Schneier on Security
A blog covering security and security technology.
« Auditory Eavesdropping |
| Cloning RFID Passports in Five Minutes »
December 19, 2006
The New York Times on Airline Security
Good article on airport security and the TSA. Matt Blaze and I got some really good quotes.
BTW, regularly people chastise me for complaining about airline security but not offering any solutions. I generally send those people to the last two paragraphs of this article.
Posted on December 19, 2006 at 2:40 PM
• 41 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I don't expect any of them will be followed. The TSA is staffed by people who enjoy controling people and making them do their bidding. If they did not have airport security as an outlet for their dominant S&M fantasies, they would have to work in some other, less satisfying, occupation that allows the abuse of the general public. Not very many of those jobs left these days.
Common Sense hits the mainstream? It cannot be!
Oh, never mind, this is just the New York Times.
The thing that saddens me is the people responsible for our security are not interested in the subject from an academic and professional point of view.
When was the last time we saw an industry recognized 'expert' in security placed in a Government security(&policy) role?
Bruce, FYI the "Movie Plot Threat" link at the end of your article doesn't work.
This awareness raising which is now reaching a broader reading base, is the best weapon in the fight against the undermining of civil rights and the bullying of innocent citicens.
Have you ever done a post on "root trust". At my last startup I spent a considerable amount of time building a new microkernel operating system that is capable of ensuring "root trust". I just wondered if you've ever written about it?
I'm surprised to see such a clueful article in the NY Times; it appears that one reason for its cluefulness was that it was not written by a Times staffer, and the author didn't labor under the burden of preserving good relations with the TSA for future stories.
I suspect that the #1 reason that Big Media is so reluctant to call bullshit is that they think they need continuing cooperation from the bullshit artists for future stories.
@Alan: "The TSA is staffed by people who enjoy controling people and making them do their bidding."
What a way to talk about neo-con Republicans!
"I suspect that the #1 reason that Big Media is so reluctant to call bullshit is that they think they need continuing cooperation from the bullshit artists for future stories."
See The Propaganda Model http://en.wikipedia.org/wiki/Propaganda_model
I thint there should be a box of pocket knives at the jetway ramps with a sign that says "Take one or leave one." My guess is that a plane load of potentially armed passengers is much more of a threat to a would-be terrorist than the silly system they have now.
Perhaps the TSA has had too many people trying to cheat the system - where those following the rules are now the exception.
My partner recently flew from New Zealand to Canada, via Los Angeles. She was stopped and searched at LA - the reason proffered was that she (and her luggage) DIDN'T set off the security scanners - which was apparently suspicious.
Tell me, how do I win this game?
(I realise it might just have been a random search - but use that as the reason, not that things are too 'perfect')
We recently flew to Hawaii and the TSA kept us all secure by confiscating our yogurt (for our breakfast while waiting those extra hours needed to get through security) and the frozen gel-pack used in our portable cooler.
But they let us bring our jars of almond butter and blueberry preserves -- they didn't even consider them as far as I could tell.
We all felt much safer knowing that every TSA security test fails miserably with weapons being smuggled through security, but we either increased the landfill or helped feed TSA workers who maybe just wanted some breakfast for themselves.
Liberty is best when it's denied, or so it seems....
"But they let us bring our jars of almond butter and blueberry preserves -- they didn't even consider them as far as I could tell."
That's so unfair. I got a pot of mustard -- good mustard, too -- confiscated by the TSA last month.
Some TSA agent must have had a ham sandwich planned for lunch that day.
The last time I travelled it was international and I was flying with 90% of my worldly posessions and about 10 Liters of booze.Testing the system was not an option.
Has anyone ever been told that you couldn't fly with something (like Rolling Eyes' yogurt) and simply consumed it posthaste right there at the checkpoint?
"I think there should be a box of pocket knives at the jetway ramps with a sign that says "Take one or leave one."
Stop screwing around. There should be a box of .22 pistols at the jetway ramps just to make sure.
"I got a pot of mustard -- good mustard, too -- confiscated by the TSA last month."
They were worried you would use a tube (pen case?) to fire pellets of mustards into people's eyes. If yoghurt is dangerous then mustard is practically a chemical weapon.
BTW, the NYT article does not appear to be accessible to non-subscribers.
except that, given the current cultural climate, a lot of sihks and muslims would get stabbed to death simply for speaking a foreign language.
Better than handing out pocket knives or .22 pistols, aluminum baseball bats -- no sharp edges and no accidental discharges (or running out of ammo).
Imagine a terrorist team trying to scare an enraged mob of several hundred wielding metal clubs.
Of course, the only solution for the "TSA problem" which actually passes the muster of common sense is to get the government heck out of security business. And make airlines and their insurers fully liable for all damages caused by inadequate security provisions in case of terrorist acts.
Only then a reasonable balance between security and convenience will be found - for there will be quite powerful incentive for the airlines to find it; and there will be competition to take care of disposing of those companies who fail to find it.
The root cause of the TSA problem is quite obvious to anyone with minimal training in economics: it is monopoly. And as such it has no incentive whatsoever to improve service (including the actual provisioning of security) and only seeks to increase its revenue by scaring its captive clients with security theater and bogus threats. (Oh, and those of us not suffering from amnesia remember quite clearly that it was precisely FAA-mandated procedures which made 9/11 possible in the first place - like, not letting pilots to carry handguns or insisting on letting the bad guys to have their way).
I'm wondering why the press never seems to mention this trivial solution.
One can only hope that this madness stops soon. Most of the airports in Europe where passengers from non EU countries arrive and transfer to connecting flights have huge problems with the amount of waste that is generated because of these regulations.
The system would breakdown in an instant if every passanger would take a bottle of (coloured) water to the security checkpoint in order to throw it away there. ;-)
Nice article. Makes me happy to see that a big paper like the NYT brings this issue into the light of ordinary citizens who might not read blogs and such.
At the same time I have to ask, how does it feel to be on a potential government (Dubya) hitlist?
Next I plan to learn how to use your solitaire encryption technique, it was mindblowing!
@Leo K: from the article "There's an obligation on the traveler to use some common sense"
Why - the TSA apparently don't recongize such an obligation on themselves - half empty liquids containers anyone.
Only thing all this extra security has caused is sowing more fear
Just throwing an idea out here. Why not create an system of rewards that would make flights more secure instead of punishing everyone?
What I'm suggesting is that a system be put in place that rewards those who can demonstrate that they can and will contribute to make a flight more secure. This can be done by: offer a course that teaches regular people how to spot suspicious behavior and how to appropriately respond to that behavior. Throw in a little bit of Krav Maga training mostly because it's good exercise, but the people will also be more confident.
You complete the course, you get a card that lets you through a pre-911 security screen--scan the bags and go through a metal detector.
Those who can't demonstrate their ability to make a flight safer will lose their precious mustard and need to have their shoes checked for dynamite.
The thing I like about this type of approach is that it doesn't really matter if someone tries to game this system. The more people who participate, and who wouldn't for a reasonable price, the more secure air travel will be. Even if you get a few evil doers, their likelihood of successfully disrupting a flight is now greatly diminished. They don't have a single point of failure in their missions, they now need to worry about their fellow passengers foiling their plans.
Wouldn't the air-traveling public appreciate a system where they feel empowered and not feel that they are one poorly worded answer away from a stay in Gitmo?
"Air travellers should not be "too early" for flights from Heathrow over Christmas because they are causing congestion, British Airways has warned."
You have to get there exactly 2 hours before short and exactly 3 hours before long flights.
If you're early, you're causing congestions if you're late, you'll miss your flight because of the checks.
Re: knives, pistols and baseball bats
Penn Jillette made this suggestion in the Cato Institute's Regulation, Spring 2002, in his article "Make the Terrorists Do the Profiling." http://www.cato.org/pubs/regulation/regv25n1/...
Interesting read. Although it was entirely too radical an idea for its time, after years of post 9-11 airline travel, I think it deserves serious consideration.
I'm a big guy who still sports an Army crew cut, so I would have a good chance of being targeted for the first takedown, but I would be satisfied if, while a terrorist was taking me out, the little old lady with the knitting needles in the next row had the chance for a stab in the back.
That Guardian article you reference seems to focus on the locked door to the exclusion of several other factors which would have averted the disaster:
* adequate communication between the pilots and anyone else (what about an intercom?)
* adequate pilot training
* proper maintenance
* better safety systems
Why is "a stewardess rushing in to tell the pilots to put on their oxygen masks" the only way to resolve such a situation?
@ Paul Wiedel:
Interesting idea, but I see a couple of problems:
1. How do you ensure that the card can't be faked/forged? You'd have to solve the same ID problem the TSA is facing.
2. How do you ensure "terrorists" don't take the class? You'd have to solve the same screening problem the TSA is facing.
One of Mr. Schneier's main points in the article is that creating alternate paths in the system allows attackers to bypass whatever security measures you have in place. Instead of worrying about how to make sure only the "good guys" get to take the easy path, just don't have easy paths at all. And if you want to empower the public so people don't feel that they're just one poorly-worded response away from Gitmo, get rid of Gitmo.
"I got a pot of mustard -- good mustard, too -- confiscated by the TSA last month."
Aha! Are you claiming ignorance of the fact that a good mustard mixed with the right combination of meat, vegetables and bread can produce a horribly toxic gas? If you had been carrying matches, they might have kept you off your flight as well.
"it appears that one reason for its cluefulness was that it was not written by a Times staffer, and the author didn't labor under the burden of preserving good relations"
True, but you might say Randall Stross has other burdens of preserving good relations -- more in line with following and pandering to giants of the Silicon Valley. Call me a skeptic but I'm a little worried about the implied values of this author in his new book called "How Thomas Alva Edison Invented the Modern World".
Sorry for the tangent but perhaps my perspective is blurred by the fact that I grew up reading about how Edison loved to steal ideas, or milk them from hundreds of low-paid immigrants he employed to invent things for him. Thus it seems to me he really should be thought of as the guy who tried try to stifle markets and push shoddy but profitable projects into everyone's lives:
"The U.S. Patent Office had ruled on October 8, 1883 that Edison's patents were based on the prior art of a man named William Sawyer and were invalid. In addition, Swan had already sold his U.S. patent rights to the Brush Electric Company in June of 1882. So why does Edison get all the credit for the invention of the lightbulb? Very simple, he owned the power company - what was to eventually become General Electric."
And the innovation and development of lightbulbs has arguably suffered ever since Edison tried to step in (depends on if you value high efficiency or availability more). Anyway, just to tie this back to the topic, my guess is if Edison were alive today he would be a huge "inventor" or investor of TSA screening technology and thus its biggest proponent. Or maybe not, if he couldn't corner the market. Either way, it's interesting to see a big fan of Gates, Jobs, Edison and Silicon Valley investor-types coming out in opposition to the TSA programs.
1. Does it matter that the card is faked/forged? The goal of my scheme is to increase the level of security by educating and enabling the general public, not through static checkpoints and unreasonable rules. The system is meant to encourage the vast majority of the air traveling public to 'be one of the good guys' and learn how they can help. It doesn't matter how easy it is to fake or forge, most people won't even consider risking it.
2. Let the terrorists and evil doers take the class. There is nothing that they will learn from it that will aid them in their goals. If anything it will make it clear that they no longer have single points of security to defeat, instead they have a continuous and ubiquitous set of challenges to defeat, i.e. their fellow passengers.
The easier path in my suggestion is to turn the people who the TSA is treating as part of the problem into the solution. This works because the overwhelming majority of people are not only NOT terrorists or "evil doers" but people who are willing to do their part to make flying safer. Most people are one of the good guys.
The plan also maximizes the utility of the current system. It's far more effective at being something that people want to avoid than a true instrument of security.
@ Paul Wiedel:
If the goal of your scheme is to "increase the level of security by educating and enabling the general public, not through static checkpoints and unreasonable rules", then why would you retain the current system of static checkpoints and unreasonable rules? Is it so that the inconvenience of not having taken the classes acts as a motivation to do so? If that's how you're going to get people to take the classes, then I think the ease of forging/faking your certification is in fact very relevant. Why take the class if it's easy to buy a forgery or fake your way through? And if it costs money to take the class (or buy a forgery), aren't you basically punishing those who have less money?
You also seem to believe that armed and trained passengers can foil all air security threats. No amount of weapons or training for passengers will stop someone from sneaking a bomb into the plane and detonating it remotely or via a timer. So your solution only addresses, at great expense, a subset of what is already an infrequent threat.
I believe the current system is a very effective disincentive to encourage people to seek an alternative to it. It's an unpleasant and inefficient experience.
Many people would go out of their way to avoid it. Some would even pay as much as $80 a year and subject themselves to a battery of background checks.
The proposed educational route, could cost people $80 or less. It doesn't matter--I think $39.99 is a nice price point, but this could be taught at community centers for free like CPR for all I care.
The goal is to make it a more attractive route to enough people that there is a good ratio of trained passengers to untrained passengers.
The training could be a couple of hours. You really just want to teach how to spot suspicious activity and give people a protocol for reporting.
I'm not suggesting that these people be armed. That would cause serious safety issues.
I'm talking about a minimal amount of training, nothing more.
With that said, I don't think it would be any more expensive or futile than the current system. In fact, I think it would be more effective and much less expensive.
Isn't it obvious that sheer political will works much better than your crappy economics?
Don't you know that if you set up a tax-funded monopoly and allow every cluck get to state his opinion on how it should be done that it would work way better than actually letting people invest their own money and discovering by competitive trial-and-error with full liability what the best course of action is?
Economics only works when we feel like letting it work. Security only works when it is done via compulsory monopoly under unquestionable security experts in industry, government, and academia, and debated among people who presume government solipotence as their central axiom.
The question is WHO all this security theater is for. It would seem that it's all for the TSA, so its employees can impress their stupidvisors with how good they are at their job.
I have a mental picture of the following scenario with yogurt: "We have to confiscate your yogurt as a prohibited substance." Passenger eats yogurt. "I'm sorry, we can't let you on the plane. You have just consumed a prohibited substance."
> Isn't it obvious that sheer political will works
> much better than your crappy economics?
There's a well-known fact that domestication reduces size of species brains (and their intelligence, too). I'm afraid, this works with humans, too.
> The system would breakdown in an instant if
> every passanger would take a bottle of
> (coloured) water to the security checkpoint in
> order to throw it away there. ;-)
I'm afriad that the break-down would look like a real terrorist bringing a real bomb stuffed with nails and blows it up at the security checkpoint - exactly the place where a lot of people are standing around waiting to be groped and poked.
@ Paul Wiedel:
You didn't address my point that better training for passengers addresses only a subset of an infrequent threat. If I understand correctly, your idea is to use the inconvenience of the current system of wasteful and pointless security theater to force people to take classes and receive training that has questionable effectiveness against a subset of an infrequent threat. Please explain how this is a good security trade-off.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.