Bruce Schneier
Schneier on Security
A blog covering security and security technology.
« Adam Shostack on TSA Threat Modeling | Main | Interview with the European Union Privacy Chief »
December 22, 2010
Interview with TSA Administrator John Pistole
He's more realistic than one normally hears:
So if they get through all those defenses, they get to Reagan [National Airport] over here, and they've got an underwear bomb, they got a body cavity bomb -- what's reasonable to expect TSA to do? Hopefully our behavior detection people will see somebody sweating, or they're dancing on their shoes or something, or they're fiddling with something. Our explosives specialists, they'll do something - they do hand swabs at random, unpredictably. If that doesn't work then they go through (the enhanced scanner). And these machines give the best opportunity to detect a non-metallic device, but they're not foolproof.[...]
We're not in the risk elimination business. The only way you can eliminate car accidents from happening is by not driving. OK, that's not acceptable. The only way you can eliminate the risk of planes blowing up is nobody flies.
He still ducks some of the hard questions.
I am reminded my own interview from 2007 with then-TSA Administrator Kip Hawley.
Posted on December 22, 2010 at 12:27 PM • 57 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Brandioch Conner • December 22, 2010 12:56 PM
From the article:
"If they are nuns. That's the question. So how do we verify who that person is?"
And then ...
"So, starting with pilots. Pilots were the biggest group of those I assessed as being low risk to civil aviation. I mean come on, they're in charge of the yoke, they can put the plane down, like the co-pilot in Egypt Air in 990 did."
#1. How do you verify that they really ARE pilots?
#2. What is there to stop even a real pilot from transporting explosives that will be given to a different person on a different flight?
RSaunders • December 22, 2010 1:10 PM
Interesting claims, but ducking the hard questions makes him come across more like a politician than a 27 year law enforcement professional. I'm sure you've offered, but it would be great to have another interview with you. It doesn't need to be real-time, so he doesn't have to feel on the spot, but it would be nice to get all the hard questions out on the table. Maybe you could start with a math quiz on applying the base rate fallacy.
Ryan • December 22, 2010 1:12 PM
I can accept the risk of flying, driving, walking, etc... and understand that death is just another part of life. It is very easy to poke holes in every security situation from the practical situations to the ridiculous ones, but what can truly be done to satisfy the irrational masses? Can the masses ever smarten up and understand that risk is always present and is just another part of life? No matter what is done at the airports, the risk will be present... So why keep giving up liberties? But where is the rational line in the sand?
Its a really complex question and I would never want his job!
Brandioch Conner • December 22, 2010 1:53 PM
@Ryan
"It is very easy to poke holes in every security situation from the practical situations to the ridiculous ones, but what can truly be done to satisfy the irrational masses?"
Simply informing them. The British had a poster from WW2 "Keep calm and carry on". And a LOT more people died in WW2 than have died from terrorist attacks.
The first step is to STOP REMINDING the general population that the terrorists are SCARY.
Every time you have to take off your shoes, you are reminded about the scary terrorists.
Every time you have to toss a bottle of water into the garbage, you are reminded about the scary terrorists.
Every time the TSA pats you down, you are reminded about the scary terrorists.
Simply declare "victory" over the terrorists and roll-back the security check points to 1999 levels. Keep the improved flight deck doors. Use dogs to sniff for explosives. Go on TV talking about how the terrorists can hit us, but they cannot stop us. The only thing we have to fear is fear itself. And so forth.
JJ • December 22, 2010 1:59 PM
Pistole kept distinguishing between law-enforcement searches and "public-safety" searches and stating that the latter need no probable cause. This is absolutely not what is in the fourth amendment which states that all searches by the government require probable cause. I'd say he doesn't know what he's talking about and this makes the TSA very dangerous.
EH • December 22, 2010 2:26 PM
what can truly be done to satisfy the irrational masses
Who are these "irrational masses" who are demanding these policies? My sense is that you're actually referring to those who are making the policies, in which case I don't think anything can be done about them.
JimFive • December 22, 2010 2:27 PM
@JJ
The fourth amendment doesn't say what you assert it does. The fourth amendment says that all searches must be reasonable and that a warrant requires probable cause affirmed by oath. However, not all searches require a warrant to be reasonable.
--
JimFive
carey • December 22, 2010 2:46 PM
"I've had members of Congress say, "Look, I am a member of Congress. I am not a terrorist; This is absurd. Why do I have to go through a physical screening? It's an insult." And I say, "Well, in the legislation that authorizes TSA every year, they specifically include provisions that members of Congress will go through physical screening." By the way, I go through screening every time, I went through AIT three times last week in L.A., Long Beach, and Las Vegas."
And there is the biggest problem with the farce that is TSA. If they can't make the distinction between a Congressman, a nun, a child, their own freaking boss, and a terrorist, then it isn't targeted in any way, shape, or form. It is just blindly stabbing your hand into the hay stack and hoping to pull out a needle.
"Yes, there is a small number where we do 100% staff screening, but to do that for the tens of thousands, hundreds of thousands of airport workers. I mean, people who work in the kiosks, the stores, food vendors, and then the airline employees, the mechanics, and all those people--that's a big lift in terms of additional screening. And other than drug smuggling, we haven't seen terrorists exploit that. They tried to last year, Al Qaeda of the Arabian Peninsula, dealing with some Brits. There's a little bit written about that, but they tried to use a prominent airline insider, an employee, to recruit a couple of other airline employees to do something bad. So we see that as a risk, but it subsides."
In other words, they porno scan and feel up all the passengers, but the 1000's more people working in the shops after the checkpoint aren't checked physically at all. They heard of a plot where someone was going to try to exploit that, but it didn't pan out so they went back to ignoring this HUGE security hole.
He then makes some good points about the need for using real, actual intelligence and screening for behaviors... but goes right back to championing dumb, random, pointless checks by expensive machines.
GregW • December 22, 2010 3:36 PM
(oops, originally posted this in the wrong thread.)
The TSA chief, when faced with fourth amendment concerns in the interview tries to indicate there is a "difference between what most people think of in terms of a reasonable search-and-seizure for purposes of law enforcement, versus a public-safety administrative search. I don't know if people [critics] are drawing that distinction, either, from a legal standpoint or a practical application."
While at first this is an interesting distinction, I am skeptical this distinction in practice is anything more than a rhetorical one.
For example, does the TSA itself make this distinction? If I have drugs in my bag, or loads of cash or whatever, does law enforcement get involved? If so, then is this really just a "public safety" search to protect the plane? Not really; then the argument is just a red herring.
George • December 22, 2010 5:31 PM
Generalissimo Pistole may be "more realistic" when interviewed by a well-known critic (i.e., enemy). But his approach to airport security is absolutely indistinguishable from that of his predecessors. It's still a continual accretion of reactive measures to past breaches, with continually increasing levels of intrusiveness. It's still based on the assumption that the more you hassle every passenger, the more "security" you provide. He has shown no sign of any interest in correcting the well-publicized problems of wildly inconsistent implementation and standards of conduct that have made his agency widely despised. And his agency still operates a propaganda department that reacts to legitimate public concerns (and sufficiently embarrassing criticism or misconduct) by dispensing anodyne spin and lies.
The Generalissimo is a wily politician, which is just what it takes to become head of first the FBI and now the TSA. Considering the FBI's deplorable reputation for respecting civil liberties and constitutional constraints on its authority, it should not be surprising that his TSA would have the same contempt for both of them.
--Andrew • December 22, 2010 5:58 PM
Speaking of realistic, and humor, it's being reported on CNN that the CIA has formed a WikiLeaks Task Force (W.T.F.) to look at what it can do to respond to potential leaks of information.
Dirk Praet • December 22, 2010 6:23 PM
I wonder if Mr. Pistole is not in the process of brokering deals with Facebook and Google yet. That is of course unless Facebook is indeed nothing else than Echelon re-branded, in which case he already has access.
Carl • December 22, 2010 9:05 PM
@Brandioch Connor
""what can truly be done to satisfy the irrational masses?" Simply informing them. The British had a poster from WW2 "Keep calm and carry on". "
Well, you got one part right, they had a poster that said that..
However, you got the really important part wrong. While you would have counselled the British to do nothing in the face of Hitlers advances, advising them that "if we act fearful, Adolph wins!"
Instead, they calmly proceeded to meet the threat, mobilized the entire nation to do so and kicked his butt.
you do remember "we shall fight on the seas and oceans,
we shall fight with growing confidence and growing strength in the air, we shall defend our Island, whatever the cost may be,
we shall fight on the beaches,
we shall fight on the landing grounds,
we shall fight in the fields and in the streets,
we shall fight in the hills;
we shall never surrender"
dont you?
perhaps not...
ted • December 22, 2010 9:31 PM
The TSA must have found some wacky weed since they now think caroling will help their image
carl • December 22, 2010 11:50 PM
if you havent, consider reading BS interview with Kip Hawly.
http://www.schneier.com/interview-hawley.html
The entire article, BS kept making the same two points over and over:
1) "Such and such a security measure has a hole in it, why are you using it at all?" (In other words, if it isnt perfect, it's useless.. layers? what are you talking about?)
2) TSA is a bunch of bozos, the lack of any kind of common civility he shows for Kip is nothing short of stunning, various examples:
"I hope you're telling the truth"
"This feels so much like "cover your ass" security"
"It's "cover your ass" security. If someone tries to blow up a plane with a shoe or a liquid, you'll take a lot of blame for not catching it. But if someone uses any of these other, equally known, attack methods, you'll be blamed less because they're less public."
"You're picking and choosing"
"honestly, bragging about capturing a guy for wearing a fake military uniform just makes you look silly. "
Kip came across as a very professional person doing his best in a tough situation.
layers of security
incorporating behavioral elements in the screening process
sophisticated analysis of the threat
I loved his response to the second "cover your ass" accusation from BS
"Our security strategy assumes an adaptive terrorist, and that looking backwards is not a reliable predictor of the next type of attack. Yes, we screen for shoe bombs and liquids, because it would be stupid not to directly address attack methods that we believe to be active"
His response to the "security theater accusation"
TSA is moving in the direction of security that picks up on behavior versus just keying on what we see in your bag. It really would be security theater if all we did was try to find possible weapons in that crunched fifteen seconds and fifteen feet after you anonymously walk through the magnetometer. We do a better job, with less aggravation of ordinary passengers, if we put people-based layers further ahead in the process—behavior observation based on involuntary, observable muscle behavior, canine teams, document verification, etc"
Response to "security risks of airport workers"
"You could perhaps feel better by setting up employee checkpoints at entry points, but you'd hassle a lot of people at great cost with minimal additional benefit, and a smart, patient terrorist could find a way to beat you. Today's random, unpredictable screenings that can and do occur everywhere, all the time (including delivery vehicles, etc.) are harder to defeat. With the latter, you make it impossible to engineer an attack; with the former, you give the blueprint for exactly that. "
Kip was calm, professional, right on the money.
BS: you came off as long on urban legend accusations and short on any real understanding of the complexity of the situation and the range of actions the TSA is taking..
Dirk Praet • December 23, 2010 5:11 AM
@ Carl
On the WW2 issue, again it's an and-and relation. No one is suggesting we should do nothing. However, IIRC the then British government took a humane stance to German immigrants and folks of German descent, not demonising them and instigating fear among the general public that all of them were possible enemy agents. Which was quite different of what happened in the US, where their Japanese counterparts were locked up in concentration camps after Pearl Harbor and for which undoubtedly they had just as good a justification. Just like 9/11 an event caused by a massive failure of intelligence services, BTW.
As to TSA, what many folks do have a genuine issue with is that what they are doing today is questionable in terms of efficiency, invasion of privacy and erosion of civil liberties. Unless you are assuming a government by definition is always deploying adequate means and acting in our best interest only, they are not above criticism. That is what democracy is all about.
Nobody is suggesting John Pistole or Kip Hawly are complete and utter idiots who haven't got the foggiest idea of what they are doing. Then again, it is quite reasonable to expect very tough questions and an unfriendly demeanour in interviews when you go where they have been going. They may sound like reasonable men, but for as for as I'm concerned, there is to date a huge gap between what they are telling and what is actually happening on the shopfloor. Pretty much like the burger or pizza ending up on our plate being very different than the picture shown on the wall.
Ryan • December 23, 2010 7:45 AM
@ Brandioch
The majority of the nation in my opinion is irrational. I have spoken to numerous people and the typical response:
"If this is what it takes to keep us safe, so be it"
"I am glad we are searched like this"
etc...
They generally do not understand risk and the statistics proving how terrorism should not scare the liberties and freedoms out of us.
Paul • December 23, 2010 9:54 AM
Check out this link to see a pilot's perspective on airport security. http://www.pixiq.com/article/...
David Thornley • December 23, 2010 9:56 AM
@Carl: About WWII, what the British Government was trying to do was increase effectiveness. Working hard at your job, whatever it was, was good for the war effort. Growing your own food was, also. Panicking was counterproductive.
Similarly, the change in passenger attitudes and strengthening of the cockpit doors were effective changes, greatly reducing the chance that the aircraft itself could be used as a weapon, and also overall reducing the danger to passengers. One could add the use of sky marshals, although so far their net impact seems to be negative.
Terrifying passengers into agreeing that they should be groped is hardly effective in reducing terror, and it isn't going to increase safety noticeably.
Ryan • December 23, 2010 10:01 AM
He definitely deserved to get into some trouble from his company, but don't understand how the local sheriff could remove his firearms and carry license.
Brandioch Conner • December 23, 2010 10:35 AM
@David Thornley
"Panicking was counterproductive."
And it was an actual existential threat. England's existence as a sovereign state was at stake.
If the British government can encourage their people to "carry on" in those circumstances then our government can in these far less extreme circumstances.
You're more likely to be killed by someone in your own family than by a terrorist.
Dirk Praet • December 23, 2010 10:56 AM
@ Paul
It's just symptomatic for the reactive approach of TSA. There haven't been any occurences yet of airport personel involved in a strike, so it's not going to happen. Perhaps they are not paying enough attention to what's happening at airports abroad. About a week ago, about ten luggage handling staffers in Brussels were arrested over smuggling out cocaine for a Columbian kartel. They got about 30k euro per suitcase. ( http://www.standaard.be/artikel/detail.aspx?... ; Dutch language only ) According to police, this had already been going on for quite some time. Now if organised crime can infiltrate airport staff, so can jihadi networks.
Carl • December 23, 2010 11:20 AM
@Ryan
"The majority of the nation in my opinion is irrational. I have spoken to numerous people and the typical response:
"If this is what it takes to keep us safe, so be it"
"I am glad we are searched like this"
They generally do not understand risk and the statistics proving how terrorism should not scare the liberties and freedoms out of us.
My point EXACTLY. The only people being "terrorized" by security checkpoints is you few "libertarians".
Ryan • December 23, 2010 12:09 PM
@ Carl
Your point is so exact, no one understands what you intended.
ToddW • December 23, 2010 12:28 PM
@Carl
I'm not a libertarian. If by "terrorized", you mean creating fear, then, I am far more terrorized by security checkpoints than by terrorists. I feel betrayed by the people who are supposed to be upholding my freedom. Imagine the difference between getting punched by a drug addicted mugger and getting punched by your dad when you were a kid. I've had neither happen to me but being hurt, even a little bit, by someone close to you is much worse than being hurt by a bad guy. That is what I'm trying to convey.
Carl • December 23, 2010 2:27 PM
For the longest time, I couldnt understand why Bruce was making these crazy, non logical arguments wrt airport security.
He's one of the top 100 crypto guys in the world (probably), inarguably wrote the best technical book ever written (Applied Cryptography), yet there he was, making these nonsense arguments.. it didnt make sense.
Then it struck me. security in algorithms is much different than security in networks, is much different from physical security in the real world.
You wouldnt hire Michael Jordan to advise you on good lawn maintanance.. A great many folks dont get that.. security is security, right? wrong..
Some of the key differences between crypto security and real world physical security.
Cost:
-crypto has a one time design/review cost, it's ongoing operational cost is only really only related to upgrading systems in the field.
-real world physical security has design cost, but it's overwhelming cost is the ongoing implementation cost. Unlike crypto, the relative expenditure on ongoing cost dwarfs the original design cost and impacts the design in a major-major way.
Constraints on system design
- in crypto one might argue that being able to run fast in SW, or being able to run on low power, low memory devices for example impacts crypto design a bit, but in reality there arent any constraints, if it works, it works. The only ease of use constraint that I can think of that might parallel real world, is the impracticality of one time pads. Basically minimal constraints on design.
.- in real world secruity the contraints are astronomical. Everything has to be weighed against the impact on travelers, the impact on the airlines and the reaonableness of the ongoing operational costs.
How security is obtained:
- in crypto, good security is in the key, not the obscurity of the algorithm. Open review of the algorithm details ensure a better end result, and since the security is in the key, security is not compromised by doing so, nothing is revealed.
- in real world physical security there is no "key". The security MUST be in the algorithm, so security thru obscurity isnt a bad thing, it's a good thing. Not knowing what they are up against provides a significant deterrant for bad guys and increases the overall security of the system. Constrain yourself to building a keyless encryption protocol and you'll get a sense of the challanges of real world physical security.
The requirements:
- in crypto, the requirement is straight forward. Build something that is "hard" to break. ("hard" is it is used here is a term with very specific meaning, crypto guys will know what I am talking about, it basically means you cant crack the system in any kind of practical manner...)
- in real world security, it's impossible to build a system that is "hard" to break. The requirement is very nebulous, there really is no clear bar.
as a crypto guy, when Bruce finds a flaw in some part, his reaction is "that's it, game over, your system is broken", because that's the way it is in the crypto world. One problem tanks the algorithm.
in real world physical security however, it's much different. Total security isnt possible, EVERY thing has a flaw in it. You build up the security of the entire thing by adding together these little flawed peices.
So Bruce, your problem is that you're attempting to apply your crypto chops to real world physical security. If you were to devote your life for a couple of years to the problem of network security for example (intrusion detection, malware, etc..), you would have a much better basic understanding of the problem the TSA faces and the solutions they design. The problem set is vastly different, the solution set is vastly different. Apples and oranges.
Brandioch Conner • December 23, 2010 3:39 PM
@Carl
Read Bruce's work on "attack trees".
http://www.schneier.com/...
"The security MUST be in the algorithm, so security thru obscurity isnt a bad thing, it's a good thing. Not knowing what they are up against provides a significant deterrant for bad guys and increases the overall security of the system."
I don't think you understand that.
1. The terrorists in this attack expect to die in the attack. There is no deterrent as long as they can kill some of the "enemy".
2. Once the obscurity is revealed, the entire system collapses. If you keep a door key under your door mat, that's "security through obscurity". It doesn't improve your security. It bypasses your security.
Carl • December 23, 2010 5:39 PM
@Brandioch Conner
"terrorists in this attack expect to die in the attack"
precisely, so getting caught by the screening process before they assemble the bomb on board is a failure for them.
"if you keep a door key under your door mat, that's "security through obscurity""
the classic example of cryptography (lock and key). thanks for making my point about you guys not understanding the difference between that an real physical security.
Try building a house secrity system that doesnt make use of a lock or a key. That's the situation TSA faces..
David Schwartz • December 23, 2010 7:13 PM
GregW: ""If so, then is this really just a "public safety" search to protect the plane? Not really; then the argument is just a red herring.""
No. It doesn't matter whether or not the search is "just" an administrative search to protect the plane. It matters whether every part of the search that actually searches something (and would therefore be a 4A violation if not justified by the administrative search rule) is reasonably necessary, under a very deferential standard, to meet the special needs that justified the administrative search.
There is no rule in common sense or at law that says that those executing an administrative search have to ignore evidence of a crime should they stumble on it.
IMO, there have been cases where the TSA has crossed this line. Hopefully, courts will hold them accountable, but I'm not holding my breath.
amused • December 23, 2010 7:32 PM
"Our protocols on the breast have been the same for years now."
- John Pistole
Carl • December 23, 2010 11:00 PM
@Brandioch
I read the bit on attack trees, it's good stuff but nothing ground breaking. People have been assessing the probability of various attack scenarios and spending time/money accordingly for 10,000,000 years..
I think the problem is with Bruce's approach, is that he's still thinking binary.. you either stop an attack vector completely, or dont bother at all with it.
I see it again and again in his stuff. He pokes a hole in something which in his mind renders it useless.. He doesnt seem to grasp the way all of these little flawed things add up to overall security.
Either that, or his libertarian bent causes him to argue agianst good security, because it "infringes liberty", making it "bad security". I see that a lot of that here as well..
Q. How do you get good airport security
A. Well, we know that the govt is evil, and that evil things reduce security, so if we stop them from doing what they are doing and oppose them at every turn, we will increase security.
A strange argument to say the least..
A Nonny Bunny • December 24, 2010 12:43 AM
@Brandioch Conner
> The British had a poster from WW2
> "Keep calm and carry on". And a LOT
> more people died in WW2 than have
> died from terrorist attacks.
That poster was from before the actual outbreak of the war, and it was also never used.
A Nonny Bunny • December 24, 2010 12:54 AM
@Carl
I think you're seriously misreading what Bruce writes. He _always_ says that the time and money spend on security theater would be more effectively spend on actual security, as in, intelligence and policing.
All that TSA fluff costs a lot of money, and _doesn't deliver_ . All those little flawed things? They _don't_ actually add up to much overall security, yet they cost a fortune.
Bruce is all about getting the most actual security bang for your security buck. Unlike politicians which are just about the biggest show of "security" and covering themselves.
GreenSquirrel • December 24, 2010 3:00 AM
My take is that Carl is deliberately misreading what Bruce writes because he (Carl) wants to frequently, and publicly, support anything the US Government does in the War On Terror (no matter how nebulous) and that he (Carl) is more than willing to let strawmen be the crux of the debate.
The quote about sacrificing liberty for security is so well known I see no point in repeating it here, however the principle is still sound.
The idea that public funds are spending vast sums on ineffective security measures should offend everyone, not just "libertarians."
Implementing measures which *only* combat the last method of attack may appear sound but this is an illusion. This illusion will do nothing but feed public fear (because each new attack will be headline worthy). Saying that those involved in this reactive security are "doing the best they can" is pretty much meaningless. If this is really the best they can do then we need new people.
Resources are finite. Spending them on ineffective things is not "good security." Saying ineffective things are effective to show support of the system/nation is not good security.
Carl • December 24, 2010 10:35 AM
@nonny squirrel
"He _always_ says that the time and money spend on security theater would be more effectively spend on actual security, as in, intelligence and policing."
as if, they arent currently doing that? As recent successes demonstrate clearly? Bruce must realize that screening is only a part of the security they are doing, yet it's 100% of what he focusses on.. why?
Bruce: "I've long thought that most of airline security could be ditched in favor of well-trained guards, both in and out of uniform, wandering the crowds looking for suspicious behavior."
good example.. TSA security _is_ currently doing this.. Bruce apparently thinks they arent? not sure how that belief would even be possible.. so why did he say it? naiveté of just trying to find something, anything to criticize?
"The quote about sacrificing liberty for security is so well known I see no point in repeating it here"
here, since you dont know what the _actual_ quote is, I'll give it to you. Please attempt to quote the _real_ version, not the watered down inaccurate one(delete "essential" and "temporary") that better fits the libertarian POV.
“They that can give up _essential_ liberty to obtain a little _temporary_ safety deserve neither liberty nor safety.”
Carl • December 24, 2010 10:42 AM
@squirrel
"Implementing measures which *only* combat the last method of attack may appear sound but this is an illusion"
Bruce definately expends a lot of energy trying to make it seem as if that's _all_ they are doing. Which of course is nonsense.
Someone builds a bomb based on treating the fur of a teddy bear somehow.
TSA in response has chemists analyze the attack and implements 10 new screening procedures, one of which is a ban on all stuffed animals.
Bruce in response, announces that this is "security theater" and "cover your ass" security.
If the threat still exists, wouldnt the TSA be incredibly stupid not to address it?
Brandioch Conner • December 24, 2010 1:04 PM
@Carl
"the classic example of cryptography (lock and key). thanks for making my point about you guys not understanding the difference between that an real physical security."
I don't think you understand cryptography. Or physical security. Hiding your door key under your door mat only works as long as no one looks under the door mat. No matter how good your home defenses are, you are relying upon no one looking under the door mat.
"I think the problem is with Bruce's approach, is that he's still thinking binary.. you either stop an attack vector completely, or dont bother at all with it."
I'm not seeing where you are getting that from. From what I see, it's all about raising the cost of each attack to a point higher than the gains from the target.
If it costs you $10 million to crack a single safe containing $10,000, then most of the people interested in getting to that $10,000 aren't going to be interested any more or be able to afford it.
"He pokes a hole in something which in his mind renders it useless.. He doesnt seem to grasp the way all of these little flawed things add up to overall security."
Again, read up on attack trees. As long the total cost of each of the steps needed to crack the target is higher than the value of the target then that path probably won't be chosen by the attacker.
But looking under the door mat has zero cost. So putting a flawed system into the path adds zero cost to that path. Therefore, a flawed system (security through obscurity) is not "secure" in this context.
I think you're conflating "deterrence" and "security".
Security stops an attacker from getting to the target.
Deterrence stops a potential attacker from ATTEMPTING to get to the target.
moo • December 24, 2010 1:10 PM
I think the yearly intelligence budget (CIA, NSA etc.) in the U.S. is something like $26 billion dollars? And the TSA's budget is something like 7 billion dollars. Note that the cost of airport screening approximately quadrupled between 2000 and 2002 (http://www.usatoday.com/news/nation/2002/04/11/airport-security.htm). I don't know if it has increased even more since then; it seems unlikely to have declined.
Now lets compare the usefulness of the entire intelligence community with the usefulness of the TSA. The TSA harasses millions of passengers every month, throwing out their little shampoo bottles and taking away their nail clippers. As far as we know, the TSA has not foiled a single terrorist attack in the past 10 years. (Though alert passengers have foiled a couple of them, such as the shoe bomber and the underwear bomber).
Imagine if we went back to the level of passenger screening we had in 2000: metal detectors and occasional random or targeted searches of passengers and bags, and maybe the occasional explosives swab or bomb-sniffing dog. Send back the expensive, invasive and ineffectual nudie-scanners, stop doing the aggressive pat-downs, and go back to treating passengers with dignity and respect (and of course, still scrutinizing them carefully for signs of odd behaviour).
Assume that by rolling back the screening level, we could save $2 billion per year. Now imagine how much good that $2 billion dollars would do if redirected into other pursuits that are more useful for security! Some of it could be added to the investigative budgets of the FBI or DHS or NSA or even local police forces. It could be used to educate passengers about how to spot and disrupt a terrorist attack. Hell, if you just want to save some lives, you could use it in a campaign to crack down on cell phone use while driving.
The point is, that we are spending a lot of money on nearly-useless security theatre. Yes, the nudie-scanners can detect some things. No, they won't stop a determined terrorist who is willing to stuff a couple pounds of PETN up his ass. We might as well stick with the simple metal detectors that were in use 10 years ago and are still installed at virtually all of the airports.
Another bogus statistic: NASA's budget is something like 17 billion dollars per year. If we could somehow take half the budget of the TSA and redirect it into NASA funding, the long-term benefits would be huge.
Really, spending that money on just about anything would be better than spending it on harassing all air passengers (virtually all of whom are NOT terrorists). Even if we used it specifically to fight terrorism, a few billion dollars can pay the salaries of a lot of investigators, and can supply them with a lot of equipment and support.
Carl • December 24, 2010 3:07 PM
@Brandioch
"the classic example of cryptography (lock and key). thanks for making my point about you guys not understanding the difference between that an real physical security."
"I don't think you understand cryptography. Or physical security. Hiding your door key under your door mat only works as long as no one looks under the door mat. No matter how good your home defenses are, you are relying upon no one looking under the door mat."
LOL
look this is crypto 101, lock (encrypt/decrypt), key (key). it's the classic example.. I've been working in computer security for decades.. lol
I guess I should have been a bit more clear for those new to the issues. by "real physical security", I'm talking about TSA screening, which I equated with virus scanning, intrusion detection, malware detection. These 4 types of "security" are _vastly_ different than crypto (symmetric/asymmetric) security.
Security thru obscurity when applied to crypto is a bad thing.
Security thru obscurity when applied to "real physical security" (as I defined it above), is a good thing.
Brandioch Conner • December 24, 2010 3:55 PM
@Carl
"LOL
look this is crypto 101, lock (encrypt/decrypt), key (key). it's the classic example.. I've been working in computer security for decades.. lol"
And yet you don't seem to understand the issue there. Without knowing the exact key you should not be able to crack the encryption (or door lock).
Finding the door key is hidden under the door mat means that you now have the key. With a zero cost.
That's what "security through obscurity" means.
"Security thru obscurity when applied to "real physical security" (as I defined it above), is a good thing."
No it is not and I've given you the classic example. Hiding the key under the door mat does not improve your security at all. All it does is provide an additional path to the target (read "attack trees") with zero cost.
Adding an additional zero-cost path cannot improve security.
Carl • December 24, 2010 9:07 PM
@Brandioch
ok, one last time
The key is always private (yes, I am well aware of public key cryptosystems, however, there is a private portion there as well, and the private key is kept private)
once again: the key is _always_ private.
the phrase "Security thru obscurity" doesnt have anything to do with the way you maintain your key, be it good or bad, that is the domain of key management.
That phrase has everything to do with the design of the lock. If the locks design was published, and publically reviewed. Then that's good as it presumably led to a more robust design. If the locks design is a closely guarded secret (read - proprietary), that's what we call "security thru obscurity", as the design is presumably iffy.
If you want to keep the key in the lock all the time, that's just crappy key management. It has nothing to do with the lock design.
"Security thru obscurity" pertains to algorithm design, not the key selection (or protection).
get it? geeze, take a course will ya?
In airport security, there is no "key", there is only an algorithm (the screening procedure). that is why it is much more similar to virus scanning & intrusion detection who likewise have no "key", and rely on algorithms to ferret out the bad guys.
Carl • December 24, 2010 9:11 PM
Security thru obscurity, there's even a wikipedia entry on it..
http://en.wikipedia.org/wiki/...
Brandioch Conner • December 25, 2010 12:29 PM
@Carl
"The key is always private (yes, I am well aware of public key cryptosystems, however, there is a private portion there as well, and the private key is kept private)"
Except, as I have pointed out, when you believe that hiding the door key under the door mat is a good idea because no one knows it's hidden under the door mat.
Which is why I've been pointing out Bruce's work on "attack trees" for you.
Allow me to quote from your previous post:
"So Bruce, your problem is that you're attempting to apply your crypto chops to real world physical security."
Seems that you were wrong on that.
ZabLilly • December 26, 2010 2:58 AM
Not re this article, but security theater in general. Playmobil has produced a toy airport security checkpoint for the little ones. Beloved by gungho TSA management moms and dads, and possibly a few helicopter mothers who want to prep their little ones in detail before the flight...
Brandioch Conner • December 26, 2010 1:40 PM
@Carl
You do realize that the book you linked to is written by Bruce, right? With the title "Applied Cryptography".
Hadn't you earlier posted:
"So Bruce, your problem is that you're attempting to apply your crypto chops to real world physical security."
Isn't that 100% contradictory to your original statement?
Sakshale • December 26, 2010 4:31 PM
I firmly believe only two things have made flying safer.
1 - The rules of engagement for the flying public have shifted from "passively cooperate" to "actively engagement" when faced with a threat.
2 - The pilots are behind a locked door and possibly armed.
Those two changes, by themselves, will prevent another 9/11 attack.
All the rest of this so called security system, setup by the TSA, is aimed at suicide bombers. Sorry, if I hurt anyone's feelings, but it is a multibillion dollar waste of money.
Sakshale
I see everyone has been having a restful holiday.
Carl:
Since you arrived here, you've been doing a lot of misreading. Not all of that is your fault; some commenters are amazingly bad at communicating with anyone who doesn't share certain background knowledge and beliefs. Also, some of them have misread you in turn. Sometimes, though, you are so bizarrely off base that it's hard to believe you're not doing it on purpose. Case in point:
===
Bruce: "I've long thought that most of airline security could be ditched in favor of well-trained guards, both in and out of uniform, wandering the crowds looking for suspicious behavior."
good example.. TSA security _is_ currently doing this.. Bruce apparently thinks they arent? not sure how that belief would even be possible.. so why did he say it? naiveté of just trying to find something, anything to criticize?
===
In the 2007 interview that you are quoting, Bruce actually says: "Let's talk about behavioral profiling. I've long thought that most of airline security could be ditched in favor of well-trained guards, both in and out of uniform, wandering the crowds looking for suspicious behavior. Can you talk about some of the things you're doing along those lines, and especially ways to prevent this from turning into just another form of racial profiling?"
After that, Kip Hawley talks for a while about behavior detection, and Bruce responds by describing it as "really good news." There is no way for an honest person who is paying the slightest attention to read that as indicating that Bruce doesn't think the TSA does behavior detection.
If this really is an error, you need to start reading more carefully. More importantly, you need to acknowledge the error, and if possible explain how you came to make it. I am very close to concluding that you're *not* making honest errors, but trolling.
Carl • December 28, 2010 11:13 AM
@Brandioch Conner
------------------------
You do realize that the book you linked to is written by Bruce, right? With the title "Applied Cryptography".
Hadn't you earlier posted:
"So Bruce, your problem is that you're attempting to apply your crypto chops to real world physical security."
Isn't that 100% contradictory to your original statement?
---------------------
1. Applied Cryptography is the best technical book ever written
2. I referenced it, because you seem to have an extremely limited understanding of the crypto world, as illustrated by your inability to grasp what they crypto community means when they say "security thru obscurity". Namely, that the details of an ALGORITHM (not key) should be publically vetted to ensure no holes.
Reading Applied Cryptography would give you a much better grasp of the issues in the CRYPTO world.
3. Now, when we're talking about intrusion detection, malware, virus checking (which I equate with "real world physical security", i.e. airport security and counter terrorism, in terms of the type of problem set), we're talking about something DIFFERENT.
Different problem, different solution.
Bruce is top of the heap in the crypto world, deservidly. His solutions are universally appreciated for what they are, solid crypto. Outstanding math.
Bruce is NOT top of the heap in the "real world physical security" realm, his solutions are (in my opinion) extremely naieve. The chops in one space arent translating to the other space.
So, my statement is not contradictory at all..
read the book
Carl • December 28, 2010 11:46 AM
not to double post, I responded to the moderators question here:
http://www.schneier.com/blog/archives/2010/12/...
Brandioch Conner • December 28, 2010 2:56 PM
@Carl
"1. Applied Cryptography is the best technical book ever written"
And stating that in no way supports your statement that Bruce does not understand physical security.
Since the issue was whether or not you could support your statement about Bruce's ignorance, referencing Bruce's expertise contradicts your stated position.
averros • December 29, 2010 2:36 PM
Carl is most likely a TSA/DHS employee.
They have been caught - repeatedly - trolling in the air travel and security blogs pushing pro-TSA demagoguery.
BF Skinner • December 29, 2010 4:27 PM
@averros "trolling in the air travel and security blogs "
They need to recruit clearer thinking people.
Ben • December 30, 2010 11:14 PM
Easy. Post a guard at the door. No need for lock and key.
The problem isn't that the guard does not stop roobberies. He does that very well. The problem is that the guard insists on groping everyone, including long, loyal customers. Repeatedly. Without reasonable cause.
And a stupid little kid sneaked unnoticed through the back delivery door.
richard • January 24, 2011 9:04 AM
John Pistole is a pathological liar like the the rest of the Government. This jerk took Lying 101 at the FBI Academy. He does not have to submit to an pat down as he holds a pass card as do Congressmen and Senators. While Gramma & Grandpa are being searched who is screening the baggage handlers,mechanics,caterers,ground crew. These people are not screened! What's it going to take America? Just don't fly. TSA Sigmoidscopys are next! Do you really want some illiterate HUD TSA employee probing your rectum?
richard • January 24, 2011 9:13 AM
If you feel that you have been touched inappropiately by an TSA clerk, stand up for your rights, summon the Airport Police and have the TSA employee arrested! The police have to comply if you swear out an arrest warrant. Also, don't carry a large amount of money or wear expensive watches and jewlery, TSA clerks can and will rob you! Better yet, just don't fly. Take a train,bus,boat,or drive to your destination.
Subscribe to comments on this entry
Post a comment
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
|
| Subscribe |
Subscribe via Kindle |
| Blog Menu |
SearchPowered by DuckDuckGoBlog Home Page
Archives by Date2013 J F M A M J
Tags  |
| Latest Book |
more books by Bruce Schneier |
Comments