Schneier on Security
A blog covering security and security technology.
August 15, 2005
Secure Flight News
According to Wired News, the DHS is looking for someone in Congress to sponsor a bill that eliminates congressional oversight over the Secure Flight program.
The bill would allow them to go ahead with the program regardless of GAO's assessment. (Current law requires them to meet ten criteria set by Congress; the most recent GAO report said that they did not meet nine of them.) The bill would allow them to use commercial data even though they have not demonstrated its effectiveness. (The DHS funding bill passed by both the House and the Senate prohibits them from using commercial data during passenger screening, because there have been absolutely no test results showing that it is effective.)
In this new bill, all that would be required to go ahead with Secure Flight would be for Secretary Chertoff to say so:
Additionally, the proposed changes would permit Secure Flight to be rolled out to the nation's airports after Homeland Security chief Michael Chertoff certifies the program will be effective and not overly invasive. The current bill requires independent congressional investigators to make that determination.
Looks like the DHS, being unable to comply with the law, is trying to change it. This is a rogue program that needs to be stopped.
In other news, the TSA has deleted about three million personal records it used for Secure Flight testing. This seems like a good idea, but it prevents people from knowing what data the government had on them -- in violation of the Privacy Act.
Civil liberties activist Bill Scannell says it's difficult to know whether TSA's decision to destroy records so swiftly is a housecleaning effort or something else.
"Is the TSA just such an incredibly efficient organization that they're getting rid of things that are no longer needed?" Scannell said. "Or is this a matter of the destruction of evidence?"
Scannell says it's a fair question to ask in light of revelations that the TSA already violated the Privacy Act last year when it failed to fully disclose the scope of its testing for Secure Flight and its collection of commercial data on individuals.
My previous essay on Secure Flight is here.
Posted on August 15, 2005 at 9:43 AM
Has anyone else noticed the little holographic stickers that TSA attaches to some (all?) checked bags? It's not clear to me what "cleared" by TSA means. Does it mean that the bag was opened and inspected?
Here is a scan of one of the stickers:
Some of them are just "pass through the kickass scanner".
I got flagged (the cursed SSSS) on my last flight. The skycap walked my bag over to the TSA tunnel with me next to it, I watched the bag go in the machine, get pulled out on the other side by a TSA person who slapped a sticker on it and tossed it onto the baggage conveyor.
If DHS does not want anyone else looking into what they are doing, then they need to take full responsibility for what happens. If something bad happens with this new system, then I want Michael Chertoff to be in the hot seat for it.
Just saw this story, about babies being caught by no-fly lists. There is a pretty good quote by the mother of a 1 year old who was stopped last Thanksgiving: "I completely understand the war on terrorism, and I completely understand people wanting to be safe when they fly," Sanden said. "But focusing the target a little bit is probably a better use of resources."
The baby story makes me think the TSA doesn't trust its own staff in the field, these supposedly trained personnel who protect air travellers.
OK, so a bureaucracy doesn't want people to twist the rules, but they can have sets of rules which allow people to make a decision, and even require that decision to be recorded. They can have a chain of command and responsibility.
But from this, it looks as if they don't.
What is interesting in the baby story is that it says that TSA tells airlines not to deny boarding, or select for additional security searches, children under the age of 12, even if their names are on the list.
For whatever reason, though, the checkers at the airport are not doing this (I can think of 2 reasons -- either this information isn't being passed all the way down to the checkers, being blocked somewhere between TSA policy creators and those at the bottom of the ladder doing the checking, or the checkers have decided that TSA is wrong and they need to go full out on every name that is on the list, no matter who it is).
I recently flew from Milwaukee to Baltimore and back. Initially I left my double-edge shaving razor blades at home, thinking they'd cause me trouble if found in my carry-on (my only luggage). They are loose blades, not contained in a cartridge, and I confirmed that they are listed as a prohibited item on the TSA website.
One of my companions is an illustrator and had a blade from a utility knife in his art supplies, also in his carry-on. He wasn't stopped in Milwaukee, so on the way home I left my newly purchased (in Baltimore) double-edge blades in my carry-on. Neither of our carry-ons raised any alarms, nor were they inspected in either airport.
In Milwaukee we were told to remove our sneakers for a pass through the scanner. In Baltimore when I repeated that charade, I was told that next time I don't have to bother removing them.
I'd like to know just how exactly we're safer now, when the very items used in the 9/11 hijackings are given a free pass, and there are inconsistent "shoe policies" in Milwaukee and Baltimore.
I am a former passenger screener and I would like to comment on some of the things I am reading here. First, the very notion that Congressional oversight should be removed from TSA is ridiculous. In fact, TSA needs to be brought under even more scrutiny than ever! Everything needs to be made public. As for the terrorists, there are so many ways around the so-called "security procedures" that a dedicated terrorist has only to do a little work and planning. The head of Israeli security once told a local reporter that the US does not have a real security structure, we have a system for annoying people. This, however, is of little concern to TSA. Management has made it clear in the time I was there that they have themselves to take care of.
The problem is that given the speed with which the organization was brought online, too many corners were cut, too many exemptions made to get it going. Now, three years into it, TSA leadership enjoys the fact that many laws you and I have to live with do not apply to them. This runs all the way down to the airport level. I am not saying the screeners themselves, they are doing the best they can with what they have to work with, which isn’t much. Three years ago, TSA was about security, now it is about keeping and augmenting power at the expense of...well...anyone, everyone. They will do what they need to do to accomplish this and the White House, where this little brain-child was born, will back them up.
The shock of TSA deleting 3 million records is, in my mind, dwarfed by the shock that it was ONLY 3 million and no, Mr. Scannell, it wasn't housekeeping. They were covering their respective SSI classified butts.
Congressional oversight is a must with both TSA and the administration that spawned it. It is time to expose TSA to the light of day, whether they like it or not!
TSA is in an infant stage of development compared to many administrations and when there is a mistake or problem, it will be a big one due to the fact that this is a very large organization. Many people will be affected by a minor problem, which makes it seem bigger than it really is in some cases.
The baby on the no fly list is probably due to his/her name being spelled exactly the same. Someone or a machine didn't take in the birth date of that individual. BIG DEAL!
Find something else to cry about and get someone to change your diaper.
They are trying to do a job that a lot of passengers don't like or understand well enough to be complaining as much as they do. The people trained and are continuously being trained are trying to keep everyone safe from being a victim of terrorism to put it extremely simply. Rules are still being adjusted to try to make people feel more comfortable with the process of boarding an airline. One thing all you "Americans" should realize as well is, flying is a privilege just like driving is. Do you know someone that has had their driver's license taken away or suspended? Your privileges of flying can be taken away. It's not your right to fly. I'd rather get to the airport earlier to take on the inconvenience of being searched than take the chance of being blown up or being a victim of terror in some other way. Do you know the reason behind why they search "Little old ladies?" Think about it and you will come up with a couple reasons if you are smart enough and not locked into a narrow, ignorant, uninformed mind set.
I feel ignorant myself thinking someone actually took over a flight with a freakin' sheetrock knife. What were they, too scared of getting cut, but willing to crash?? That flight should have been saved if there weren't so many "born to be victims" out there, but I don't know the true circumstances of the flight. If the terrorist had the knife up to a person's throat, would you attack him/her anyway to save the rest of the passengers.....damn straight I would. One death compared to televised captions of many slaughtered is not newsworthy enough for terrorists to try that way again.
No one is saying that TSA is not fighting the good fight against terrorism. They are and there is no question of it. The problem is one of abuse and deceit. TSA management abuses its screeners, they lie to the public, manipulate the system and convince themselves that they are doing all of this in the name of airline security and public safety. TSA has a long way to go to earn the trust of a skeptical public.
Granted, there are some problems, lots of problems with the way things are run. Some take advantage of their situation while others get stepped on.
Middle management can use a serious cleaning.
Where's Donald Trump when you need someone to say, "YOU'RE FIRED!" LOL
I've looked into TSA out of curiosity since I've been searched so much when I fly.
It seems procedure overrides common sense. From what I've heard, that tends to create friction among the more intelligent screeners. Maybe keeping judgment out of the screeners' hands keeps liability off of the individual screener?? Abuse of the screeners can be dealt with by taking action going through the chain of command until something is done, or leave them with their motley crew that allows themselves to be abused and find better employment on another career path.
There are some good people wanting to do their job while others only use the job as a stepping stone to get elsewhere. That doesn't help matters when someone doesn't care for the job in the long run. I've experienced the, "I'm a college student I don't care about this job" attitude enough in other lines of work. I don't need it at the airport. Maybe one of these days the airports will be back to a smaller group of law enforcement to guard our flights. I'm sure there are more TSA employees than needed at this point in time. They just aren't very efficient right now. Maybe if their budget was cut back, they might find a better way to do the job and keep people happy.
I just shook my head. "A =name= list? These people are trying to identify terrorists by building a centralized list of millions of =names?="
I submit that you cannot fight terrorism by building a list of millions of =anything.= You cannot fight a de-centralized enemy by using centralized, hierarchical, bureaucratic techniques. Criminals know this and effectively conceal their intentions using a combination of stealth and noise.
The fact that Senator Kennedy found his own name on "the list" is proof alone of how pointless that strategy is, and the fact that TSA wants to exempt itself from oversight is also proof that =they= know it's pointless, too.
What =will= work? How about "ten thousand eyes?" How about creating the means, using off-the-shelf internet technology, whereby law enforcement officers around the country can share information .. not in a top-down hierarchical way, but across? Things like VPN, wiki, blogs. Instead of sending terabytes of information to government contractors on the Beltway to be disseminated like little nuggets of gold to the officers in the street who actually know what's going on in their precincts ... let those officers communicate among themselves using the technology you merely provide.
I am soon to be an ex-screener (6/06). I imagine it to be like being let out of prison. The entire organization should be abolished; it is at best an illusion of security.