Talk:Lecture 13


Rescorla's biological security parallel

--Aiqbal - I was very interested in Eric's parallel between cybersecurity and biological security. Patches, as he mentioned, are very difficult to create, and also take a very long time to distribute/implement (e.g. shot-based vaccines). I don't know if this parallel is used fairly frequently in discussions on biological warfare, but it may make for a good talking point in terms of policy. Using the cybersecurity model provides an example that has impacted almost every individual: at some point or another, our personal computer or our company's computer or our e-mails have been hit by a virus. That isn't necessarily the case with a deadly biological virus.

SMM: The astonishing stability of our world against WMD has historically been tied to the very large capital costs needed to get into the game. In the 1950s, the US military did enough homework to figure out that a true WMD bioweapons capability (as opposed to killing a few dozen people) would be comparable to the atomic bomb project. On-line viruses, of course, cost nothing to make once you have the first one. The analogy would, however, work if you could genetically engineer viruses that were not just lethal but also wildly contagious. This is a much harder problem for modern genetic engineering, mostly because our models of epidemics aren't good enough to predict whether a totally new bug would cause a plague or just peter out. Nature creates new plagues a couple of times per century, but it has a big budget -- presumably, there are thousands of new bugs for every disease that takes off.

Jeff Davis The analogy also breaks down when you consider I can easily wipe and reinstall a computer; it is not easy to fix a dead human. The analogy breaks down even if you limit yourself to patches and vaccines, since it is much harder to create a virus from a vaccine than an exploit from a patch. Real viruses also mutate of their own accord.

Discovering our Weaknesses (not really lecture-related)

--Gorchard 00:41, 24 November 2005 (PST) - I had an interesting thought while watching the PBS "Cyber-War" program that someone linked to back in the discussion page of lecture 5 or so. The cyber attack that we want to avoid at all costs is a terrorist attack aimed at taking down power grids, communications, or other critical infrastructure. So perhaps non-terrorist cyber attacks of recent years, especially those created 'just for fun', have actually benefitted us more than they've harmed us. They have alerted us to the extreme vulnerabilities in computers on the internet and the possible damage that could be done...and in response we've become much more aware and started to design systems and implement measures to make such attacks more difficult. One argument against that might be that those attacks have also alerted terrorists to the attack opportunities available via the internet, but I feel there is a 'bright side' to attacks and viruses of recent years that might be overlooked.

TedZ I suppose it's kind of like tickling the immune system. If you're never exposed to a cold, you'll have a terrible immune response when you finally do get exposed to one.

Jeff Davis I think the analogy works better in this case.

High value vulnerabilities v. Low value

Chris Fleizach - One issue that wasn't discussed by Eric Rescorla is classifying vulnerabilities between critical and low priority. His research showed very little in terms of a trend in reducing the number of overall vulnerabilities, but how many of those vulnerabilities were major issues? For example, when the next buffer overflow in CUPS (a printing server) is found in RedHat that allows a user to perform a DoS on printing services, does it affect that many people? Maybe no one noticed it before because no one really cares that much except the security researchers looking to increase the number of vulnerabilities they find.

Another point that was brought up briefly questions if the total number of investigators is increasing does it also point to an increase in vulnerabilities found over some longer time span. His model assumes an infinite number of possible vulnerabilities, which would mean the number of vulnerabilities found should be going up as more researchers enter the field. But, if the number of researchers is going up and the number of bugs found is at a constant rate (or going down), then it seems like the quality of software might be improving.


Eric Rescorla - Good questions. WRT to the question of the severity of vulnerabilities, you do get similar results if you look at just the vulnerabilities that ICAT rated as severe, though it's not clear how much those ratings tell you, of course. The question about the number of researchers in the field is a good one and one we have no good way to control for. On the other hand, we don't really know what the shape of that curve looks like and it's confounded by the amount of attention the researchers pay to any individual piece of software.

Jeff Davis I think the quality of software is improving (well, at least the quality of Windows is improving). Every new and interesting exploit adds a checkbox to the list of things to look for during code review and plan for during threat modeling. Software may be infinitely malleable, but I think it is reasonable to assume there are only so many classes of security bugs. Scanning tools, security literature and developers all get better. The future will be in finding very specific, clever exploits in things like system APIs, web browsers (the IE download dialog out of memory bug), etc, which I predict will lead to a decrease in found exploits.

Marty Lyons, UW CSE It's also only in recent years that the awareness level has escalated high enough that mature programming practices have emerged, to reduce the common vulnerabilities common in code. Texts such as "Writing Secure Code" [1] and "Code Complete" [2] have probably done more than universities in teaching good practice (how many of you ever recall a course on making your code safe from attack?). In this sense, industry has been forced to take the lead rather than academia, since the costs and potential legal issues with shipping faulty products got enough bad press. I'd make the comment that there is an emerging separation coming, with Computer Science taught as one curriculum, and Software Engineering as another, to address these very issues.

Dirty Bombs

Sean West (2nd Year MPP/GSPP): One of the most interesting questions in homeland security today is that of the dirty bomb/radiological dispersal device. Most recently, we have heard of the threat of dirty bombs by Jose Padilla, accused of plotting to detonate an RDD in Chicago--only to be reclassified by the Bush Administration as a criminal rather than an enemy combatant in the last week. But the case of the dirty bomb raises a lot of questions about just how much more damaging one would be than a conventional bomb. Surely, we should fear any type of bomb or attack on our society, but in people's minds there seems to be a dichotomy between conventional attacks and what are generally referred to as "weapons of mass destruction." But just as Prof Ackerman described in a previous lecture, dirty bombs are more a weapon of mass disruption than one of destruction. Graham Allison makes a similar point in Nuclear Terrorism, yet society at large remains much more fearful of an RDD than a conventional attack. While I do not wish to argue that we should not fear an RDD, or that the threat of radiation spreading post-attack to first responders isn't a major issue, I am wondering how we should reflect this understanding of the true limits of damage of an RDD in our homeland security policy. Should we treat it like a "Conventional AttackPlus" or should we continue to place it alongside WMD? How much should anticipation of public panic even in light of limited damage inform our policy?

Chris Fleizach - Many of the lectures/reading in this course have stressed repeatedly the general ineffectiveness of a dirty bomb. One lecture even conjectured that Al Qaeda discouraged Padilla from attempting to use such an attack, because it would not accomplish much. So the course work on this issue, instead of focusing on damage and mitigation, has changed to one on perception. Whereas with chemical, biological and nuclear, the perception matches reality, radiological devices are in polar opposition. If it is only a perception point, certainly the public's mind can be changed. If that is done, then it won't be able to act as a weapon of mass disruption, and we will have removed one more attack vector from terrorists. Why has the White House allowed this threat perception be continued to be taken out of context... Perhaps, there is a usefulness in creating unnecessary anxiety for the purposes of extending power.

--Dennis Galvin 21:52, 28 November 2005 (PST) - Although the dirty bomb in and of itself may have little physical effect, our societal reaction to the detonation of such a bomb might have far greater effect. For instance the cost (monetary and otherwise) of the measures taken after the 9-11 attacks (depending on whether you count the activities in Iraq) may have easily exceeded the direct monetary cost of the destruction and damage of buildings. Additionally, the reduced liberty and American reactionism may have great costs eventually. It is difficult for me to fathom that Osama Bin Laden was ignorant of these effects when the attacks were conceived.

Ted Zuvich I think the most likely effect of a dirty bomb going off would (in the long term) be the creation of a slum area where the bomb went off. Anyone who could afford to move out of the area would move out. Probably with government assistance. The area would be cleaned up, amongst great public hue and cry and at great expense, but people still would not want to live there, no matter how much you educated them. Any attempts at education as to the real (nearly nonexistent) threat would be sneered at as "propaganda." The only people who would live in the area, for many years afterward, would be those that could not afford to live anywhere else. There's just too much fear wrapped up in the issue of radiation exposure.

Nilkund Aseef The theoretical situation occurs when terrorists get hold of radioactive material from a hospital or food-irradiation plant, attach it to an explosive, and detonate the bomb in an urban area. But the biggest health risk from a dirty bomb would not be cancer, but panic. The best way to protect ourselves against radiological terrorism is to make sure the public and emergency responders are provided with the best information. But in the unfortunate event of a dirty bomb, the biggest enemy is fear. Radiation officers would be able to measure radiation levels fairly quickly and assess the situation. According to all imaginable scenarios, the public would suffer no measurable health risks by taking a few extra moments to evacuate the affected area in an orderly fashion.

Jeff Davis Sean: It is a matter of public perception which has been unduly influenced by bad journalism after 9/11.

Chris: I'm shocked, SHOCKED I say, that you would accuse the Bush administration of any such deviousness. Actually, you're probably right. However, I disagree that the public's mind could easily be changed. I would put money on the average American being unable to define "radiation." This is yet another manifestation of the brokenness of our education system.

Dennis: I suspect that we may never know OBL's intentions, but I bet the primary intention was to disrupt the financial power-house that is NYC. If you had told me on 9/10 what was going to happen I would have never foreseen the insane American reaction. Maybe it's just youthful ignorance on my part.

Ted: Yep, except nobody would live there, poor or not. There was a development outside of St. Louis (my home town) called Times Beach that got evacuated because they put a bunch of dioxin in the streets. It was evacuated and nobody will go near it to this day, even though it is considered dioxin free now. They even deleted the exit ramps from the highway. Wikipedia claims there is a park there now (haven't been there myself) but I suspect it is one extremely unvisited park.

Nilkund: Very amusing. See my reply to Chris.

Marty Lyons, UW CSE -- A secondary part of this question is to what degree does the public continue to trust its own government to look out for their welfare? In parts of the country with known weather systems, most people have grown up with or taken it upon themselves to learn what to do. So if you live in "Tornado Alley", you know when the weather looks like things might spawn, you stay near shelter. If you're in Florida hurricane country, you probably know how to board up your house and where to evacuate. The situation here in the west is a little more tenuous, since earthquakes come without warning. You'd hope most people will be smart enough to have some food and water on hand for afterwards, etc. But ponder what's happened after the Hurricane Katrina disaster. Public mistrust of government to aid them has decreased dramatically, and some would say vanished. If someone came to your community a week after a radiological attack, would you trust their directions? Would you have trusted them *before* Katrina? It's going to take a long, long time for federal government credibility to return after the performance in the gulf region.

Lecture 13 Comments and Questions ...

Professor Maurer, this may have been implied by your lecture but how much do you think the Cold War situation affected the public's attitude towards nuclear energy? It seems likely to me that the baby boomers having to do duck and cover drills and live through the Cuban Missile Crisis must have really added to a negative perception of nuclear energy and radioactive substance generally.

SMM: Sure. They also went to a lot of movies about giant ants wriggling out of the desert...

Professor Maurer, as a former litigator, what is your stance on tort reform? You seemed to suggest that plaintiff’s attorneys play a large role in maintaining the public's negative perception of nuclear energy.

SMM: I don't think you should justify tort reform as a way of controlling "dangerous speech." It may make sense on other grounds, but that's not really related to the course.

I understand that FEMA primarily handles natural disasters. However, if there was a dirty bomb attack would they be tasked with the cleanup? If not, which agency would be? If so, and the Dept of Homeland Security believes that a radiological device is a real threat, we may all be in a bit of trouble since I understand that FEMA is undergoing huge budget cuts and is actually being downgraded, organizationally speaking, within the Dept of Homeland Security to more of an office than an agency.

SMM: FEMA handles all the disasters, it was originally tasked with nuclear war. Moving around the organization boxes rarely means that the capabilities will disappear, FEMA hasn't worked very well so it's at least reasonable to think that organizational reform could make things better.

Professor Maurer, you seemed to be pretty excited about benchmarking and mental models insofar as they might improve communication on the true dangers associated with nuclear energy. From what I understand, the new Energy Bill and the current leadership at the Dept of Energy are pushing nuclear energy -- has DOE been at the fore of developing/implementing such a PR campaign based on benchmarking and mental modeling? If so, do you have any examples?

SMM: No, academics have pushed this. Another place where the government should pay more attention?

Professor Maurer, when you mentioned that torture may have helped prevent the Philippines airliner attacks, were you referring to Bojinka or some other plot?

SMM: Yes, Bojinka. And that's controversial.

One of the students mentioned Israel and the Landau Commission, with respect to establishing limits on torture; can someone provide a bit more information on the Commission?

--Dennis Galvin 22:15, 28 November 2005 (PST) -- Justice Moshe Landau Israeli Ministry of Foreign Affairs web site reference to the Commission basically set out (in 1987) to codify what was allowed for Israeli Intelligence to extract information from Palestinian and other captives. The actual limits on what was allowed were 'classified' of course. In 1999, the guidelines were effectively thrown out when the "Israeli Supreme Court unanimously outlawed methods of physical force that were routinely used in interrogations by the General Security Service (GSS)" [3]. It is reported by both Amnesty International and Human Rights Watch that there were ineffective controls on the interrogators and there was a very slippery slope from what was actually permitted by Landau and what actually happened in the course of the interrogations. Of course with little to no outside oversight, who knows the truth? I'll venture the truth lies somewhere between.

One of the students also commented on the notion of symmetry/symmetrical enforcement concerning the Geneva Conventions, according to Professor John Yoo who authored many of the memos upon which the Bush administration developed their policies on interrogation techniques, that is the precise reason why enemy combatants should not find protection under the Conventions. That is, because they are not, by definition, tied to any state, there is no way to ensure that they will reciprocate treatment.

Also, with respect to how far is too far, what are peoples' thoughts on the photos from Abu Ghraib. Personally, I am not so sure that using dogs to frighten people is over the line. With regard to humiliation, Professor Maurer, that came in rather high on your list of what was too far; to me humiliation seems acceptable -- were you classifying it in some specific form or not?

With regard to the White House's, and especially VP Cheney's refusal to back interrogation reform and set concrete limits, from a pure international political sense, would it not benefit the US to form such boundaries and then, if need be, simply break them later. I mean, we are signatories to the UN Charter but that hasn't stopped us from using force in a manner that doesn't always coincide with it. Politically, I don't see how the country goes wrong by instituting, or claiming to, such regulations if it, in reality, can always pull away from them later. Any thoughts?

Concerning interrogation techniques, what is wrong with setting broad boundaries and leaving wide discretion to those responsible for interrogation -- sort of like any authorizing statute/administrative agency relationship. It's not clear to me that anything was wrong with what has existed previously. If people go over the line, they should be held responsible under the law but I would think, it makes sense to leave a fair amount of discretion to those few professionals who have the requisite knowledge to make informed decisions about the subject and not judges or legislators.

SMM: The problem is that you should draw lines before you decide whether people have gone over them. Otherwise three things happen. First, the wrong people make decisions. Interrogation is ultimately about values, "professionals" have no advantage over legislators in this regard. Second, you end up punishing people in hindsight once the threat has gone away. This invites hypocrisy and unfairness. Third, if government agents understand that Monday Morning Quarterbacking is the rule then they will stop well short of anything that might conceivably be criticized in a different political climate. So you end up with a government that is weaker than it would be with an honest, ex ante statement of what is and isn't ok to do.

Just as a reflection on Mr. Rescorla's point about black hats using old exploits to spread menace, I received two emails in the last couple of days, supposedly from the FBI, with an attached zip program. Looking online to see what this thing does, it turns out that it uses your own computer's zip capability, which you have to initiate to zip your files and send the bundle off to whomever sent the email. To me, this seems rather old school.

Mr. Rescorla also backed up a point that I tried to make on the wiki last week, that is that to the general public, so long as their individual system isn't impacted in a way that interferes with their use, they don't seem to care. As such, it seems ill-advised to spend so much on cyber security (apart from those systems that really contain sensitive information) if 1) there is no evidence that it is solving the problem 2) there isn't widespread public demand; unless, as was pointed out, marketing is a significant motive.


Professor Maurer, last year I visited the Hiroshima War Memorial and the museum placed a considerable emphasis on the lasting effects of the radiation from the A-bomb. If the consensus is that radiation has negligible effects (at least not statistically significant or detectable) I wonder why the Japanese government has continued to overemphasize the radiological component of the bomb?

Classified Testing Aimed at Enhancing Security

--Aiqbal - Not much of our discussion has focused on the reading on Joseph Hamilton and the classified plutonium testing. Firstly, it is appalling that such testing was allowed. I am sure many would agree that the injection of plutonium into a patient's body without that patient's approval is clearly a violation of their individual health and rights. However, given the time period in which Hamilton engaged in his activities, do you think he was warranted?

My comments regarding this article could well be transferred to the entire idea of security testing. As a journalist, I, of course, am forced to say that all testing information should be open to the public. My duty as a journalist is "sunshining," i.e. bringing all actions into the public's eye, especially when they relate to the citizenry's health and individual rights. However, from a security standpoint, doesn't classified research have to occur? Don't government officials have a duty to find solutions to threats, and at times, have to engage in research that is kept from the public - and nosy journalists? Of course, this is the premise of classification and the NSA. Is it right?

Most of us would probably say so. But most journalists would have difficulty accepting that argument.

Fear of radiological catastrophes - Cultural?

--Parvez Anandam 19:25, 25 November 2005 (PST): Prof. Maurer argues successfully that the US as a whole has an overly paranoid view of the risks of radiological disasters. Now, is there hope that this fear can be lessened?

It is useful to consider another society where this fear is not as deep-seated. That country would have to be a western, affluent, society for the comparison to hold value. France is such a country. Even though the US and France would often like to believe that they couldn't be more divergent, they clearly have much in common.

In their adoption of nuclear power, however, France and the US are vastly different. France has embraced it: over 80% of its energy is nuclear. The US hasn't: only 20% of its energy is nuclear (even though it is the largest producer in the world in absolute terms). While there are numerous reasons for this, certainly one of the reasons has to be the population's perception of dirty bombs (whether of the accidental or intentional variety).

The Energy Policy Act of 2005, signed into law in August, may be a sign of changing US perception. Therein is a strong thrust to augment the US nuclear energy program. One can hold hope for a feedback loop: seeing more nuclear reactors operational may serve to allay the public's fear of all things nuclear.

SMM: This is a very nice connection. You could further argue that reducing dissonance (in this case, the public's dislike for "gray area" risks) pushes society toward one of two options. In the US the public gets rid of the gray area by getting rid of powerplants, which leaves it with high fear of radioactivity. In the French model, the public gets plenty of powerplants but this makes people rationalize until the risk appears to be trivial. Neither model has much to do with underlying science, but as Parvez implies the intuition is that a middling model (a few plants, modest fear) is unstable.

One loophole in the argument is that the powerplant situation says more about what French politicians think than the man-on-the-street. So Parvez's point is actually a prediction that the average Frenchman isn't worried. Just for fun, I took a quick look on-line. I didn't find any surveys, but anecdotal evidence suggests that the French public is fine with nuclear. http://www.pbs.org/wgbh/pages/frontline/shows/reaction/etc/script.html.

Yi-Kai - That Frontline show also makes the point that France needs nuclear power, because it lacks other energy resources; whereas the US has plenty of alternatives (e.g., fossil fuels). That helps explain why France and the US ended up on opposite ends of this bipolar divide. It's also interesting that, while Americans are opposed to civilian nuclear power, almost no one feels that we should stop building nuclear submarines and aircraft carriers. People seem to have made a judgement that we do need nuclear power for military purposes.

Marty Lyons, UW CSE There is strong demand in the public nuclear power industry to hire ex-Navy nuclear personnel. It's widely acknowledged that the Navy nuclear designs and operations are probably the best in the world. I've often wondered if public sentiment would be helped if we build smaller reactors, but with a military to public technology (and staff) transfer program. You're retiring from the Navy nuc program, if you transfer to a civilian position, you get to keep accruing retirement benefits, etc. It seems to me that we need to build a better market mechanism to spur ongoing investment in the nuclear power industry. That might help push through some of the unfounded fears and replace them with presentation of good science.

Microsoft Vulnerabilities Trends

Jack Menzel -- One of the things I didn't hear discussed in Eric's talk that would probably account for some of the strange trends he sees in the NT 4 bug fix trends aside from resources devoted to maintaining the operating system is the corporate philosophy regarding what bugs are actually fixed. Speaking from my three years experience working for Windows Serviceability producing hotfixes, there have been several dramatic shifts in the "bug bar". When I started in 2002 the trend was a simple and idealistic "bugs are BAD, if a customer reports a bug we must fix the bug", there was little regard for overall effect that the fix would have on the entire operating system. This combined with the security push had the result that though we fixed as many customer issues as we possibly could there was a very high regression rate. Then as everyone went through the difficulty of stabilizing the operating system for XP SP2 and W03 SP1 and a number of very visible recalls of security fixes the what-to-fix pendulum began its swing back to a much more conservative bug bar. Currently fixes are very carefully scrutinized. If they are not security, then they must have a strong business justification, have a very contained effect on the overall OS, and the fix itself should be made to minimize code churn.

Though this says little about how many bugs _actually_ exist in NT 4, because there is a single entity making the fixes their philosophy on what is fixed, how, and when will highly influence the bug fix trends.

Ted Zuvich -- one problem that I had with this paper was that I did not feel that the data was analyzed properly. Most of the bug rates were presented versus time, but I don't think that's a valid comparison. A better plot might be versus "effort", or "$ spent". This would normalize out the changing emphasis placed on finding security bugs.

EKR -- The problem of effort is a difficult one that has an obvious impact on the data. Unfortunately, we have no actual data on the level of effort that's being applied to searching for vulnerabilities in any given package, let alone in that package over time, so rates versus time is what we have to live with. A similar problem, unfortunately, obtains wrt the issue that Jack raises.

--Brian McGuire Besides rates versus time, would it be beneficial to include some sort of severity weighting? I'd guess that the severity decreases over time as well as the rates.

Self justification of torture – Disturbing

Tolba I have to admit that last lecture’s topic wasn’t an easy one. The body almost shivers just when considering the thought of how cruel humans can be to one another. Jeremy Bentham’s theory of ‘driving more happiness for others from the suffering of the tortured’ and the other comments about investigators ‘”knowing” the person is guilty about possessing terrorist cell information’ strike some listeners - at least - as complete nonsense. This logic completely disregards the fact that those tortured people could very well be innocent. I’m also amazed by all the propagators of such ideologies like ‘but they do worse to us’. The premise here is that we are different and that self-restraint only matters when one has the ability to exercise power and doesn’t. Finally, the last thing we want to see is torturing in retaliation which can fuel the never ending circle of violence.

Avichal 15:31, 28 November 2005 (PST) Torture is probably abominable by everyone's standards. However the issue that investigators usually deal with is where to draw the line between interrogation and torture. Frankly the people we are dealing with in the war against terrorism are not nice people. You cannot expect an Afghan terrorist to truthfully and candidly respond to polite questioning. The Geneva convention and such makes sense when we expect reciprocal treatment of our own personnel by opposing forces. But that point is moot when dealing with terrorist organization and states.

With the recent furor on prisoner/detainee treatment at Guantanamo Bay, Cuba and Abu Ghraib prison, the military has had to issue strict statements regarding not using torture. However the problem is that the language used is so broad as to exclude even mild physical/mental discomfort. If our armed forces or investigative agencies are put in a position where they cannot use any kind of coercive measures during their interrogation processes, that will put us as a nation at a great disadvantage.

--Chris DuPuis 18:56, 28 November 2005 (PST) If the goal of the U.S. in Iraq is to completely destroy all who have the will to resist, hunt down every single person who harbors ill will towards us, and totally break the will of the Iraqi people while making the rest of the world vilify us, then torture would be a great tool for accomplishing this. However, it seems likely that the goal of the U.S. in Iraq is to bring law and order to a region that is currently on the brink of anarchy. As such, less attention should be paid to foiling individual plots (which, like Rescorla's bugs, are essentially infinite in the current environment) and more attention to doing things to reduce the level of hatred against the U.S. in Iraq. Torture, of course, is not on the list of things to try to make people like us.


--Dennis Galvin 21:22, 28 November 2005 (PST): In an informal discussion between the two halves of the lecture in Seattle, the subject of what can our military (and civilians for that matter) expect of our captors should we fall into not so friendly hands in light of the rough handling of detainees. The example (Ed Lazowska mentioned) of US soldiers wishing that North Viet Nam was a signatory to the Geneva Conventions was particularly compelling, in light of the fact the South Vietnamese took great liberties with prisoners from the North.

The case of William Sampson (a Canadian) is an interesting one. He has just published a book detailing his arrest, interrogation (much torture involved), sentencing (death), eventual release at the hands of our allies in Saudi Arabia. He has just published (October 2005) a book with the gruesome details Sampson, William, Confessions of an Innocent Man: Torture and Survival in a Saudi Prison. In interviews over the last few weeks (CBC, BBC, CTV, etc.), it was clear the intent of the interrogation and torture was not to garner information, but to extract a confession to trumped up charges. His captors in the Saudi facility eventually got him to sign a confession and make a video through the systematic use of sadistic mental, physical, sexual mistreatments applied. After hearing of his mistreatment, I wonder how many of the individuals the US and its western allies in Iraq have detained might have similar stories. From some that I have read and heard, the aim of our interrogations is to develop actionable intelligence.

Chris Fleizach - William Sampson sounds a lot like Maher Arar, a Canadian citizen abducted by Canadian officials acting on poor information from the US Department of Justice. He was then shipped off to Syria, a nation known for torturing, where he was promptly tortured and held for a year without any charges being filed. Eventually, he was released and returned to Canada, and never once was he charged with a crime. This was one example of America outsourcing its torture to other countries to try to get "actionable intelligence." In the upcoming papers, the Church report mentions most of the people in charge of interrogations are under pressure to extract any useful information. Although the report said that the pressure was not more than to be expected in a war zone, we also have to wonder why so many prisoners have died in American prisoners if pressure to obtain info was at normal levels. And moreover, is the information coming out of suspects useful if obtained under mental or physical duress. My guess is that it's not nearly close to being 100% truthful/useful, which is the only reason anyone could justify using torture.

Changing Public Perception

Last Best Chance

David Dorwin Professor Maurer talked about educating the public or trying to change perceptions about nuclear and radiological dangers. The "docudrama" [Last Best Chance] from the [Nuclear Threat Initiative] appears to have been created in part for this purpose, though the goal seems to be to increase worry rather than alleviate it. I would guess that the goal is to bring the issue to the attention of the public and thus force public officials to take action.

The movie was apparently shown on HBO and you can [order your own copy]. (What better way to reach Americans than through the TV?) This paragraph from the email they send you when you order the DVD gives a hint of their intentions:

Thank you for ordering a copy of Last Best Chance. We appreciate your support for our efforts to build awareness about the threat posed by unsecured nuclear weapons and materials. Together we can make a safer world.

Now for a disclaimer: I saw one review of this movie that said it "abruptly ends and doesn't bother to have a conclusion" so don't be disappointed if it does. I haven't seen it, so I can't comment on the ending.

How to Educate the Public?

David Dorwin I find the idea of trying to educate the public about the extent, likelihood, and potential damage of nuclear, radiological and other threats interesting. It is especially difficult when trying to convince them of something that is counter to their instincts. While I haven't seen Last Best Chance, my perception is that it puts the issue in your face and tries to increase your worry, and this seems like a much easier task. Despite the "good news" that Professor Maurer gave us in the lecture this week, I'm still baffled by the fact that we haven't secured all the nuclear material in the former Soviet Union.

Any thoughts on ways to calm the public's fears? Of course it may not be in the interest of the media or politicians who could do this. Fear attracts more viewers and a fearful public is more easily controlled.

Nilkund Aseef I would say educating the public is the key. I see there are two categories of people. The first set simply do not care and are not aware of the threats regarding cyber criminal activity and/or cyber terrorist activities. The second category are overly worried. Here, if we can speak out the facts, more particularly on the likelihood of a terrorist organization carrying out radiological/biological/chemical attacks, that should ease the fear to some extent. Also, in cases of other attacks, we could take some steps to reduce their effects or the aftermath.

liebling Our white paper will be about terrorist attacks on schools. Although parents will likely express extremely emotional opinions about protecting their children from radiological attacks (because of misplaced perceptions), they are unlikely to actually pony up the money for defenses that are in reality largely unnecessary. So from a "put your money where your mouth is" perspective, things are aligned properly. On the flip side, they will probably lobby their school boards to shore up defenses against school shooters. An interesting read is Paul Slovic's book The Perception of Risk.

Manish Mittal Influencing public perceptions regarding the threats posed by nuclear and radiological terrorism is not a matter of working from a blank slate. One of the steepest challenges to effective risk communication on this is to reeducate members of the public about issues they think they understand, and to teach them to distinguish fact from fiction on the subject of radiological risks. In the absence of reliable information, most people make intuitive risk judgments on the basis of memorable images and events within their own direct and indirect experience. The American public has for decades traded off the risks associated with maintaining an arsenal of nuclear weapons for safety and security from external threats.

The main challenge is to find ways to focus public attention on the real dimensions of the threat and to prepare communities for the full range of probabilities—without simultaneously educating terrorists about technical issues or pointing out vulnerabilities in security provisions and response plans. This paper [4] talks in detail about informing people of risks & realities of terrorism.