Bruce Schneier

 

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography

About Bruce Schneier

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« Cloning an RFID Passport | Main | The Difficulty of Profiling Terrorists »

March 13, 2007

Airport Credentials Manipulated to Commit Crime

Some airport baggage handlers used their official credentials to bypass security and smuggle guns and marijuana onto an airplane.

This kind of thing is inevitable. Whenever you have a system that requires trusted people -- that is, every security system -- there is the possibility that those trusted people will not behave in a trustworthy manner.

But there are ways of minimizing this risk.

Posted on March 13, 2007 at 3:30 PM23 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

idlelineMarch 13, 2007 4:06 PM

This is an ancient question. Quis custodiet ipsos custodes?

nzrussMarch 13, 2007 4:24 PM

>>>...... a duffel bag containing 14 guns and drugs on a commercial flight from Florida....

The rest of us have enough trouble with a tube of toothpaste or some cologne!

McGavinMarch 13, 2007 4:30 PM

This brings up a good point that I don't see much in the Security debate these days:

Trusted vs. Trustworthy

Rob MayfieldMarch 13, 2007 4:37 PM

@McGavin: true, but?
Trusted: a label you apply to someone/thing before you know for sure (or before you know better)
Trustworthy: a label you can only apply with hindsight

SpiderMarch 13, 2007 4:42 PM

"Whenever you have a system that requires trusted people -- that is, every security system -- there is the possibility that those trusted people will not behave in a trustworthy manner.

But there are ways of minimizing this risk."

Exactly. Thats why my passwords are a secret even to me.

You'd be amazed at you productivity when you've locked yourself out of your email account.

MathFoxMarch 13, 2007 4:42 PM

I've talked to a luggage handler on Amsterdam airport; he gets a metal detector and bag X-ray treatment like the passengers. (As a passenger I've watched it happen to apron personnel.) Copying this to the US would close a security hole.

jkohenMarch 13, 2007 4:44 PM

@nzruss

That's only until hygiene issues surpass terrorism in media attention. Maybe we should stop bathing and brushing our teeth at least one week before flying.

DPMarch 13, 2007 4:54 PM

I'm just wondering where they got 14 guns and 8 pounds of weed for 1800 bucks. It's a mystery.

jkohenMarch 13, 2007 5:00 PM

@DP

Someone might be holding a garage sale http://ca.news.yahoo.com/s/capress/070310/...

David Dyer-BennetMarch 13, 2007 5:00 PM

Where are the Arisians when we need them?

McGavinMarch 13, 2007 5:54 PM

@Rob Mayfield:

"Trusted: a label you apply to someone/thing before you know for sure (or before you know better)

Trustworthy: a label you can only apply with hindsight"

Yes, if we assume you are talking about people.

bzelbobMarch 13, 2007 7:06 PM

"Whenever you have a system that requires trusted people -- that is, every security system -- there is the possibility that those trusted people will not behave in a trustworthy manner."

Awesome quote!

This perfectly describes government itself. I wonder if anyone has done a detailed analysis of the types of security failures that can occur within government itself?
(i.e. - Analysis of the government as if it was a computer operating system.)

...And how many people here believe that the government of the USA currently has multiple trojans/viruses/worms/rootkits in it?

AaronMarch 13, 2007 7:48 PM

"And how many people here believe that the government of the USA currently has multiple trojans/viruses/worms/rootkits in it?"

If they're smart? The same people who believe that of EVERY government...

Filias CupioMarch 13, 2007 9:39 PM

From the "Evil Overlord List" http://www.eviloverlord.com/

147. I will classify my lieutenants in three categories: untrusted, trusted, and completely trusted. Promotion to the third category will be awarded posthumously.

John DaviesMarch 14, 2007 3:47 AM

@MathFox

"I've talked to a luggage handler on Amsterdam airport; he gets a metal detector and bag X-ray treatment like the passengers. (As a passenger I've watched it happen to apron personnel.) Copying this to the US would close a security hole."

That's a good start but if it's your partner in crime doing the X-raying ...

BobMarch 14, 2007 8:05 AM

I just went thur OIA mar 3 & returned mar 9, and this comes as no surprise. Some of the tsa people looked like america's most wanted- ie sleazy and on my return they took 2 spare rechargeable camera batteries along with a small bottle of colonge, and a bottle of beer> Westvleteren '98. The were there when I went thur Customs... as I had the fun of having all my bags gone thur and yet they were gone when I picked them up later.

This was AFTER flying and being approved by the Custom's agents.

This also brings up another beef I had with tsa, I had to do the xray/metal det./shoes before I could leave! Theres no reason or need to be checked as you have never been exposed to a unsecure location after coming thur customs- and yet they give you a final search to retrive baggage? Thats just a waste of our tax $$$ , the baggage pickup is open to the street and yet the people coming in from the street haven't been checked, yet flyers who just went thur Customs,ect. need to be rechecked? B*^$%@!%*^#

Lets not go into how my wife gets the shaft- they cut open her tampons each & every last one! They are made to be sterile and now .... My wife is a federal worker , flying on tickets bought by the gov. using gov. CCard, ect and yet each & everytime she flies she gets the special treatment.

Its all a bunch of crap and a waste of time & money- OUR TAX $$$$

EdwinMarch 14, 2007 10:28 AM

Screening of passengers for risk analysis is primarily performed by examining reservation data and no-fly lists. However matching of passengers to ID is performed independently at the screening checkpoint, without reference to the reservation data.

Therefore:

Mr. OnNoflylist wishes to fly to a meeting within the USA. He simply makes a reservation and purchases a ticket in the name of Mr. SafetoFly. He then prints a boarding pass, and modifies digitally it on his computer to reflect the name OnNoflylist. (quite a trivial operation).

At the checkpoint, he presents his valid ID as Mr. OnNoflylist, together with his modified boarding pass. Then he simply boards the flight using his Mr. SafetoFly boarding pass.

There are many refinements to the technique, but the main point is that NoFly lists have little meaning for flights in the USA (and most other countries). [If unlucky enough to have been selected for special screening, Mr. OnNoflylist will of course have removed that SSSS indication from his boarding pass too]. [Even at some locations where international passengers have identity checked before boarding, this is manual and not crosschecked to reservation or INS data, so that any old fake ID with a fake boarding pass will do nicely]

It is a good example of the futility of the present approach to airport security.

Ed KohlerMarch 14, 2007 12:54 PM

Make sense to me. Smuggling is good money for a few minutes work. The credentials are worth more than the salary in cases like this.

quincunxMarch 14, 2007 2:08 PM

"But there are ways of minimizing this risk."

Not if it's in the hands of a compulsory monopolist.

X the UnknownMarch 14, 2007 5:48 PM

@quincunx: "Not if it's in the hands of a compulsory monopolist."

Security is ALWAYS in the hands of a compulsory monopolist, at least at the local level - otherwise they couldn't even pretend to enforce security.

averrosMarch 15, 2007 3:43 AM

X the Unknown --

> Security is ALWAYS in the hands of a
> compulsory monopolist,

This is just plainly untrue. Walk in a mall. See the private security guards. Which emphatically do not have monopoly on security services, even at the local level.

Are you claiming they do not provide security or are you claiming police have no powers in shopping malls?

The problem with government-provided security is precisely in the fact that it is monopolistic. The basic economics tells us that monopolies always deliver crappier and more expensive goods than competitive market. Production of security is no different.

AlvarezMarch 18, 2007 11:30 AM

Looks like airport security still neither have money incentive
to stop incidents like that nor any fines to pay for their mistakes.

aeschylusMarch 20, 2007 8:31 PM

"marajuana"?

Bruce, I guess you're either not a smoker, or you smoked so much you forgot how to spell "marijuana". :^)

Post a comment




E-mail is optional and will not be displayed on the site.


Remember Me?


Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 
Bruce Schneier
Subscribe
Atom Feed Facebook Twitter E-Mail Newsletter (Crypto-Gram)
Subscribe via Kindle
Blog Menu

Search

Powered by DuckDuckGo


blog only
essays and op eds only
whole site

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D

Tags

more tags

Support Bloggers' Rights!
Defend Privacy--Support Epic
Latest Book
Liars & Outliers
more books by Bruce Schneier