Schneier on Security
A blog covering security and security technology.
« Airplane Stowaways |
| Terrorist Tradecraft »
January 29, 2008
TSA Misses the Point, Again
They're checking IDs more carefully, looking for forgeries:
Black lights will help screeners inspect the ID cards by illuminating holograms, typically of government seals, that are found in licenses and passports. Screeners also are getting magnifying glasses that highlight tiny inscriptions found in borders of passports and other IDs. About 2,100 of each are going to the nation's 800 airport checkpoints.
The closer scrutiny of passenger IDs is the latest Transportation Security Administration effort to check passengers more thoroughly than simply having them walk through metal detectors.
More than 40 passengers have been arrested since June in cases when TSA screeners spotted altered passports, fraudulent visas and resident ID cards, and forged driver's licenses. Many of them were arrested on immigration charges.
ID checks have nothing to do with airport security. And even if they did, anyone can fly on a fake ID. And enforcing immigration laws is not what the TSA does.
In related news, look at this page from the TSA's website:
We screen every passenger; we screen every bag so that your memories are from where you went, not how you got there. We're here to help your travel plans be smooth and stress free. Please take a moment to become familiar with some of our security measures. Doing so now will help save you time once you arrive at the airport.
I know they don't mean it that way, but doesn't it sound like it's saying "We know it doesn't help, but it might make you feel better"?
And why is this even news?
So Jason -- looking every bit the middle-aged man on an uneventful trip to anywhere -- shows a boarding pass and an ID to a TSA document checker, and he is directed to a checkpoint where, unbeknown to the security officer on site, the real test begins.
He gets through, which in real life would mean a terrorist was headed toward a plane with a bomb.
To be clear, the TSA allowed CNN to see and record this test, and the agency is not concerned with CNN showing it. The TSA says techniques such as the one used in Tampa are known to terrorists and openly discussed on known terror Web sites.
Also relevant: "Confessions of a TSA Agent":
The traveling public has no idea that the changes the TSA makes come as orders sent down directly from Washington D.C. Those orders may have reasons, but we little screeners at a screening checkpoint will never be told what the background might be. We get told to do something, and just as in the military, we are expected to make it happen -- no ifs, ands or buts about it. Perhaps the changes are as a result of some event occurring in the nation or the world, perhaps it's based on some newly received information or interrogation. What the traveling public needs to understand the necessity for flexibility. If a passenger asks us why we're doing something, in all likelihood we couldn't tell them even if we really did know the answer. This is a business of sensitive information that is used to make choices that can have life changing effects if the information is divulged to the wrong person(s). Just trust that we must know something that prompts us to be doing something.
I have no idea why Kip Hawley is surprised that the TSA is as unpopular with Americans as the IRS.
EDITED TO ADD (1/30): The TSA has a blog, and Kip Hawley wrote the first post. This could be interesting....
EDITED TO ADD (1/31): There is some speculation that the "Confessions of a TSA Agent" is a hoax. I don't know.
EDITED TO ADD (2/4): More on the TSA blog.
Posted on January 29, 2008 at 3:13 PM
• 50 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"We get told to do something, and just as in the military, we are expected to make it happen -- no ifs, ands or buts about it."
"If a passenger asks us why we're doing something, in all likelihood we couldn't tell them even if we really did know the answer."
"Just trust that we must know something that prompts us to be doing something."
Regulatory bureaucracy at its finest! Statists everywhere should be quite proud.
"Just trust that we must know something that prompts us to be doing something."
I don't trust them to be doing anything other than mindlessly following orders.
"Just trust that we must know something that prompts us to be doing something."
To be fair, that is a fairly rational and believable statement. They know something, they do something. I'm willing to grant them that.
The problem is that few travellers trust that the "something" they know is relevant or accurate, nor that the "something" they do is useful from a securty - or any other - POV.
On a related note, someone managed to use a magazine photo of himself as ID to board an airplane: http://www.cbc.ca/cp/Oddities/080129/...
It seems to me that glossy magazine pages may be easier to forge than fancy RFID-enabled biometric government-issued persional ID cards.
This "Confessions of a TSA Agent" seems like disembling. Or is this just me?
Personally, I tend to think that the TSA checking IDs for forgeries is a good thing and not besides the goal of preventing terrorists on flights.
Having and using fake IDs is a good initial indicator of someone actually being a terrorist or other criminal. At the very least, it would justify further checking and is itself an actual crime.
Assuming they're going to check IDs anyways, having the TSA staffers look for indicators of fake ones at the same time doesn't seem like a bad policy to me (assuming a low false positive rate).
Flying is a privilege not a right? The ability to travel is a privilege? This says it all to me about this guys attitude. Plus, what kind of cop wants to be a TSA screener? This article does not ring true.
You did catch that the screener said both "we little screeners at a screening checkpoint will never be told what the background might be" and "Just trust that we must know something that prompts us to be doing something" in the same paragraph, right? She's just rambling, trying to sound important and knowledgeable while not enough so to be responsible for anything. They don't know anything, they just do what they are told.
Makes me think of http://www.schneier.com/blog/archives/2006/07/...
A prank for the future:
Write nasty messages on people's ID with one of those "Spy Pens" that fluoresce under black lights. Writing "TERRORIST" on someone's ID in invisible ink would be an interesting social experiment. (As long as the mark deserved it. Like say, your boss.)
The TSA perfectly gets the point of its role as the operator of America's internal security checkpoints.
Screening for dangerous items is secondary window dressing to the core purpose of being able to harass people who think in unapproved ways (e.g. those who criticize Republican presidents) or who act unexpectedly.
>The ability to travel is a privilege?
That was the prevailing attitude in the Soviet Union and what was known as the GDR or East Germany.
One item in the Red Team story seems like a good idea:
``For starters, every TSA X-ray machine has a Threat Image Projection system, which digitally inserts images of guns, knives and bombs into the X-rays of luggage, to keep screeners alert.''
Seems to me this will give the screeners a better challenge than the ``stare at the screen for days before something significant shows up'' environment, which is precisely the task humans are worst at. This way, they'll get to see something often enough to mitigate the ``eyes glaze over'' factor.
If meticulous screening of IDs will catch terrorists, maybe the IRS should meticulously screen IDs for tax cheaters. There's at least as much correlation.
When are the so-called thinkers in D.C. going to get it? An ID card proves nothing about intention. There might even be a stronger reverse correlation: both tax cheaters and latent terrorists will be VERY CAREFUL to have valid IDs, because they don't want to be caught at the ID-checking station.
When are they going to start screening for fake boarding passes? Those are still simple to forge, because anyone can print one out on their home computer, The bar-codes don't even have to match the text, because none of the security checkpoints I've been through ever look at the bar-codes. They don't even have bar-code readers.
"You did catch that the screener said both "we little screeners at a screening checkpoint will never be told what the background might be" and "Just trust that we must know something that prompts us to be doing something" in the same paragraph, right?"
Yeah, I caught that. I took the 'we' in 'we know something' to be the TSA at large, not 'we' as in 'we little screeners at the coalface'.
@ Terry Cloth
back in the day, my Grandfather took a course on aircraft recognition. This was during the 1940s, and resources in general and repro machines in particular were in short supply. Anyway, the slides used for the course were so old and used that the silhouettes of the a/c were all but unrecognisable. On the other hand, each slide did have a distinctive set of scratches, cracks, smudges, and stains. By memorising those, everyone on the course was able to pass the test (which used the same slides). So they all qualified. Unfortunately the enemy tended not to fly around in scratches, smudges, stains, or cracks ;-)
I wonder what the pool of images in the Threat Image Projection thingy is like, and whether it can scale, rotate and yaw images to provide variety. Otherwise, after a very short time I'd expect the Threat Image Projection system to _reduce_ screener alertness
[internal monologue]"... my feet hurt ... when's smoko ... oh, a gun ... nah it's just a TIP test ... I need to pee ... wait was that a real gun or just a test ... never mind ... what's in this bag ... heh, a dildo *teehee* ... I'm hungry ...[/internal monologue]
Look, if you guys don't like America, you could always move to Alaska.
@Terry Cloth - on the face of it, I'd agree with you, but then it occurred to me: a system that inserts false positives is training the operators that images of guns, knives, etc. are no big deal. After all, the rate at which the "keep alert" images are inserted by the system outweighs by many orders of magnitude the rate at which they'll ever see a real weapon on the screen. Thus, almost every instance of a weapon is a faked weapon - how long do you think it will take before the operators learn that images of weapons are not only not a cause for alarm, but should be ignored even more than anything else they might see, because they're almost certain to be fake?
I fly with an ID that I purchased at the last CCC Camp. It's a valid ID for a pro-democracy project called The First Transnational Republic. ( See: http://www.transnationalrepublic.org/ )
It grants me access to vote in global elections and it identifies me as a citizen of my respective country. It's not a joke but I'm sure not many people take it seriously. Except people who ask for ID.
Generally when people see this ID card, they comment on having never heard of the Transnational Republic and then hand me my boarding pass. Or bottle of wine. Or whatever other stupid ID check nonsense they were trying to show was an effective tool of control.
I should note, none of the information on the card is false. It has even more information about me than my license. It looks to be in the format of German ID card but it doesn't attempt to present itself as a forgery. It even works in (non-magnetic) passport scanners because they took the trouble to encode the information properly.
( As a side note, I understand there was a court case about the use of these specific ID cards in Europe. I can't find a citation but I understand that the court ruled that it was a perfectly legal document for a private citizen to carry and present. )
I think people dislike the TSA because they act like thugs. Just like a thug, if you follow directions, you won't be hurt or have any trouble. You pay both the TSA and the hypothetical thug for that service. Joy.
One of my neighbors who worked for TSA would tell us about how silly things can be at TSA. Today they are told to be alert for people with blue shoes... not told to stop them as that might be 'profiling' but be very alert. The next day it might be chose every 4th person for additional checks and anyone with a red bag. And then there are the various quotas.. its like something out of Big Brother with the poor guys enforcing the rules not sure what or why Big Brother is expecting today.
"Personally, I tend to think that the TSA checking IDs for forgeries is a good thing and not besides the goal of preventing terrorists on flights."
This would be true if it weren't possible to fly without ID. Why fake an ID when I don't need it anyway?
"Having and using fake IDs is a good initial indicator of someone actually being a terrorist or other criminal. At the very least, it would justify further checking and is itself an actual crime."
Agreed - It is a crime, it is an indicator of hokey behavior. It will though, after implementation, waste more time of normal and law-abiding travelers. The reason is, as Joe-Bob Terrorist, I know that the TSA is checking for fake IDs. Well, I'll keep my fake passport in my suitcase until I really need it and just fly without ID. All the while, TSA is taking more time to check the other 99.9% of people who have ID (legitimate ID)
"Assuming they're going to check IDs anyways, having the TSA staffers look for indicators of fake ones at the same time doesn't seem like a bad policy to me (assuming a low false positive rate)."
It's not their job.
"Thus, almost every instance of a weapon is a faked weapon - how long do you think it will take before the operators learn that images of weapons are not only not a cause for alarm, but should be ignored even more than anything else they might see, because they're almost certain to be fake?"
This does actually work because the screeners have a stake in finding the fake images. There are disciplinary actions taken if they miss the images. I think if they miss even one fake image they are taken off the line and required to repeat a portion of their training. (I think?)
It is important though to have a very, very large library of fake images. Otherwise the screeners will begin to look for the images and forget everything else. There must be a lot of diversity to make this work.
I'm wondering if the release of stories like this failure to detect a bomb carried on the person is a sly way of building support for the use of full body xray machines. Spread enough stories which feature sentences like, "He gets through, which in real life would mean a terrorist was headed toward a plane with a bomb" and you'll have people believing the full body xray is a necessity.
Rosin up the bow, we're about to be played like a fiddle again.
"I have no idea why Kip Hawley is surprised that the TSA is as unpopular with Americans as the IRS."
This is an outrage. The IRS performs a necessary job, vital to our National Security, even if GWB thinks you can stage a war without paying for it.
What's more, it does a generally competent job, considering the conditions imposed on it. (I once received a polite note along with a recalculation of penalty for underpayment of estimated tax, remarking that it was pretty much impossible for anyone to get it right.) Every year, some poor bastard at IRS Central has to take the steaming pile of putrid hogshit that the Congress has passed at the last moment and turn it into a set of algorithms that can actually be executed. Did I mention, morally corrupt hogshit? The IRS people virtually always get it right. (Though see above.)
It's a bureaucracy, and there will always be horror stories about its misfeasance and worse, and the stakes are high, being your money and freedom (as in not-jailedness). Still, how much of this can the TSA match?
Well, I'm glad the screener thinks he should be doing his job. That's a step forward.
On the other hand, knowing why you are performing certain tasks might make it a little easier to do your job better. And most of these security measures are becoming like a ritualized mime performance, with a random cavity search to spice things up a bit.
I understand the desire to look like you're doing something, but rushing around in a panic never put out a fire.
I'm not thrilled by the comparison with the military. TSA is part of 'Homeland Security' ("ein Volke" anyone?) which, last I looked, is not part of the Department of Defense, yet. There's lots of good reasons why our domestic policing is not militarized.
When I first went to France in the '80s I was shocked to see uniformed soldiers, with APCs and full weaponry guarding national monuments. I was so proud of the US, that we didn't do that.
I miss the good old days, when most people didn't think that we needed to become a police state.
@Anonymous: "When are they going to start screening for fake boarding passes?"
Getting people to carry identity papers and present them on demand is an old and cherished governmental dream. Boarding passes just aren't very sexy that way, they don't light up the same neurons.
...oh, and I forgot to add: making boarding passes hard to fake would be inconvenient for the airlines, so it's not likely to happen.
I think it's great that the TSA are going after people with dodgy IDs. After all, terrorists are few and far between, so we the taxpayers might as well be getting something for all the TSA is costing us even it it's not specifically what they were set up to do. You're doing a heck of a job, Kippie!
"...scrutiny of passenger IDs is the latest Transportation Security Administration effort to check passengers..."
I am not a number. I am certainly not my ID. The ID says what the government wants, not what a terrorist may or may not want to say with explosives about the government. The TSA can look at IDs until the cows come home, but it won't stop bombs from getting on a plane.
Apparently, enforcing immigration laws isn't what any portion of the US government does.
Assuming that the leaked memo is genuine (which I question): If Kippie really and truly is surprised that the public reviles his agency, he needs to be immediately replaced with someone who is in touch with reality. Kippie also demonstrates his ignorance and incompetence in the whining and condescending tone of the memo. An astute manager writing to his employees would spin the poll results to show that his agency is doing the job it's supposed to do. As he notes, the TSA exists to protect the public from a "high threat environment," which requires appropriate, necessary imposition on each and every passenger. It that didn't generate a certain amount of resentment, something would likely be wrong.
But he's apparently not smart enough to think of that. Instead, he denigrates the public and the "amateur security experts" (i.e., anyone who dares to criticize or point out obvious problems with the TSA) for failing to show the trust, confidence, and respect he apparently believes any government agency with the name "Security" in it inherently deserves. To the extent that Kippie is showing any "leadership," he is letting his employees know that he regards the traveling public as Enemies on the par with terrorists. If that's the example he's setting, is it any wonder that travelers hate the TSA?
(Of course, a truly competent manager would welcome the poll results as an opportunity to examine his operation for possible improvements. After all, if the TSA were really looking to provide effective security they would encourage public cooperation with its difficult task rather than antagonizing everyone as an enemy. But that's a level of competence far beyond what we could ever expect from a loyal Bush appointee.)
Meanwhile, there's this from the TSA agent's piece: "
The federal government has a law in place that was created just after TSA was formed, designed to protect any TSA agent from being verbally and/or physically assaulted or abused. Most people don't know this, but the fines -- depending how far a passenger pushes things -- can be from $5000 - $25,000 and the passenger is placed on a Do Not Fly List."
It does make you wonder just a little how often saying "#$%@%$# ^#$%&$^ Security Theater" a little too loud will get you barred from flying.
@George: "I think it's great that the TSA are going after people with dodgy IDs."
For one thing, they're not going after people with phony ID, they're going after people who don't have genuine ID (or have it and choose not to present it). For another, why should I care about possession of phony ID? If someone tries to impersonate a) me at my bank or b) a police officer at my door or c) a surgeon at my hospital, that's serious. But if someone simply claims to be Zaphod Beeblebrox at an airport, what do I care?
Before you answer, bear in mind that they are NOT checking names against a clean list of fugitives. (They are in fact using a very messy "no-fly" list which is far worse than nothing.)
The mayor (referenced by Rennie at 4:44) was travelling with an expired driver's license. Apparently, the TSA are also now enforcing state DMV paperwork requirements.
The TSA agent had no doubt that the mayor was in fact the guy in the picture on the license. He had no doubt that the license was a legitimate state original, it had simply passed its "use by" date. But somehow, the fact that he wasn't legal to drive also meant that he wasn't free to travel.
Now, the TSA agent knew, deep down, that this made no sense. He was just looking for some excuse to let the mayor fly. So when the mayor showed him a different "official ID" that apparently hadn't expired as it was still from "this month", well. I guess that satisfied his bureaucratic need.
I felt much safer after they insisted on x-raying my unwrapped clear baggie of professional films on my way to a place where they were simply unavailable.
And I did say "#$%@%$# ^#$%&$^ Security Theater" too loudly...
They gave me a compliant form, like I am going to fill that out ? no way!
I checked a roll when I returned and it was fogged. I had to do my work with lo-res 10mp digital as I knew from prior tests of the x-ray machines that the film was ruined for professional use.
Did I feel safer ? Certainly not just violated.
TSA could be disbanded and we would lose little but the agrevation of having a Gestapo chcekpoint at the airport.
>> "That's the kind of resources the TSA can devote to the document-checking that the airlines didn't," says David Castelveter of the Air Transport Association, a trade group of major U.S. airlines.
YOU MEAN MONEY, YOU MURDERING BASTARD (of an industry).
September 11th would not have happened if the airlines had been willing to pay for decent security. Now they're not even willing to pay for the one minimum wage security guard at the checkpoint, pushing this off to the taxpayers via the TSA.
Sorry, pet peeve.
That link to "Confessions of a TSA Agent" explains a lot:
The federal government has a law ... designed to protect any TSA agent from being verbally and/or physically assaulted or abused. [The fines] can be from $5000 - $25,000 and the passenger is placed on a Do Not Fly List.
Government employees are humanly fallible. If you annoy them enough they're likely to take revenge in a way accommodated by their job - they may delay processing your paperwork, or stymie you by following work-to-rule behavior. In most cases there are ways to redress this, by appealing to a superior or the courts. There are agencies that are effectively outside this system (not many of us have the capacity to challenge the NSA or CIA) but few of us will attract their interest. Not so the TSA.
The TSA is different because it operates at a very low level. Anyone who flies - and many people fly several times a week - will encounter perhaps a dozen TSA officers. Of course, it's the people who fly less frequently who are the most likely to anger a TSA agent. With any other government department the matter would end there. The TSA seems to be the only one whose members have an official means of revenge.
The article I quote above says that the powers are intended to stop TSA employees from being "verbally and/or physically assaulted or abused". Now, physical assault is actually illegal, whether committed against a government worker or any civilian. I don't think we're talking about physical assault here - there are too many people with guns near the TSA workers for people to try this sort of thing very often. We're talking about "verbal assault". Being nasty. Cursing. Shouting. That is, swear at a TSA worker and you may find yourself on the "Do Not Fly" list.
This is incredible enough (is there a "Do Not Mail" list, a "Do Not Issue Building Permit" list?) but the implementation of this tool is as shoddy as it is vicious. We know that anyone unfortunate enough to have the same name as someone on the "Do Not Fly List" is effectively on the list themselves. Remember the little kid, five years old, who was searched by a TSA agent with his mother forbidden to comfort him? There's a good chance that it happened because an adult sharing the little kid's name insulted a TSA agent.
At this stage people generally say something like "Wake Up America!" or rage about police states and civil liberties. I think the USA is getting exactly what it wants and deserves. I wouldn't want it myself, but there you go. I don't need to have it. Unless I visit the USA, at which time I will be very, very careful, just as if I were visiting Saudi Arabia.
From a comment in the TSA blog (supposedly by a TSA employee): "Flying is not a right granted under the Bill of Rights and due to the state of the world today, we must all make smart decisions. I am proud of what we do and what we represent."
If this person is representative of the TSA, and they probably are since the current goverment seems to share this view, then they completely miss the point of the constitution and the Bill of Rights. In case any TSA folks are reading this, the constitution is about establishing rights for the federal government. All other rights go to the states and the people. The Bill of Rights is just a list of examples of personal rights that cannot be infringed.
In other words, flying and any other normal activity is absolutely a right. Taking away liberties without the permission of the people (or through deception of the people) is not.
The only thing that surprises me about this is that the USA is happy to accept nearly 30000 gun deaths a year because it sees that as an acceptable risk in allowing its citizens the freedom to own weapons (and I'm not judging here) but cannot accept the risk of losing a couple of hundred people in an aircraft hijack by letting people go about their lawful business without hinderance.
Agreed. They need to re-read the Bill of Rights, with particular attention to the Ninth and Tenth Amendments.
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.
I have one of those biometric trusted traveler ID cards that is RFID-enabled and is essentially an electronic passport. It has my photo on it, my passport number, etc. You have to go through an FBI background check and a F2F interview to get one. It is considered a Western Hemisphere Travel Initiative compliant travel document. Apparently the Dept. of State and the DHS don't speak to each other because most TSA screeners have rejected it as a form of government photo ID as they have never seen one.
I wouldn't call the TSA blog interesting. It's just there to make people feel like they "care". There's 3 types of commenters there. The bloggers don't count, as the blog posts simply consist of "tell us your thought on x".
You have your people who want to buy Lisa's tiger rock, going "there hasn't been a terrorist attack since 9-11, praise TSA".
You have your people repeating the security theater meme.
Then you have the TSA employees posting on behalf of their employer. The welcome post emphasizes how they are posting just as normal people, and can say whatever they want. However, their replies in the comments just tow the official TSA line, and completely ignore the human comments and anecdotal situations talked about by other commenters. For instance, in the shoe screening thread, quite a number of people make a point of not complaining about having to take off their shoes, but about how some airports require you to and some don't. And what reply does the TSA employee give?
"Many of you have commented on the shoe removal policy. Since the liquid limitations went into effect in August of 06, TSA has required all passengers to remove their shoes. This makes it much more consistant for all travelers and gives us an opportunity to inspect every shoe. The threat is still real when it comes to IEDs hidden in shoes. While some may wear flip flops or other shoes that make it nearly impossible to hide an explosive device, it is a straight forward rule that has no room for interpretation- therefore you wont find "inconsistencies" from one airport to the other."
Even the TSA posters, whose task for the blog in Kip's words is "...to engage with you straight-up and take it from there" (as per the welcome blog post) are just replying with copy from canned TSA statements. They're talking past the commenters instead of holding any sort of dialogue. It's a fecking publicity stunt to gain some points with critics in the Blogosphere. Don't fall for it.
The TSA is definitely pushing the need for full body x-ray machines on the blog.
Here's a response from a TSA employee to a commenters question about sandals:
"As both a TSA employee and a frequent traveler, I feel your shoeless pain. No one likes taking off their shoes, myself included, but until we get one technology that can get a good look at everything, including shoes, in one shot, all shoes - including flip flops - have to come off. Any shoe can be tampered with, and trust me, the last thing you want is the government trying to classify exactly what a "sandal" is. Yikes."
While travelling home through Akron/Canton (CAK) after Christmas, I saw a poor gentleman humiliated because the TSA decided they didn't like his ID.
The checkpoint was deserted when this gentleman came up, my fiancee and I behind him, and maybe 3-4 people behind us. There were two agents doing the ticket/ID check, and they didn't like this guy's ID. From what I could see, it looked like an old-style laminated-card license, and maybe it had a little bubble under the plastic or something. They call another agent over, and the three of them spend about 5 minutes poring over this guy's ID with a blacklight and magnifier, and they're paging through a binder of procedures.
The poor guy looked mortified. I'm glad I had plenty of time for my flight, otherwise I would've been mad that it took 3 agents to look at this guy's ID and none of them could be bothered to help the group of people waiting patiently in line behind him. After a while, they looked partially satisfied, but not completely. They finally started checking the rest of us through, but the most senior-looking agent took the gentleman aside and I think he got the full secondary treatment.
I'm convinced that the agents were just bored. That's even worse than the time I got "randomly" pulled aside for secondary screening after going through x-ray. As he starts wanding me, the agent says he picked me because I'm tall and that makes it easier. If you're going to be completely non-random, the least you could do is not admit to it.
I deeply appreciate the fact that you are assisting security by raising the visibility of many issues and creating a web site/blog site where security related issues can be discussed. One item of TSA related security that distresses me is that in my work as an Engineer in software I have notice that there is no provision to keep critical software and software secrets in the USA. There is also no provision to limit contracts or contractors to USA born Engineers that pass a security check.
Although I understand many contracts for Airports were in place before and through Sept 11 2001, yet I found that in my work on two major USA airports that most of the higher level software that displays alarm information (like - Unidentified bag in area) to TSA staff, was written by and programed/tested on site by foreign born engineers ( some from India, Pakistan, Bangladesh).
I can assure you that the reason is NOT that the USA was seeking technically qualified individuals from these countries as I have trained several of the ones I worked with. And I certainly do not have a 'grudge' against any of these Engineers, they are simply great Engineers and people and
usually speak better English than most Americans. However, I do believe we are subjecting security to unnecessary risks at this point ( I wonder how many foreign airports would put me on long term (1 year or more) staff there?). One of the Engineers that I was good friends with and worked with at an American Airport was from Bangladesh and he thought the USA was foolish in employing nearly 100% foreign born Software Engineers on sensitive airport projects and in send a good deal of the code writing out of the country to save money. Most of this code can not be 'simply black boxed' to hide its intended use as there are only a certain amount of applications that are sensitive enough for this type of code and it would be recognized and compromised easily.
If engineers are to pass a security check then what difference does it make where they were born?
I submitted the following comment on the TSA blog which, of course,
was never published.
I thought I would share it with you since you mentioned their blog
in your latest newsletter:
In retrospect, what if the 'bad actor', who several years ago
attempted to sneak a knife/box-cutter on board a flight with his
weapon hidden in one of his shoes, had instead chosen a popular
method used by drug smugglers and had hidden his weapon in his body
orifice somewhere 'south of the border'. Applying the TSA's flawed
response 'logic' to a perceived threat, imagine how many millions of
'fanny frisks' that we travelers would have to endure each year. How
long do you think that the public would tolerate body orifice
searches when they fly? No doubt intense political pressure would be
brought to bear on the TSA to bring an immediate stop to the 'fanny
frisks'. Why then do we travelers STILL have to remove our shoes on
each and every flight, slowing down the long lines and producing
virtually NO tangible security results? Are your metal detector
machines not state of the art? Would they NOT be able to detect a
hidden knife in someone's shoe? If not - then fix or upgrade the
machines and stop this useless shoe removal procedure. The only
results of this policy is one of passenger irritation and of
creating the false impression that we are safer now!
As an employee of the TSA I would like to clarify a few items: TSA officers don't make the rules. Just like on any other job either the employee does what they are told, or they get reprimanded or fired. Since TSA officers have no employee rights, the latter is usually the case. This is the reason why stupid rules are enforced. Most of my co-workers don't agree with 99% of the regulations TSA comes up with. The majority of us are trying to get out of TSA. So instead of taking out your frustrations verbal or otherwise on low level employees with no say on how things go, complain to congress. Personally I have sent several emails to congress about the atrocities at TSA. Also TSA officers have no real authority to protect the public or keep you safe. TSA officers are civilians even though we are all sworn personnel. TSA officers are mandated by law to only receive one week of training and one week of OJT. This training only consists of how to operate the equipment, most of which has been in place years before TSA was ever thought of. I have been a active supporter of better training since I came to this agency. Unfortunately Kip Hawley and the republican party doesn't feel that the public is important enough to more adequately train the TSA security force. TSA gets a third of the annual DHS budget, yet none of this is spent on better training or new technologies to keep you safe. And for those of you wondering, it isn't spent on screener salaries either. TSA officers are among the lowest paid federal employees. Most only average $30,000 a year after five years on the job. And although I don't agree with some of my ruder co-workers, I also don't believe that most people could do this job and always be pleasant. I've had airport cops tell me that they felt that my job was more difficult than theirs. TSA officers interact with tens of thousands of people everyday, most cops don't deal with a hundred people a day. Also if you haven't noticed TSA officers aren't armed, and are not allowed to defend themselves per TSA regulations in the event of a physical assualt. This would not be a problem if there was a constant police presence at TSA security officers but, this is not the case. We have to call the police and many times they don't show up. I have known TSA officers who have been punched, kicked, threatened, spit on, and even urinated on. And I have never seen a passenger get arrested for any of these things. Because of this most TSA officers are afraid of the public and therefore act defensively in an attempt to mask it. Remember you can plainly see that we don't have weapons, we don't know that you don't have them until you clear the metal detector.
Just to amplify Polincor's statement above, eventually someone that hates us is going to figure out that a "keester stash" of, say, several ounces of C4 with a detonator is the fatal weakness of our entire airline security system.
In light of all the shoe screening in the aftermath of Richard Reid, I'm frankly stunned this hasn't happened already!
The effects would be devastating.
The TSA would have no choice but to do random orifice searches. And I'm not sure they could simply bow to political pressure to stop.
After all, if they did, every Abu Semtec coming out of the Middle East would be making use of the "fanny pack".
On the other hand almost no one would fly knowing that they were risking an orifice search. That would bring the airline industry down, the travel sector behind it, and a huge chunk of the economy would be laid waste in the ensuing financial implosion.
Which, as I understand it, is the goal of our enemies in the first place.
In other words, it seems to me there is no way for us to win against this attack period: we couldn't do random orifice searches, but we couldn't really not do them either.
And it is probably worth considering that they wouldn't even have to do it here. Doing it on a international flight bound for the US would seemingly be sufficient to get the ball rolling, and they wouldn't even have to deal with the TSA to accomplish that...
This is a topic I find very interesting.
Given all we seem to understand about this situtation, I really struggle to understand why our enemies haven't already done this.
1) They're too dumb to think of it?
2) They're too "ass shy" to carry it out?
3) Something even more sinister?
#1 seems unlikely to me given the way we've been played so far.
#2 also seems unlikely since they could always recruit a female and do vag. I think that would work nearly as well.
So that seems to leave us with #3...
I am really interested in hearing other people's thoughts on this matter.
The TSA and its people, from top to bottom, are tools in the Administration's
creation of a fearful attitude which reinforces military expenditures and wasteful "security" contracts enabling technology companies to market the
devices which incidentally harass the Public and which are not convincing of a foolproof security, in any case. The new administration's first priority should be a return to normalcy at the airports with immediate elimination of "shoe take off" and the other unprofessional requirements made upon the fare-paying passengers. The Airline companies are equally responsible for the disorder and confusion and should be ashamed of themselves, along with all Government officials, Judges and Congressional Committees who are involved. Insurance statistics prove that there is no difference than was the case
seven years ago, before the use of the strange "security" measures. If you can't trust the general public, then you can't trust any of the airline employees or other airport employees who are easily capable of breaking the existing security, in any case-that is, it is quite clear there is no protection against an inside job.
The new administration must recognize that the promised "change" must include a return to free use of the airlines and airports without Government "frisking" of our citizenry. None of what is going on at the airports has been approved by the American People. We are in our right mind, the Government is not.
I likes to fondle the good looking ones + i gets paid for doing just that.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.