LA Airport Uses Random Numbers To Catch Terrorists

An anonymous reader writes "Los Angeles International Airport (LAX) is using randomization software to determine the location and timing of security checkpoints and patrols. The theory is that random security will make it impossible for terrorists to predict the actions of security forces. The ARMOR software, written by computer scientists at the University of Southern California, was initially developed to solve a problem in game theory. Doctoral student Praveen Paruchuri wrote algorithms on how an agent should react to an opponent who has perfect information about the agent's choices."

Re:Doesn't Microsoft hold patents on that?

[JackMeyhoff]

actually the Excel bug was a rendering bug, the actual calculated value was correct, to prove this, take the output that is visually wrong in the cell and use in a further calculation. You will the result is correct.

Re:Doesn't Microsoft hold patents on that?

[jkrise]

actually the Excel bug was a rendering bug, the actual calculated value was correct, to prove this, take the output that is visually wrong in the cell and use in a further calculation. You will the result is correct....

Wrong! It is random, actually. It's right there in the summary of the /. artice:

"Suppose the formula is in A1. =A1+1 returns 100,001, which appears to show the formula is in fact 100,000... =A1*2 returns 131,070, as if A1 had 65,535 (which it should have been). =A1*1 keeps it at 100,000. =A1-1 returns 65,534. =A1/1 is still 100,000. =A1/2 returns 32767.5."

So it's just not a simple rendering bug... on random ocassions, it calculates further using the faulty value.

Re:Government vs Commercial

[Anonymous Coward]

"BTW, the trains are very safe, too. No terrorists and very few accidents."

Apparently you didn't read the news in 2004.

http://en.wikipedia.org/wiki/2004_Madrid_train_bombings [wikipedia.org]

Or the news in 1998.

http://en.wikipedia.org/wiki/Eschede_train_disaster [wikipedia.org]

Not elementary!

[Ambitwistor]

Randomize checking so that an attacker can't predict the next check and avoid it? That's what I would do, too. Can I be a high-paid security consultant now?

The point is not that the strategy is random, but that the randomization is optimized to be robust against an adversary who knows what your randomization scheme is. That's what the game theory [wikipedia.org] is for: it's a classic mixed strategy [wikipedia.org].

Remember, there are many ways to be random: check area X Y% of the time; perform check W Z% of the time, etc. What should Y and Z be? How do you balance the occurrence of Type I and Type II errors? [wikipedia.org] Some strategies are better than others: there's a reason why game theory was invented.

Try reading the study [usc.edu]; the results are not trivial.

Government vs Commercial, or Train vs. Airplane?

[Ambitwistor]

I read a fascinating article in the Freeman comparing train security, mostly privately done, with airports security, done by the government. The key difference was that when it was done commercially the inconvenience to customers was quite minimal. On the other hand when the government runs it, it is very inconvenient for customers. Why do you think this?

You mean this article [fee.org]?

It's comparing apples and oranges, as far as I can tell. It describes private security companies and "posses" pursuing known perpetrators in the 19th century. This is essentially police work, and is a quite different issue from preventing unknown threats from boarding in the first place. It claims that going after criminals is better than screening large numbers of non-criminals. Well duh, the problem is to find out who the criminals are, in a way that safely prevents them from carrying out whatever acts they're trying to carry out.

The article also says the private companies also sent guards on trains to foil robberies and such. Well, that's what federal air marshals are for. We've already got those. The article appears to be arguing that we just need the air marshals, and don't need any airport screening. Well, that's debatable, but as far as I am concerned, it doesn't have much to do with private vs. government security.

I think the situation with train robbers vs., say, suicide bombers is quite different. The article gives an example of train robbers who threatened to blow up the train if they weren't allowed to escape. Well, that's quite different from a guy who intends to die with everyone else: he's got no reason to negotiate. If you let him on with a bomb, you've already lost, unless you're really, really counting on those air marshals or helpful passengers (a la Richard Reid). It's a harder security problem.

Finally, the article says that the railroads booted troublemakers off the premises instead of letting them board the trains. It also says that federal law prohibits airlines from doing the same. I don't understand this; I've certainly read news stories about suspicious passengers being removed from planes, and of course TSA can prevent them from boarding in the first place.

Now, I am not trying to argue in favor of draconian airport screening, but I think the differences between security against train robbers and security against airline terrorists have more to do with the completely different settings and goals, rather than private vs. government administration of the security measures.

Re:set of locations?

[Ambitwistor]

If you figure this is a sizable force, and that all of them use the randomization software, four years worth of recon (TFA gave that as a time period for pre-strike operations) ought to give the terrorist enough information to know where these "random points" are.

You're missing the point. The analysis assumes that the terrorist already knows that information anyway. The adversary is assumed to have perfect information about the randomization strategy, where the checkpoints are, etc. Then a randomization strategy is designed to minimize failures even in light of this information.

How do they account for the fact that there will always be an area that these security forces don't patrol because no one told the computer that the place exists.

That is a better point, but we don't know whether there have been lapses in specifying the layout of the airport. (Of course, there will always be security holes that nobody has thought of at all, but obviously it is hard to guard against those with ANY security method.)

Re:Smart, really smart

[Ambitwistor]

So, in order to improve airport security you give "vast amounts" of classified data about airport security to a collection of grad students to input into a program that produces allegedly randomized output.

Uh, there are plenty of grad students with security clearances: they work on classified research projects, like this one. You think you can't have a clearance if you are a student or something?

Or do you think there's something wrong with giving classified data to people with security clearances, just because they're also grad students?

Re:Government vs Commercial

[Teun]

Or the news in 1998.

http://en.wikipedia.org/wiki/Eschede_train_disaster [wikipedia.org]

I fail to see what bad maintenance practice has to do with terrorism.

There have been several incidents in Germany where terrorists were picked up just in time to prevent them blowing up a train, here is one of them:
Suit case bombs(Print version) [stern.de]
(Sorry when you didn't pay attention in your German classes)

Re:Doesn't Microsoft hold patents on that?

[jkrise]

No, it's still a rendering bug. The occasions that it appears to calculate further using the faulty value is actually when it still triggers the rendering bug.

Is that so? If you actually took the trouble of reading the responses to the conjectures in the blog (yes, conjectures and speculation.. not an official Microsoft statement) you will come across this bit:

David,

You said "Any calculations based off that cell will be accurate too. Hope that helps."

But that's not entirely correct. At least not from what I have seen. If you happen to be rounding your calculations (=ROUND(850*77.1,2)*2), it also rounds it to 100K making that permanent.

So, while it is true that most cases Excel treats the value as correct except for the visual side of it, in others it actually DOES treat it as 100K.

Rob

So it appears that this is just not a simple rendering bug. Also, it is unclear why floating point operations in this zone must result in this peculiar bug.. and again, only in Excel 2007, but not earlier versions. Until the whole truth emerges (which is impossible in a closed-source product) this can only be treated as 'random' behaviour in simple arithmetic operations.

Re:Security Through Obscurity!

[644bd346996]

You make some good points about getting humans to actually follow the random search patterns, but I don't think we need to worry too much about terrorists being able to steal the schedules. Because they are random, they don't need to be generated very far in advance, leaving would-be infiltrators at most a few hours to steal the information, plan the timing of an attack, and execute it. Even though the actual window of opportunity for slipping through security won't be reduced, it becomes much much harder to take advantage of a temporary gap.

Using random patrol patterns gets rid of the biggest known weakness of routine patrols. Only time will tell if the problems introduced by random patrolling are worse. In the meantime, I have no qualms with using the method that has fewer obvious exploits.