Schneier on Security
A blog covering security and security technology.
« Nice Article on Personal Surveillance |
| MI5 on Terrorist Profiling »
August 21, 2008
They break planes:
Citing sources within the aviation industry, ABC News reports an overzealous TSA employee attempted to gain access to the parked aircraft by climbing up the fuselage... reportedly using the Total Air Temperature (TAT) probes mounted to the planes' noses as handholds.
"The brilliant employees used an instrument located just below the cockpit window that is critical to the operation of the onboard computers," one pilot wrote on an American Eagle internet forum. "They decided this instrument, the TAT probe, would be adequate to use as a ladder."
They harass innocents:
James Robinson is a retired Air National Guard brigadier general and a commercial pilot for a major airline who flies passenger planes around the country.
He has even been certified by the Transportation Security Administration to carry a weapon into the cockpit as part of the government's defense program should a terrorist try to commandeer a plane.
But there's one problem: James Robinson, the pilot, has difficulty even getting to his plane because his name is on the government's terrorist "watch list."
It's easy to sneak by them:
The third-grader has been on the watch list since he was 5 years old. Asked whether he is a terrorist, he said, "I don't know."
Though he doesn't even know what a terrorist is, he is embarrassed that trips to the airport cause a ruckus, said his mother, Denise Robinson.
Denise Robinson says she tells the skycaps her son is on the list, tips heavily and is given boarding passes. And booking her son as "J. Pierce Robinson" also has let the family bypass the watch list hassle.
And here's how to sneak lockpicks past them.
EDITED TO ADD (8/21): Ha ha ha ha:
Even though its inspector's actions caused nine American Eagle planes
to be grounded in Chicago this week, the Transporatation Security
Administration says it may pursue action against the airline for
And a step in the right direction:
A federal appeals court ruled this week that individuals who are blocked from commercial flights by the federal no-fly list can challenge their detention in federal court.
Posted on August 21, 2008 at 9:12 AM
• 63 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
With security officers like that, who needs terrorists?
This is what happens when you apply a lowest-bidder security mentality to a governmental agency. We should privatise the TSA (with serious sanctions for getting it wrong, something a government agency simply can't do to civil service employees- I can't even imagine what kind of a freaking nightmare firing an incompotant TSA agent must be), empower TSA agents (or at least, front line managers) to make decisions instead of doing EVERYTHING by the book, and rethink the terrorist watchlist.
The ONLY story I don't have (much) of a problem with was the TSA guy who broke the plane. Sure, he did who knows how much money worth of damage, put countless lives at risk, and generally behaved like a reckless moron, but at the very least he was being proactive about security. Find someone with that kind of initiative and an an IQ of higher than 73 and make HIM in charge of the TSA.
> And booking her son as "J. Pierce
> Robinson" also has let the family bypass
> the watch list hassle.
Omg, you did NOT just write on the internet how to circumvent the terrorist list! What if terrorists read your blog?!
These damages happened in Chicago... and if you've ever encountered any of the TSA personnel in our fair city, you wouldn't be at all surprised to read the article above.
I thought the 'Bumbling' in the title was far too forgiving, but made up for nicely with a stern note from the editor. Kudos! Too bad it falls on deaf ears.
Good ole' MixMaster Hawley and the Bush Brigade...
Like so many other facets of life... religion, politics, business, et al... they aren't dangerous because they're stupid, they're dangerous because they're ignorant of that fact, instead believing themselves to be doing the right thing.
"The ONLY story I don't have (much) of a problem with was the TSA guy who broke the plane. Sure, he did who knows how much money worth of damage, put countless lives at risk, and generally behaved like a reckless moron, but at the very least he was being proactive about security."
I'm gonna assume your comment here was tongue-in-cheek. If the guy doesn't know which parts of an aircraft you can put some weight on, and which parts you shouldn't, then what business did he have climbing on those planes in the first place? He probably would not have been able to find anything amiss anyway.
I've been saying for a long time that as long as they're allowing those telescoping handles onto planes, they aren't serious about security. This just spells it out in nice, easy to understand, words and pictures. They need to do something about the metal frame on a lot of suitcases, while they're at it. They really should only allow duffel bags, without wheels and tow bars, onto airplanes, if they're seriously trying to stop contraband.
Better yet, how about they just strip us nude, handcuff us crucifix-style, and dose us with Rohypnol?
That'll make things a lot safer on the plane. Easier on the flight attendants too I'm sure.
I have a similar problem to ax0n (the lock pick guy). I'm planning to fly with no checked luggage, but I have a bike multi-tool I need to bring. It's no more dangerous than a pen, but of course danger is the eye of the TSA. The real problem is that you can't get a decision on such things that you can rely on. In fact, I could be permitted at one airport, and denied at the next.
I was only half kidding. I admire his enthusiam and dedication to his job, but I think he needs an explanation of how planes work before we let him climb around on one:
"Big metal flying-thing fall down and go boom! Uh-oh, big boo-boo! No make boo-boo airplane! No break airplane! bad, bad TSA man!"
@bobsec: are you sure that's not an octopus?
I am not sure that privatizing would be good... since the government would just give it out to the lowest bidder and then wave any fines etc found against the company. The issue is that
1) People want security.
2) People don't want to pay for security.
So you end up with lots of theatre because well you are getting your moneys worth.
I'll bet you could privatise the TSA if you manadated sanctions against the managment and against individual agents (ie you screw up and you get fired and your boss has to pay a fine).
I agree that security thater is all we're likely to get.
To me, this is a classic example of a bad security perimeter. If you're concerned about the planes' safety when nobody is on them, you need to keep people away from them. Securing the plane itself does very little good, since a knowledgeable person can do a *huge* amount of hidden damage to a plane if they have unsupervised access to it, even if it's all locked up.
Have you seen how much money we (as tax payers) spend on the TSA Show? $6.5 Billion
per year and growing.
We aren't getting a semblance of our "money's worth". Investing in plummeting dummy-corp stock would be nearly as cost-effective, and probably would do equally as much good keeping us 'safe' on our flights.
I have a small leatherman that goes on my keychain. I usually forget until I go through security. It goes into my laptop bag, which is easy to do inline while removing the laptop. Still in the bag is an all aluminum cooler, which prevents it from showing up, provided it's on top of the tool.
Totally Stupid and Asinine
TSA trying to be like the defunct TIA, Total Information Awareness program, you really are going to have problems.
Commonsense is seriously lost in the USA.
"Commonsense is seriously lost in the USA."
Not so much lost as knowingly, zealously trampled upon.
I read that article about the James Robinsons on the watch list.
What I don't understand is---the "no fly" list was such a collossally stupid idea to begin with. It was freaking *obvious* that this sort of thing would happen, and happen *a lot*, from the day I first heard about it. Yet they persist in these ineffectual measures, for reasons I cannot guess. (Maybe just bureaucratic inertia?)
This is what happens when you let unaccountable bureaucrats set policy, and let them shroud it in secrecy. Its positively dystopic.
Do you need the tool the day before the flight? If not, just fedex the tool to the hotel you're going to be staying at. Just make sure the hotel reservation is confirmed and the hotel knows the package will be arriving. A lot of people send their luggage by carrier so it doesn't get lost by the airlines.
“Thank God we don’t get all the government we pay for!” – Will Rogers
He never met the TSA.
It's about risk management.
As I understand it, airports have been able to switch away from the TSA since 2006. The key there is that nobody wants to - not because they can't get better security than the TSA from a private company, but because if another incident ever did happen, it would give every single reporter in the world a clear and ready spot to point the finger at the question of, 'How did this happen?'
There's also the risk of civil litigation - even if they could legally prove that they did everything the TSA does and more, at a better quality, the costs involved in such a trial, the PR hits, and losses due to everything else tallies up to the TSA being the primary choice.
Kevin Mitnick's lockpick business card can easily get through the TSA, even on international flights. Just keep it in your wallet with other cards like your credit card, Barnes & Noble card, etc. and they either don't notice or don't care.
Also, a friend of mine asked the TSA what's required to be able to bring lockpicks on domestic flights. The answer? A business card stating that you are a locksmith. That's right. A business card. Not a locksmith license. Just a you-can-make-it-at-home business card. And so that friend made himself a business card with the word "Locksmith" under his name.
@Shane: Dont forget hizzonner sneaking in on April Fools day at midnight and trashing the coolest airport in the country, then claiming it was for "security" (when in fact removing a functioning control tower DECREASED security in Chicago).
Wait, so the watch list is just a list of *names* ? Not a list of people?? How many James Robinsons are there in the country?
I don't understand why there are not riots in the streets demanding the disbanding of the TSA and a refund of their budget.
It seems to me that a few pilots, authorized to carry weapons should be able to deal with unknown people attempting to breach security on their aircraft.
I suspect Pilots are fully authorized to shoot suspicious persons, and SomeDood climbing on thier plane definitely falls in the suspicious category.
Shoot a few of the idiots and i bet incidents of this type drop waaaay off.
What I'd like to know is why aren't we banning CDs and DVDs from airplanes?!?! The other day I was destroying a CD, and I shattered it. I noticed one of the pieces was rather thin pie that could easilly kill someone by slicing their neck or puncturing their jugular. BAN CDs NOW! I DON'T FEEL SAFE FLYING WITH CDs on BOARD!
By the way, what's a good way to securely destroy CDs/DVDs and their data?
What worries me is this statement in the story on the Spanish air crash, in the light of what the TSA has been climbing on. "The jetliner that crashed in Madrid abandoned a first takeoff attempt because of an air gauge that showed overheating, but experts said it was unlikely the gauge was a factor in the accident that killed 153 people." You don't suppose it's that same TAT gauge?
Thanks, but it's not so much that I need the tool as that I don't have an easy way to lock it with my bike at the airport overnight, so I just don't want to leave it. And I will need it the next day when I ride home again, so I can't mail it from the airport.
What I really need is a storage locker at the airport like they have in bus and train stations.
Airport security should be run by the airports; airline security should be run by the airlines.
How and why the government got into the commercial security business is a bit of a mystery. The fact that they are still there after seven years is a result of empire building within government agencies.
At a time when government is outsourcing all kinds of security work to companies such as Blackwater one has to wonder why the TSA continues to survive.
re: dangerous CDs
I know how to kill somebody with a rolled-up sheet of paper.
I used to concern myself with travel through the "third world", but now America's system is slipping below the sorry state of security found elsewhere.
I applaud Intel's chairman for highlighting the real cause of the decline -- backward and short-sighted leadership.
"'What's the great formula to ensure economic success?' he asked a crowded hall. 'You need smart people, a good education, you need to invest in R&D. R&D is how you move forward in the world's economic system. For that, you need the right environment, and the government dictates the business environment.'
'Every country in the world knows this,' he lamented, drawing on Intel's extensive relationships with technology manufacturers worldwide. 'Every country except one. This one.'"
Same for security. At a time when America could have risen to new challenges through innovation in democratic/soft security it instead started goose-stepping backwards and alone; ignorant of lessons from history. The TSA problems are just a symptom of the whole.
This is how a MBA (mostly talented at escaping his own business traps) was supposed to make things better:
And this is how things have turned out:
The effectiveness of a TSA entity, and protection of the country from genuine harm, requires leadership skills and an understanding of success that the current administration seems to sorely lack.
"By the way, what's a good way to securely destroy CDs/DVDs and their data?"
It's off topic and has been covered on this blog before.
However very briefly, the lable side of a CD/DVD is very thin and is the side the data is realy stored on.
If you turn the CD/DVD lable side down on a rough stone or equivalent and by rubbing back / forwards / side to side untill you get to clear polycarbonate then it is reasonably certain the data spiral has been removed.
If you need to do it very quickly then one third fill a glass of water put it a microwave put the CD/DVD on top and nuke on full power for a minute. The fireworks etc in the oven are quite spectacular and you most certainly do not want to breath in the fumes they have toxilogical disadvantages. Oh and you don't want to be cooking food in their again (death by cancer is not most peoples idea of the way to go).
The TSA response is amazing - I guess they figure the best defense is a good offense. "We @#$%ed up royally, so blame it on the airlines".
Well, if there are no holds barred on what the "inspector" can do, why doesn't he just use a jackhammer and chisel a man-sized hole in the fuselage - then every airframe on the airport will be in violation in just a few hours and he can go home satisfied at having done a good days work!
This post reads like the australian airplane service people that responded "non reproducible on airplane in hangar" to a complaint about the plane loosing altitute while on autopilot :)
Seriosly, such blunders are actually quite frequent. In a similar situation, one security agency of a european country tested airport security personnel whether they can put a bomb on a plane, they managed and then forgot the bomb, so it flew with the flight across Europe
I'd suggest that TSA charges you $2.50 every time you go through a checkpoint. In cash. Just to remind people what a bunch of wankers they are.
Or organize a "fake boarding pass day" where 10,000 people print out fake boarding passes and have parties in airport bars.
@ nomen publicus
"How and why the government got into the commercial security business is a bit of a mystery."
Who would you suggest people turn to for representation of their concerns in "commercial security"?
Do you honestly believe that a company is going to care about you as an individual? What loss of revenue will they fear when they can just blame you or brand you a fool?
How do you explain the change in commercial security behavior before and after breach notification laws? Would commercial security ever have achieved the same end without the laws?
Also, consider the current debate over cruise ships.
Most people have no idea about the enhanced risks they face when going to sea, and that is not by accident (no pun intended).
As with other industries the problem is the owners who obscure far higher risks than necessary or expected when they believe harms are externalized and they can escape accountability.
Would TSA charge an airline for a security violation if they were able to smash through the windshield or a window of an aircraft and gain entrance that way? If the objective is to gain entrance regardless of damage or destruction of the aircraft, I'm sure a motivated "agent" could succeed every time.
@TS, you ride your bike to the airport???? That is VERY suspicious somehow.
"What I really need is a storage locker at the airport like they have in bus and train stations." Hah! You're out of luck. Storage lockers are disappearing. My wife was on a trip to the East coast and had a one day stopover in NYC. We couldn't find any lockers (at least searching online) in all of NYC. Security reasons, I'm sure. What if the terrorists place their nuclear bomb on a locker, huh? They always need to store them for at least 12 hours, so that the LED digits can count down to zero.
"Or organize a 'fake boarding pass day' where 10,000 people print out fake boarding passes and have parties in airport bars."
You are my new hero... seriously!
If only they *were* the lowest bidder. Private security personnel can be sued or arrested if they misbehave. Government agents are immune.
That is why our system is broken. Make cops answerable when they needlessly scare an innocent person or deprive him of his flight, and then we'll start to see theater replaced by real security.
Well, it shows one difference between civil and military equipment that civil aviation assumes that whomever might be working on the airplane (i.e., gets close enough to touch the outside) will know what they are doing.
Military planes would have a bright yellow sticker next to the probe that reads "NO STEP."
Of course, this highlights how little most people we put in charge of our security know about the systems they are guarding.
@Larry "How many James Robinsons?"
There is a web-site "howmanyofme.com" that has US census data on the number of people with each first and last name, from which it attempts a statistical guess on how many people have a combination of first and last name. With 5 million "James" and 710,475 Robinsons, their guestimate is 11,822
Perhaps a class action status is needed for every case for removal of a name when there are >1,000 people sharing a name?
@TS. I have sometimes left small objects with the airport's lost & found facility, to be picked up when I return. At several airports I know, they charge a nominal fee for this service.
They even eat airplanes. Found: a TSA employee was caught chewing on a 767's wing. The employee's reason, was 'I needed my vitamins for the day, I forgot my multivitamin in the morning.'
April fools, but still. I wouldn't be surprised if this happened.
All one has to do is hack a TSA employee's home computer, put a false breakthrough study of used aircraft alluminum health benefits. Sure enough, on break, some cheap skate TSA would be licking an airplanes wing or maybe even a small bite.
Group think would even make it easier.
Which such a perverse country, anything is possible in the name of security and health.
>Also, a friend of mine asked the TSA what's required
>to be able to bring lockpicks on domestic flights.
>The answer? A business card stating that you are a locksmith.
>That's right. A business card. Not a locksmith license.
>Just a you-can-make-it-at-home business card.
>And so that friend made himself a business card
>with the word "Locksmith" under his name.
Unfortunately, I'm on the terrorist watch list.
But when I gave my name as J.Q. Locksmith, I had no problems...
>Also, a friend of mine asked the TSA what's required
>to be able to bring lockpicks on domestic flights.
I wonder if I could just get a business card with 'bike mechanic' on it...
I used to have a solid locking trailer that would have worked, except I wouldn't trust them not to treat it with suspician and blow it up. You know how bike trailers can hold bomb, while car trunks are just car trunks.
The lost and found is a great idea, thanks Canadian.
TSA: Thugs, @#$!heads and @#$holes
No seriously, I cant blame the TSA for sucking up money freely thrown at it anymore than I blame welfare bums for having unwanted children when the government pays them cash for every child they crank out. Its OUR fault for letting the government piss away this money with both hands. They should pile all that money up in a parking lot and burn it - at least then we could toast marshmallows on the bonfire and thereby get some return on our investment.
I believe the gentleman who posts of hiding a lockpick is overzealous.
I regularly carry lockpicks onto domestic and international flights. I use the Southard Jacknife set (http://www.southord.com/images/fullsize/JPXS-6.jpg) and leave it clearly displayed in the front mesh pocket. I've been questioned about it twice, but never had it confiscated. Lockpicks don't qualify as a weapon and aren't otherwise prohibited per TSA's published rules.
Furthermore, why should a profession matter? If I carry a business card stating "carpenter" can I carry a hammer? If I carry a business card stating "Firearms Dealer" can I bring my Glock? Shouldn't a citizen be allowed to carry non-prohibited items regardless of profession?
@clyrmnky Commercial planes have "NO STEP" in big letters next to the probes as well. Still, this doesn't help since TSA agents can't read.
Even if he'd been able to read, I'm betting his logic would go something like:
"I used it as a hand-hold to hoist myself, not as a step, therefore it's still the airlines fault."
Profession matters because in many states possession of lockpicks without being a registered locksmith is illegal. If you're flying to or from one of those states, you could have a problem.
"By the way, what's a good way to securely destroy CDs/DVDs and their data?"
Medium-capacity document shredders usually have this feature. Visit a Staples or OfficeMax and take a look.
My personal favorite is to shoot them with my .357 and watch all the sparkly pieces go flying, but in an office environment, not so much.
My first and last names are on the watch list. I finally started booking under my middle name, like the person cited in the story. No further problems.
I'm embarassed it took me so long to realize that would fix the problem. Did I really believe that TSA knew what it was doing?
IANAL, but I believe it's only illegal to possess lockpicks if you have intent to do bad things.
Look, why not do what the pilots originally asked for? Arm the flight-crews! If a bunch of unarmed passengers could subdue Richard Reid and the Crotch-Bomber, some stews with guns should be able to do the job even better.
The way to keep planes from being sabotaged on the ground is to not let anyone but the ground-crews near them.
The way to keep bombs in check-on baggage from damaging the plane is to stick the baggage compartment far away from any of the plane's vital equipment and put on blow-out doors; explosive gasses too take the path of least resistance. This will result in losing a lot of baggage if a bomb explodes there, but the rest of the plane -- and the passengers -- won't be harmed.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.