Screening the backgrounds of employees “is critical to protect the safety of Connecticut residents in their homes and offices, in their cars and in all other places they travel,” Mr. Rosenberg testified to Connecticut legislators in February 2009, explaining why TransUnion markets its credit reports to employers.

Trouble is, researchers say there is no evidence showing that people with weak credit are more likely to be bad employees or to steal from their bosses, a fact that Mr. Rosenberg himself later admitted.

“At this point we don’t have any research to show any statistical correlation between what’s in somebody’s credit report and their job performance or their likelihood to commit fraud,” he said in separate testimony to Oregon legislators in January.

But please keep sending Transunion your money, they really like your money, and it makes them happy.

So why do I say it’s a best practice? Because most best practices, like this one, seem to be good ideas, but actually have no evidence that they work. It’s like torture. There are people who think torturing people helps prevent terrorist plots, but there’s no evidence for that, and lots of evidence it undercuts our security. People keep advocating anyway.

Businesses would actually be better off sending their money to TransUnion and not getting the credit report: that way, all those people they reject for the wrong reasons would still be in their hiring pools.

Businesses would be even better off spending their money on something that protects them or their customers.

Your credit worthiness in 140 Characters or Less

In “Social networking: Your key to easy credit?,” Eric Sandberg writes:

In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used.

To be clear, creditors aren’t accessing the credit reports or scores of those in your social network, nor do those friends affect your personal credit rating. Jewitt asserts that the graphs aren’t being used to penalize borrowers or to find reasons to reject customers, but quite the opposite: “There is an immediate concern that it’s going to affect the ability to get a financial product. But it makes it more likely” that it will work in their favor,” says Jewitt. [vice president of business development of Rapleaf, a San Francisco, Calif., company specializing in social media monitoring.]

I’ll give Jewitt the benefit of the doubt here, and assume he’s sincere. But the issue isn’t will it make it more or less likely to get a loan. The issue is the rate that people will pay. If you think about it from the perspective of a smart banker, they want to segment their loans into slices of more and less likely to pay. The most profitable loans are the ones where people who are really likely to pay them back, but can be convinced that they must pay a higher rate.

The way the banking industry works this is through the emergent phenomenon of credit scores. If banks colluded to ensure you paid a higher rate, it would raise regulatory eyebrows. But since Fair Issac does that, all the bankers know that as your credit score falls, they can charge you more without violating rules against collusion.

Secretive and obscure criteria for differentiating people are a godsend, because most people don’t believe that it matters even when there’s evidence that it does.

Another way to ask this is, “if it’s really likely it will work in my favor, why is it so hard to find details about how it works? Wouldn’t RapLeaf’s customers be telling people about all the extra loans they’re handing out at great rates?”

I look forward to that story emerging.

How to Make Your Dating Site Attractive


There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that.

So from a product management and privacy perspectives I found this article very thought provoking:

Bookioo does not give men any way to learn about or contact the female members of the site. Men can join for free, if they have been invited—and if a current Bookioo member can vouch for their information. They can then post a profile for the perusal of the female—and paying—members of the site. It’s those paying women, however, who get to call the shots.

As interesting as the approach is, what’s more interesting is how they came to it. They focused on a set of female customers, and asked what is it that they worry about, and what do they want? Co-founder David Olmos:

We think that women don’t feel comfortable with the current dating sites. The latter are too masculine: they were designed by men and they fundamentally address men’s needs. We know that many women prefer a different approach: they’re eager to socialize, to meet new people, and we propose to do that through activities. It may lead them to find a partner, of course, but they may as well enjoy an afternoon in a museum with a new girl friend whom they met Bookioo! So we propose to socialize through activities, common hobbies and common tastes.

As you can see, we actually want to revamp the “dating” concept, taking the perspective of women. The key issue for us is to make sure that women enjoy the level of privacy they wish and that the males’ profiles are fully validated. (“Bookioo: dating and social networking site gives women full control.”)

It’s also a very different approach to “creep management,” which we’ve covered in past posts like “Emerging dating paranoia,” “Dating and Background Checks in the UK” or “Dating & Background Checks in China

The New School of Air Travel Security?

As I simmer with anger over how TSA is subpoening bloggers, it occurs to me that the state of airline security is very similar to that of information security in some important ways:

  • Failures are rare
  • Partial failures are generally secret
  • Actual failures are analyzed in secret
  • Procedures are secret
  • Procedures seem bizarre and arbitrary
  • External analysis seems to show that the procedures are fundamentally flawed
  • Those charged with doing the work appear to develop a bunker mentality

In this situation, anyone can offer up their opinions, and most of us do.

It’s hard to figure out which analysis are better than others, because the data about partial failures is harder to get than opinions. And so most opinions are created and appear equal. Recommendations in airline security are all ‘best practices’ which are hard to evaluate.

Now, as Peter Swire has pointed out, the disclosure debate pivots on if an attacker needs to expose themselves in order to test a hypothesis. If the attacker needs to show up and risk arrest or being shot to understand if a device will make it through a magnometer, that’s very different than if an attacker needs to send packets over the internet.

I believe much of this swivels on the fact that most of the security layers have been innocently exposed in many ways. The outline of how the intelligence agencies and their databases work is public. The identity checking is similarly public. It’s easy to discover at home or at the airport that you’re on a list. The primary and secondary physical screening layers are well and publicly described. The limits of tertiary screening are easily discovered, as an unlucky friend discovered when he threw a nazi salute at a particularly nosy screener in Amsterdam’s Schiphol airport. And then some of it comes out when government agencies accidentally expose it. All of this boils down to partial and unstructured disclosure in three ways:

  1. Laws or public inquiries require it
  2. The public is exposed to it or can “innocently” test it
  3. Accidents

In light of all of this, the job of a terrorist mastermind is straightforward: figure out a plan that bypasses the known defenses, then find someone to carry it out. Defending the confidentiality of approaches is hard. Randomization is an effort to change attacker’s risk profiles.

But here’s the thing: between appropriate and important legal controls and that the public goes through the system, there are large parts of it which cannot be kept secret for any length of time. We need to acknowledge that and design for it.

So here’s my simple proposal:

  1. Publish as much of the process as can be published, in accordance with the intent of Executive Order on Classified National Security Information:

    “Agency heads shall complete on a periodic basis a comprehensive review of the agency’s classification guidance, particularly classification guides, to ensure the guidance reflects current circumstances and to identify classified information that no longer requires protection and can be declassified,”

    That order lays out a new balance between openness and national security, including terrorism. TSA’s current approach does not meet that new balance.

  2. Publish information about failed attempts and the costs of the system
  3. Stop harassing and intimidating those like Chris Soghoian, Steven Frischling or Christopher Elliott who discuss details of the system.
  4. Encourage and engage in a fuller debate with facts, rather than speculation.

There you have it. We will get better security through a broad set of approaches being brought to the problems. We will get easier travel because we will understand what we’re being asked to do and why. Everyone understand we need some level of security for air travel. Without an acrimonious, ill-informed firestorm, we’ll get more security with less pain and distraction.

Observations on the Christmas Bomber

Since there’s been so much discussion about the Chrismas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground.

This is a failure for the terrorists. A big one. Think about it; put yourself on the other side of the chessboard and read this movie-plot description. Yemeni Al Qaeda has a newly-radicalized, rich engineering student who wants to strike a blow against the evilness of George Clooney and Vera Farmiga. Despite being ratted out by his father, the student gets a visa, likely because he’s “wealthy, quiet, unassuming.” Using the very clever tactic of getting on a plane in Africa and transferring onto an American flight, he has one of the most powerful high explosives known sewn into his pants. Before landing in MoTown, he — fails to detonate it. Think about that again. An engineering student from one of the best universities in the world fails to set off a bomb in his lap. Worse, he ended up with a fire in his pants, leading to many humiliating jokes.

Fail, fail, fail. Epic fail. Face-palm-worthy epic fail. Worse, the US is sending counter-terrorism folks to Yemen to help find the people who planned this epic failure. For them, this is just bad, and about as bad as it gets. Supposedly, recruit these guys with promises of a half-gross of virgins, not with burning their nuts off. Ridicule is one of the most powerful forces there is, and this is deserved.

On top of this, now that the would-be bomber has been captured, he is singing like the proverbial canary. So that means that the planners really should be looking for new places to stay, because even their allies will want to purge losers from their ranks, or at least not take the fall for them.

Yet, all is not lost for the forces of terrorism. The world’s security services have panicked and instituted to security procedures that will actually make it easier for the next person by setting up rules that everyone’s supposed to stay in their seats in the last hour of flight. But that’s pretty slim pickings for them. It’s not even as good as the one-last-shocker in the traditional horror film.

Defense-in-Depth Works. The major problem in fighting terrorism is that the fraction of figure to ground is between six and nine orders of magnitude. If you look at it as a signal processing issue, that’s -60 to -90 decibels of signal in noise.

Any detection system has to deal with false positives and false negatives. In the counter-terrorism biz, that means you have to deal with the inevitability that for every terrorist, you’ll be stopping tens if not hundreds of thousands of innocents. And remember as well, the times that the terrorist is not actually on a terror mission, they’re innocents.

So yeah, the guy was on a watch list. So are a million other people. (And yes, this is a reason why we need to trim the watch list, but that’s a different issue and has a different set of problems.) (And yes, yes, those million other people are only the US citizens on the list.) This still leaves the problem of what they’re supposed to do when some rich guy complains that his son has fallen in with the wrong crowd.

Here are some hard questions: Do we search every kid who pissed off a relative? Do we search everyone who ever went to Yemen? Damascus? How about people who change planes? Travel in carry-on? Have funny underwear?

The answer is that we can’t do that, and even if we do, we merely teach the bad guys how to adapt. The point of defense-in-depth is that you stack a series of defenses, each of which is only a partial solution and the constellation of them works, not any given one. Airport screening worked some — he didn’t get in a good detonator. Passenger resistance worked some — once there was a firecracker-like explosion and a fire, they saved the plane. Defense-in-depth in toto worked.

This is not the reason to disband DHS. This is not the reason to sack Napolitano. Note that I did not say that DHS shouldn’t be disbanded. Nor did I say that Napolitano shouldn’t be sacked, merely that if you’re looking for a reason, this isn’t it.

If we look at what happened and think about what we could do better, DHS isn’t involved. The visa issue is the one to examine and DHS doesn’t give out visas, State does.

My criticism of DHS is that they flinched. They’ve put up these brain-dead stupid policies that are going to annoy travelers and are as likely to make us less safe, not more safe. They should have said that the system worked and there will be no changes so have a happy new year and stay calm.

I am willing to cut them a bit of slack, but if they don’t change their tune to “Keep Calm and Carry On,” then there will be a reason to start demanding heads. Sending people to Yemen was the right response. No headphones on the plane is the wrong one.

If DHS and TSA want to give people reason to call for firings and disbandings, they should keep doing what they’re doing now, not then.

Life is Risk. Keep calm and carry on is good advice for the rest of us, too. The vast majority of us are more likely to be struck by lightning while being eaten by a shark than we are to be a victim of a terrorist. Nonetheless, there are bad, crazy people out there. Sooner or later, no matter what we do, somethings’s going to happen. A plane will go down, a ship will have a bomb on it, a train will be attacked, or something will happen.

The actual risk of terrorism is so low that most adaptations are worse than the threat. More people died in traffic accidents as a result of shunning airplanes after 9/11 than in the actual attacks. After those attacks, the best terrorist second punch would have been a simple suicide bomber in the airport security lines.

When we wring our hands because we think that risk should be zero, we’re part of the problem, too. Schneier is right: we need more investigation and counter-terrorism and less security. Kudos to CNN and Maddow for airing a bit of reason.

So we should all thank our lucky stars that PETN isn’t as easy to detonate as we’re told. We should thank the same stars for passenger resistance. And we should breathe a sigh of relief for an incident that was botched so badly it’ll make others think twice or three times or more. And while you’re at it, don’t play with sharks in a thunderstorm.