Bruce Schneier : Architecture & Security

The criminology students at Cambridge have an excellent view of dystopian architecture

Bruce Schneier talks about ‘Architecture and Security’: architectural decisions based on the immediate fear of certain threats (e.g. car bombs, rioters) continuing to affect users of the buildings long afterwards. And he makes the connexion to architectures of control outside of the built environment, too:

“The same thing can be seen in cyberspace as well. In his book, Code and Other Laws of Cyberspace, Lawrence Lessig describes how decisions about technological infrastructure — the architecture of the internet — become embedded and then impracticable to change. Whether it’s technologies to prevent file copying, limit anonymity, record our digital habits for later investigation or reduce interoperability and strengthen monopoly positions, once technologies based on these security concerns become standard it will take decades to undo them.

It’s dangerously shortsighted to make architectural decisions based on the threat of the moment without regard to the long-term consequences of those decisions.”

Indeed.

The commenters detail a fantastic array of ‘disciplinary architecture‘ examples, including:

  • Pierce Hall, University of Chicago, “built to be “riotproof” by elevating the residence part of the dorm on large concrete pillars and developing chokepoints in the entranceways so that rioting mobs couldn’t force their way through.” (There must be lots of university buildings like this)
  • “The Atlanta Fed building has a beautiful lawn which surrounds the building, and is raised 4 or 5 feet from the surrounding street, with a granite restraining wall. It’s a very effective protection against truck bombs.”
  • The wide boulevards of Baron Haussmann’s Paris, intended to prevent barricading (a frequently invoked example on this blog)
  • The UK Ministry of Defence’s Defence Procurement Agency site at Abbey Wood, Bristol, “is split into car-side and buildings; all parking is as far away from the buildings (car bomb defence), especially the visitor section. you have to walk over a narrow footbridge to get in.

    Between the buildings and the (no parking enforced by armed police) road is ‘lake’. This stops suicide bomber raids without the ugliness of the concrete barriers.

    What we effectively have is a modern variant of an old castle. The lake supplants the moat, but it and the narrow choke point/drawbridge.”

  • SUNY Binghamton’s “College in the Woods, a dorm community… features concrete “quads” with steps breaking them into multiple levels to prevent charges; extremely steep, but very wide, stairs, to make it difficult to defend the central quad”
  • University of Texas at Austin: “The west mall (next to the Union) used to be open and grassy. They paved it over with pebble-y pavement to make it painful for hippies to walk barefoot and installed giant planters to break up the space. They also installed those concrete walls along Guadalupe (the drag) to create a barrier between town and gown, and many other “improvements.””
  • I’m especially amused by the “making it painful for hippies to walk barefoot” comment! This is not too far from the anti-skateboarding corrugation sometimes used (e.g. the third photo here), though it seems that in our current era, there is a more obvious disconnect between ‘security’ architecture (which may also involve vast surveillance or everyware networks, such as the City of London’s Ring of Steel) and that aimed at stopping ‘anti-social’ behaviour, such as homeless people sleeping, skateboarders, or just young people congregating.

    19 thoughts on “Bruce Schneier : Architecture & Security”

    1. Certainly, Aapo. I’m sure US readers will be able to explain more, but as I understand it, there were a significant number of student protests (against the Vietnam war, in favour of civil rights, and various other causes) at American universities, particularly during the 1960s and 70s, many of which turned violent with the involvement of law enforcement or the military, and thus architects were instructed to plan university and college layouts to make it more difficult for students to gather en masse.

      For example:

      The shootings at Kent State University, in Ohio, 1970, when a riot broke out amid demonstrations against the US’s invasion of Cambodia, and the National Guard killed four students;

      People’s Park at Berkeley, where a student was shot dead by police in 1969 amid a protest about the university destroying the park;

      The Jackson State College killings, in 1970, when police opened fire on students protesting about “the Vietnam War, the… Kent State shootings, and racial tensions”;

      There have also been riots related to university sports (e.g. Michigan State).

      It’d be interesting to know whether the architecture of a university itself has ever contributed to student unrest. For example, when I was an undergraduate at Brunel University in the UK, the prospect of my department moving from this building to this building was sufficient to cause a number of students to forgo a placement year and thus finish their course a year early rather than have to live and work in such a different environment. That’s a long way from rioting, but it certainly caused ‘unrest’!

    2. These Architectures of control aren’t new: temples in India and Morocco have gateways with lintels so low that people must dip or bow to enter the temple, just in case they weren’t intending to respect their gods.

    3. These examples seem to run the gamut from justified to outrageous. For example, making important defense-related structures fortresslike has obvious justification. On the other hand, inhibiting people from congregating is another matter. Particularly and calling the behavior “antisocial”, since it’s clearly quite the opposite, especially in a nation whose bill of rights clearly and explicitly includes the “freedom to peacably assemble” as an “inalienable right”.

      (Violently assemble is another matter, but the protests noted above seemed to become violent only when police or even actual soldiers attempted to violate their rights to “peacably assemble”. Probably when they started it by throwing the first punch, or canister of gas, or whatever. The police should not have the right to launch a pre-emptive strike because they think someone might commit a crime.)

      Others I find especially offensive include: making a quad less defensible (making something less attackable makes sense; making it less defensible can only serve the purpose of disempowering or disenfranchising, and so is antidemocratic); making it painful for hippies to walk barefoot (!! — this is a completely inoffensive behavior, not in the least “antisocial”, and narrowly targeted at a particular group of people because you disagree with their politics. Moreover, the behavior targeted clearly falls under free expression, and need not be accompanied by any overt evangelization of those politics whatsoever. Where I come from, if you disagree with someone’s politics but they are not being violent or stealing, you ignore them or you debate them, but you do not gratuitously interfere with their behavior out of pure malice.); stopping homeless people sleeping.

      Homeless people. What are they expected to do, remain awake 24/7? Die of exposure? Well, actually, it’s go away and stay out of sight, out of mind. I think the best thing that could be done to solve the problem is to ban anti-vagrancy laws, including anything that’s intended to function as such however phrased. Only when the well-to-do can no longer simply sweep the problem under the rug and walk to their cushy jobs and back to their fancy homes each day unperturbed by reminders that others are less fortunate will something be done by anyone with the power (or money!) to do something effective. Making them hide in alleys or even in volunteer-run shelters with the priority not being public safety or theft-prevention but making them go away and be invisible is simply terrible public policy. Making a segment of the population invisible disenfranchises and demoralizes them. Undemocratic! They should have shelters to retreat to in bad weather, yes — and they should have the right to be visible, and to beg for money or do other things so long as they don’t get violent or steal or otherwise become more than a minor nuisance. But let them be minor nuisances if they choose, and let them be visible! Only then will there even be many volunteers for those shelters, let alone any chance of addressing the huge unemployment/no job security problems, gaping holes in the safety net, and other issues causing poverty and gross inequities in wealth and opportunity. Certainly any shelters have to include reasonable (cheap) free clothing and the ability to bathe, too — anyone with no more access to those has zero hope of future employment. But letting them climb up and compete for jobs isn’t what the powers that be want, is it? Benefiting from highly unequal wealth distribution while being spared reminders of what this costs some fraction of the population is what they want…)

    4. MODIFICATION to thwart “duplicate comment detected”. First posting attempt threw up an astonishing 403 Forbidden! What, I’m banned??? Surely not. Second attempt said “duplicate comment detected”, probably because before it rejected the first comment, it did record a hash or something for the duplicate detector. Now to see if I’m really banned, or if the posting software is just behaving badly.

      Original post follows:

      These examples seem to run the gamut from justified to outrageous. For example, making important defense-related structures fortresslike has obvious justification. On the other hand, inhibiting people from congregating is another matter. Particularly and calling the behavior “antisocial”, since it’s clearly quite the opposite, especially in a nation whose bill of rights clearly and explicitly includes the “freedom to peacably assemble” as an “inalienable right”.

      (Violently assemble is another matter, but the protests noted above seemed to become violent only when police or even actual soldiers attempted to violate their rights to “peacably assemble”. Probably when they started it by throwing the first punch, or canister of gas, or whatever. The police should not have the right to launch a pre-emptive strike because they think someone might commit a crime.)

      Others I find especially offensive include: making a quad less defensible (making something less attackable makes sense; making it less defensible can only serve the purpose of disempowering or disenfranchising, and so is antidemocratic); making it painful for hippies to walk barefoot (!! — this is a completely inoffensive behavior, not in the least “antisocial”, and narrowly targeted at a particular group of people because you disagree with their politics. Moreover, the behavior targeted clearly falls under free expression, and need not be accompanied by any overt evangelization of those politics whatsoever. Where I come from, if you disagree with someone’s politics but they are not being violent or stealing, you ignore them or you debate them, but you do not gratuitously interfere with their behavior out of pure malice.); stopping homeless people sleeping.

      Homeless people. What are they expected to do, remain awake 24/7? Die of exposure? Well, actually, it’s go away and stay out of sight, out of mind. I think the best thing that could be done to solve the problem is to ban anti-vagrancy laws, including anything that’s intended to function as such however phrased. Only when the well-to-do can no longer simply sweep the problem under the rug and walk to their cushy jobs and back to their fancy homes each day unperturbed by reminders that others are less fortunate will something be done by anyone with the power (or money!) to do something effective. Making them hide in alleys or even in volunteer-run shelters with the priority not being public safety or theft-prevention but making them go away and be invisible is simply terrible public policy. Making a segment of the population invisible disenfranchises and demoralizes them. Undemocratic! They should have shelters to retreat to in bad weather, yes — and they should have the right to be visible, and to beg for money or do other things so long as they don’t get violent or steal or otherwise become more than a minor nuisance. But let them be minor nuisances if they choose, and let them be visible! Only then will there even be many volunteers for those shelters, let alone any chance of addressing the huge unemployment/no job security problems, gaping holes in the safety net, and other issues causing poverty and gross inequities in wealth and opportunity. Certainly any shelters have to include reasonable (cheap) free clothing and the ability to bathe, too — anyone with no more access to those has zero hope of future employment. But letting them climb up and compete for jobs isn’t what the powers that be want, is it? Benefiting from highly unequal wealth distribution while being spared reminders of what this costs some fraction of the population is what they want…)

    5. OK, looks like you’ve blocked comment posting from my original IP. I can only assume someone else that shares my ISP abused it, because I know I didn’t.

      MODIFICATION to thwart “duplicate comment detected”. First posting attempt threw up an astonishing 403 Forbidden! What, I’m banned??? Surely not. Second attempt said “duplicate comment detected”, probably because before it rejected the first comment, it did record a hash or something for the duplicate detector. Now to see if I’m really banned, or if the posting software is just behaving badly.

      Original post follows:

      These examples seem to run the gamut from justified to outrageous. For example, making important defense-related structures fortresslike has obvious justification. On the other hand, inhibiting people from congregating is another matter. Particularly and calling the behavior “antisocial”, since it’s clearly quite the opposite, especially in a nation whose bill of rights clearly and explicitly includes the “freedom to peacably assemble” as an “inalienable right”.

      (Violently assemble is another matter, but the protests noted above seemed to become violent only when police or even actual soldiers attempted to violate their rights to “peacably assemble”. Probably when they started it by throwing the first punch, or canister of gas, or whatever. The police should not have the right to launch a pre-emptive strike because they think someone might commit a crime.)

      Others I find especially offensive include: making a quad less defensible (making something less attackable makes sense; making it less defensible can only serve the purpose of disempowering or disenfranchising, and so is antidemocratic); making it painful for hippies to walk barefoot (!! — this is a completely inoffensive behavior, not in the least “antisocial”, and narrowly targeted at a particular group of people because you disagree with their politics. Moreover, the behavior targeted clearly falls under free expression, and need not be accompanied by any overt evangelization of those politics whatsoever. Where I come from, if you disagree with someone’s politics but they are not being violent or stealing, you ignore them or you debate them, but you do not gratuitously interfere with their behavior out of pure malice.); stopping homeless people sleeping.

      Homeless people. What are they expected to do, remain awake 24/7? Die of exposure? Well, actually, it’s go away and stay out of sight, out of mind. I think the best thing that could be done to solve the problem is to ban anti-vagrancy laws, including anything that’s intended to function as such however phrased. Only when the well-to-do can no longer simply sweep the problem under the rug and walk to their cushy jobs and back to their fancy homes each day unperturbed by reminders that others are less fortunate will something be done by anyone with the power (or money!) to do something effective. Making them hide in alleys or even in volunteer-run shelters with the priority not being public safety or theft-prevention but making them go away and be invisible is simply terrible public policy. Making a segment of the population invisible disenfranchises and demoralizes them. Undemocratic! They should have shelters to retreat to in bad weather, yes — and they should have the right to be visible, and to beg for money or do other things so long as they don’t get violent or steal or otherwise become more than a minor nuisance. But let them be minor nuisances if they choose, and let them be visible! Only then will there even be many volunteers for those shelters, let alone any chance of addressing the huge unemployment/no job security problems, gaping holes in the safety net, and other issues causing poverty and gross inequities in wealth and opportunity. Certainly any shelters have to include reasonable (cheap) free clothing and the ability to bathe, too — anyone with no more access to those has zero hope of future employment. But letting them climb up and compete for jobs isn’t what the powers that be want, is it? Benefiting from highly unequal wealth distribution while being spared reminders of what this costs some fraction of the population is what they want…)

    6. Hi -
      I promise I haven’t banned or done anything active to block your IP – must be some quirk of the SpamKarma plugin that this blog uses. I’m not able to sort it out right now but will definitely look into it in a few days’ time. Many apologies if you’ve lost anything important you posted, I very much appreciate your comments.

      Dan

    7. Eh. It’s a rogue bot? Odd. None of my comments contained links. Most were posted OK, then one triggered the 403 thing and now I have to use an anonymizer to post successfully. Probably the whole ISP’s been blocked. Moreover, the posts I made before were all deleted! Even the ones that were not objectionable (i.e., before the one that failed, or maybe the one before that one, which suggested working around bad ink cartridges that whine at you to put a coin in the slot to continue and was quite on-topic).

      Why is anything automatically nuking posts given the captcha anyway? If bots can’t post, there’s no need for bots to moderate.

      Simple quick fix — just disable the rogue bot. The captcha will keep any big blitzkrieg spam runs too big for a human to cope with from happening.

      I’ve seen similar rogue bots cause problems elsewhere, though never so extreme as blanket-banning IP ranges and deleting someone’s entire history of posts after objecting to just one of them before. In my opinion, they are nothing but trouble, and a captcha and the odd manual check and deletion should suffice. If an actual human being takes the time to spam, it can’t be so much that an actual human being can’t take the time to delete the spam, after all.

      Certainly, the bot should limit itself to deleting the one post it decides is offending and taking no other action. Probably to just flagging it as “suspicious” for your attention. How often does a live human validate themselves at the captcha and then post a spam, anyway?

      Another little hint: the bot can surely safely ignore posts with no links (or even URLs-as-text) inside and a bogus one supplied to the URI form. :)

      Also, the behavior observed seems to have likely required some human component. I don’t recall anything in the posts that should have twigged a bot. Besides the strong pro-legitimacy weighting the lack of links should have granted, there were no swear words, excessive caps/punctuation, or words in languages like Chinese that pretty much scream “spam” when they are used in an English-language blog’s comment form. Basically, no Bayesian filter with even a minimum of proper training should have identified any of them as spam. Which suggests some idiosyncratic criterion unrelated to the content at all, or else twigging on something that wasn’t indicative of spam but of, say, an unwelcome opinion being expressed (albeit civilly). Rogue bot it may well be, but it “looks like” censorship given the lack of obvious “red flags” from a purely anti-spam standpoint, and the strong “green flag” that should make postings either go through without question, or at least with an overwhelming number of strongly-weighted “red flag” items required to counterbalance it. Nobody spams a blog without including a link(!), and non-spam abuse (especially that survives a captcha) can generally be coped with without resorting to bots set to shoot-first-ask-questions-later.

      Sorry to carp on, but this kind of thing is troubling and disturbing to me. Especially seeing as the problem with “architectures of control” (when they move beyond wacky-pronged plugs designed not to be accidentally hooked up in “fry the fancy $3000 video-editing computer” rather than “power the fancy $3000 video-editing computer” configuration, anyway) is basically that they trample all over peoples’ property rights, due process rights, right to elect their legislature, and so forth. (The DMCA, especially, gives the force of criminal law to arbitrary, corporation-written “laws”. Basically allowing CEOs to legislate from the conference room. Repealing the DMCA or requiring CEOs be elected by popular vote seems indicated, in order to preserve even a semblance of democracy. It’s bad enough that a lot of legislation, especially regulatory legislation, is now routinely ghost-written by the very people it’s supposed to regulate…yes that includes all the copyright laws and such, since those were supposed to regulate publishers, i.e. what are now the Big Media Conglomerates(tm), NOT Joe Citizen…Oh, and did I mention that DRM and the like also function as cop, judge, jury, and executioner, while the DMCA prevents appealing to the Eighth Circuit Court of Circumvention Devices? I’d object even if the “jury” emulation was impartial. When I see .wma on a file name my soul cries out for due process! Where is the music’s legal aid? Whither my data’s habeas corpus rights? Suspended as part of the war on terror? Aiiieee!)

    8. Honestly, there is no human involvement in removing your posts. I’m on holiday, I’m posting from an inernet café, I don’t have the WordPress login details with me, so please believe me when I say that I’ll sort it out in a few days’ time.

      If you want to see (fascinating) genuinely human-censored comment, check Newsniffer!

    9. OK, I’ve recovered all (I think) your comments – though I had to post the cartridge one manually. The software (SpamKarma2) doesn’t seem to have recovered it even when I told it to do so; I don’t know why. I’ll keep a very careful eye on what it flags as spam in the future. As far as I know, it has only had a couple of false positives in the 9 months or so I’ve been using it.

      In case it’s of interest, this is a screenshot of SpamKarma2′s ‘reasoning’ behind classing one of your comments as spam. You can see it’s initially given the comment a ‘black mark’ because you commented on a post which was dated 11 months ago, and a common characteristic of comment spam is that it often accompanies posts that are many months or years old. In this particular case, the result is my fault: I re-stickied the ‘Welcome’ post to explain the blog to new readers, but didn’t change the recorded posting date. To counter this problem in future, I’ve now disabled the date-related component of the spam filter. Looking at the screenshot again, you can see the ‘retro-spanking’ triggered by later comments from your IP, which I presume included the ‘duplicate’ (from the filter’s point of view), and thus it subsequently deleted the earlier comment as well.

      I apologise for the episode but it really is a result of unfortunate filtering and nothing deliberate.

      Nobody spams a blog without including a link

      Sadly that isn’t true. About a quarter of the 150-odd spam comments I now get each day are simply hexadecimal strings with no links. I presume this is as part of a ‘test’ by spam bots to identify ‘vulnerable’ blogs, i.e. those which will allow meaningless or irrelevant posts, as a prelude to a later attack.

      By the way, of course I agree with you about the ridiculous distortion of the meaning of ‘anti-social’. I only found the anti-barefoot paving amusing from an “what must be running through the minds of these planners?” point of view. You’ve hit the nail on the head with the use of architectures of control to enforce pseudo-’laws’ to regulate (alter, force, coerce) behaviour purely at the behest of companies or governments who could not otherwise get such power. Please do keep posting and I will try to make sure that the comments are not wrongly itnerpreted again.

    10. Thank you. And I’m glad to hear that the postings were apparently quarantined rather than simply erased.

      I’m surprised about linkless blog spam. I’ve seen none anywhere else.

      Is there anywhere that “architectures of control”, and especially anti-circumvention laws, are discussed as a constitutional issue, as an effective end-run around due process and a host of bill of rights clauses, up to and including the first amendment? And international equivalents, of course.

      To what extent is this crypto-fascist people-control creep being resisted with civil disobedience? Some of the “anti-sit” devices look susceptible to being pried off or otherwise removed. (Not to mention, susceptibility to liability lawsuits.)

      The effects on the disabled should merit discussion too, I think. The gadgets long used to prevent shopping cart theft deny access to wheelchairs. They seem to have been phased out in many places, in favor of cart-return spaces in parking lots (without any serious cart-theft resulting, as I understand); but many of these architectures of control pose greater obstacles to the disabled. People with emphysema or metabolic disorders and anti-sit devices; people with color blindness or other visual impairments and actinic blue light in public restrooms; the list of potential problems goes on. Will there one day be a wrongful-death lawsuit against a park with questionable benches, or even none at all, and against the city containing the park, and the manufacturer, because of an exertion-triggered heart attack? Or a fall onto a window ledge that impales? I wonder.

    11. “making it painful for hippies to walk barefoot”

      Surely ‘making it painful to sit down’ is more likely? A lawn is an attractive place to congregate, whereas I imagine the Texan sun would quickly become uncomfortable while standing around on stone.

      Of course, this means you’d have to stop people sitting on the planters too: opportunity for some spikes!

    12. hello to everyone I would like to ask if any of the experts here publishing can say something about security and the design of the future airporis. having is mind the the complexity of the time today and a various threats constantly indangering the safty of the aviation industry.
      what is your opinion?
      when and at what stage should the sicurity be involved and be implemented in the design and documentation of an airport? and how important is it overall?
      how far does architects knowledge about security in reach?
      in advance i thank you for your opinion.
      best regards
      aleks

    Comments are closed.