Schneier on Security
A blog covering security and security technology.
« Intel Quietly Adds DRM to CPUs |
| Ice Cream Locks »
June 12, 2005
Orlando Trusted Traveler Program
I've already written about what a bad idea trusted traveler programs are. The basic security intuition is that when you create two paths through security -- an easy path and a hard path -- you invite the bad guys to take the easy path. So the security of the sort process must make up for the security lost in the sorting. Trusted traveler fails this test; there are so many ways for the terrorists to get trusted traveler cards that the system makes it too easy for them to avoid the hard path through security.
The trusted traveler programs at various U.S. airports are all run by the TSA. A new program in Orlando Airport is run by the company Verified Identity Pass Inc.
I've already written about this company and what it's doing.
And I've already written about the fallacy of confusing identification with security.
Posted on June 12, 2005 at 8:57 AM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I agree 100% with you. The first thing that comes to mind is the old "weakest link" analogy. Anyone who desires to take a "trusted traveller" path will find the easiest point of entry into the system, which will probably be far up the chain from anything even near the airport. An authorization system that relies on an external mechanism of "trust", which is completely outside its control, could simply mean a more expensive authentication solution without any significant risk reduction (threats are the same, vulnerabilities have been shifted rather than reduced, and assets are just as valuable).
The people dreaming up this stuff obviously lead sheltered lives. They can't possibly have seen a movie with any manner of bad guy exploiting any manner of security sytem ever.
I emailed this company asking if I could come down to their NY offices and get their side of the story for my blog, but they never got back to me.
You'd almost think that security isn't what the people involved in this are really after, but that could never be. Nobody would dare profiteer or take advantage of governmental confusion or lack of expertise during "wartime", would they?
Chris: It seems like basically what they are doing is taking people who wouldn't be getting much security anyway, and making them pay for the continued priviledge of getting less security. Is any security added? No. Is any security taken away? Not necessarily either. It seems like they just found another way to make money off the process without much changing it, other than the obvious privacy issues.
Unfortunately, I get to see this line of thinking far too often. The conversations go along the lines of:
- Why this is not very effective...
- How so?
- Because the terrorist will get a trusted traveller card.
- But they can't get one, that's the whole point.
- Why can't they get one?
- Because they won't let them.
- Why won't they let them?
- Because they're terrorists!!! Are you simple or something?
- Well, how will they be able to tell if they're terrorists or not?
- Oh well... they have ways...
I usually wave my hands in dispair at that point. As long as it has an assuring name and they tell you it's safe, people will implicitly trust it. No wonder so many people open email attachments.
Eric Rescola also made the point that the Orlando airport has an economic interest in the private program, and so therefore has an incentive to make the normal security MUCH worse.
isn't this system just a cleverly disguised ruse to get the public to agree to willingly hand over their biometric and other personal data? this is a fine example of snakeoil security (fraud) that benefits noone other than big buisiness and the politicians in their pocket....
This Salon.com article http://www.salon.com/tech/col/smith/2005/06/10/... is quite good. Basically it talks about how all the maintenance/service crew for the airlines are subjected to none of the screening that pilots and flight attendants are.
I'm only going to include a short excerpt:
"Perhaps it surprises you to learn that flight crewmembers -- pilots and flight attendants -- are among the few groups of airport workers subject to concourse screening, while tens of thousands of personnel like Hector -- caterers, cleaners, mechanics, gate agents and baggage loaders -- whose duties require unfettered access to jetliners, are able to bypass this checkpoint entirely. Most of these people are themselves airline employees, though a high percentage are contract staff belonging to outside companies. While Steve sits in the cockpit running through the preliminary checklists, everything from his flashlight batteries to his underwear having been given the once-over by a guard, Hector is out back, rummaging through the plane's unminded spaces, free and clear."
Yes, I agree that the idea is flawed...
On the other hand I did Email to them requesting that I be sold a "Trusted American" card. I think that it is probably worth the money to have a certification that the Government trusts me and thus I can assume that I am not saying anything, contributing to any group, etc. that might get me in trouble.
They may not be deliberately decreasing security, but any system like this can be subverted. Agreed that this is just $$ being pursued.
@Nick -- Don't get me started on the interlocking economic and political interests on this ;^).
There must be the obvious exceptions of course.
1. All law enforcement personnel must have Trust passes, including ones with cover names and ones where the cop assumes the identity of a real person.
2. All the really rich will bypass the entire system by flying in aircraft they own but are paid for by corporations they control.
3. Tying in the RealID with voter registration will speed the issuing of Trust passes to voters with the correct affiliation.
Is there any good data on Iris scans? I am wondering if they can ever overlap or be confused for another person's iris. This is assuming firstly that they start out with a good picture of each person's iris, which is verified by a human, and secondly that the more people you have in the database the closer each iris is analyzed. Obviously you can always hold up a picture of someone else in front of the camera, but not counting that I am wondering if there are any obvious attacks or flaws.
The Salon article is a useful read. Along the same lines, and back to the "weakest link" point, airlines might not have secured anything brought on board by their supply/catering companies. If it is plausable to get a entry-level position with a catering company, for example, then it would be trivial to slip just about anything you would like onto a flight, right? Like the spy v. spy episodes, imagine a special meal that conceals a weapon...
While that is just speculation, I can say from first-hand experience that when I did some work with an ex-airline executive (at an unrelated company) I was told that the reason the little alchohol bottles were eliminated from his airline was not due to pricing (they had about a 1000% markup) but because 80% of the merchandise was unaccounted for at any time and rarely made it to the planes. I asked why the supply-chain was never secured, and he asked "how would you do that?". Then again this was at a time when flight attendants were not required to have random drug tests after flights, etc. so perhaps things have changed elsewhere too.
You really can't hold up a picture to the camera to fool an iris scan. The reason being, the image gets magnified to the point that you'd see that there are ink dots. (If you don't magnify the image that much, you can't have any certainty of correct matches, even if you can be entirely certain that the eyes are both real.)
On the other hand, if someone registers their iris when they're wearing custom contacts that appear to be real irises (and those are painted by hand, I believe), then anyone can take those contacts and pose as that person. Not very secure.
Anoyone else here reminded of the movie Air Force One, where the bad guys get through security (including fingerprints) because of someone inside (a secret service agent)???
They have any weapons when they entered the plane, they just used the ones already stowed on board.
I never understood all the complaining about security checks at airports. Even with a 2 hour wait to get though security, its not that bad in my opinion. I only fly 3 or 4 times a year though.
Just some ideas:
If I were in charge of the world, i would throw out the random super checks that Bruce loves, and just super check everybody. I would make the waiting area very enjoyable with movable seats, air conditioning, TV, video game and other amenities so its not much of a bother.
Also, do away with the overhead bins. Just 1 carry on that can fit under the seat infront of you and thats it. This is not for security, it just makes boarding faster.
Also, no longer waiting for people who arent on the plane on time. I HATE THIS.
Once you get on the plane. You cannot get off without forfeiting your seat.
mjk, I don't know how much your time is worth, but wasting 2 hours or even 15 minutes waiting in a line costly to me. The fact that the line that wastes my time provides the appearance of security while offering very little actual security only adds insult to injury. To me, time is money. Waste my time unreasonably, and you're dipping into my wallet. The current system in a farce. It was before 9/11 and is even worse after it.
I, too, only fly a handful of times per year. And I resent to the core of my being having to wait in those lines. I also happen to live in Orlando, and I'm not looking forward to the fast security lane. Resources at the security gates are limited enough as it is, and having them diluted by allowing a small percentage of travelers to have exclusive access to this resource can only make things worse.
I will give the Orlando Airport (or TSA) credit where it's due. The lines often look intimidatingly long, but I typically have to wait about 20 minutes to get through. Sometimes even less time, and once in a while even more. The agents are professional and courteous always, and things do move smoothly. It's just that the whole thing seems quite unnecessary and rather invasive to me.
There is a fair amount of information available. Actually, iris scans have the best EER of low-intrusiveness biometrics (or to put it another way, all methods with better EER are much more uncomfortable, much slower, and/or require samples of body fluids.) EER ("equal error rate") is simply the error rate when the machine's sensitivity is adjusted so that the false rejection rate (FRR) equals the false acceptance rate (FAR), so error rates can be expressed in one number. You need to be careful of the source of error rate information within the biometrics field, because a lot of companies publish information that seems to be exaggerated, or tested under excessively favourable conditions. Nevertheless, the EER for iris scans appears to be on the order of 1 in a million, which is quite adequate for this application. You might think it is more than adequate, but remember that US airports accept hundreds of millions of passengers per annum, so we will probably want to turn the FRR down to much lower than 1 in a million; that's OK, we can probably accept a FAR much higher than 1 in a million, so it's adequate.
Another parameter to bear in mind is the failure-to-enrol rate, which for iris scanning is about 5%. That means for about 1 person in 20 the machine simply can't get a good scan. That may be because of missing eyes, cataracts, scarring, or just plain weird iris patterns, but it's a problem you really need to consider in an application like this. If you say that users who fail to enrol can never be trusted travellers, the ACLU is going to sue you. But if you fall back to a weaker method for these users, then that's an avenue a terrorist could exploit.
Umm, sorry, wrong. In actual tests it has proved easy, in fact trivial, to fool iris scanners with photographs. See:
(However, it is obviously much harder to get up to these sorts of tricks if the machine is supervised by an appropriately trained guard.)
I don't think the method you suggest could be effective even in principle, because the recognition algorithm has to work in the presence of a lot of natural variation, such as lighting, reflections, dust motes in the air, etc. Possibly you could check that the iris pattern is behind a real human eye lens by probing the optical properties of the lens (e.g. by scanning with several wavelengths of visible and IR light and examining the dispersion), but then iris scanning becomes just as intrusive as retinal scanning (which many people find physically painful).
As a small aside, someone was commenting that many airport staff are not screened at all, making such rigorous checking of pilots and passengers rather bizarre. This has recently become a big issue in Australia, with the revelation that at least dozens of airport baggage handlers have been working for organised crime to smuggle drugs. This shouldn't have surprised anyone (I recall reading a late-1990s RCMP report into exactly this sort of thing at Canadian airports), but it has caused a sensation because it came during the drug smuggling trial (in Bali, Indonesia) of a young Australian woman who may be a victim of a screw-up by such crooked airport staff. (At any rate, polls indicate that ~80% of Australians believe this to be the case.)
Roger: Thanks for the info. Do you have any relevants links or other recommended resources for learning more about Iris scans?
The flip side is some very valuable untrusted travellers are getting very peeved...
In the CEO's office at Xiamen Airlines, one of
Boeing's most loyal customers sits beside a
portrait of Mao and a photo of a 737 cockpit and
describes the humiliation he felt trying to enter
the United States last year.
What passes for "security" at airports these days isn't security at all. It is placation of the masses at the expense of frequent travelers. I am on planes an average of once a week, traveling both domestially and internationally. I am grateful that some airports offer premium screening (same screening, shorter lines), and would instantly sign up for trusted traveler status were it to be offered at my primary airport. I'm even willing to register the items that I'll carry on board!
Why? Because I am fully aware that the screening serves virtually no useful purpose, most people going through don't even bother to figure out what's OK and what's not, thus slowing down the process for everyone, and I just want to get through with the minimum possible hassle and expense in terms of my wasted time.
If we really want to do security, upgrade the staff to those with IQs somewhat higher than room temperature and start using the real scanners that show EVERYTHING. Don't like it that your rolls will be seen? Lose the weight!
Consider, too, that what has happened in the past will never happen again. The worst one of these idiots can do is to take out a plane. Planes will never be used as weapons again, simply because those on-board won't let it happen (Flt 93, anyone?). We're spending a lot of time and effort on stuff that just doesn't matter--but most people find it comforting, so the government will keep placating them by doing it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.