Schneier on Security
A blog covering security and security technology.
March 13, 2007
Airport Credentials Manipulated to Commit Crime
Some airport baggage handlers used their official credentials to bypass security and smuggle guns and marijuana onto an airplane.
This kind of thing is inevitable. Whenever you have a system that requires trusted people -- that is, every security system -- there is the possibility that those trusted people will not behave in a trustworthy manner.
But there are ways of minimizing this risk.
Posted on March 13, 2007 at 3:30 PM
This is an ancient question. Quis custodiet ipsos custodes?
>>>...... a duffel bag containing 14 guns and drugs on a commercial flight from Florida....
The rest of us have enough trouble with a tube of toothpaste or some cologne!
This brings up a good point that I don't see much in the Security debate these days:
Trusted vs. Trustworthy
@McGavin: true, but?
Trusted: a label you apply to someone/thing before you know for sure (or before you know better)
Trustworthy: a label you can only apply with hindsight
"Whenever you have a system that requires trusted people -- that is, every security system -- there is the possibility that those trusted people will not behave in a trustworthy manner.
But there are ways of minimizing this risk."
Exactly. That's why my passwords are a secret even to me.
You'd be amazed at your productivity when you've locked yourself out of your email account.
I've talked to a luggage handler on Amsterdam airport; he gets a metal detector and bag X-ray treatment like the passengers. (As a passenger I've watched it happen to apron personnel.) Copying this to the US would close a security hole.
That's only until hygiene issues surpass terrorism in media attention. Maybe we should stop bathing and brushing our teeth at least one week before flying.
I'm just wondering where they got 14 guns and 8 pounds of weed for 1800 bucks. It's a mystery.
Where are the Arisians when we need them?
"Trusted: a label you apply to someone/thing before you know for sure (or before you know better)
Trustworthy: a label you can only apply with hindsight"
Yes, if we assume you are talking about people.
"Whenever you have a system that requires trusted people -- that is, every security system -- there is the possibility that those trusted people will not behave in a trustworthy manner."
This perfectly describes government itself. I wonder if anyone has done a detailed analysis of the types of security failures that can occur within government itself?
(i.e. - Analysis of the government as if it was a computer operating system.)
...And how many people here believe that the government of the USA currently has multiple trojans/viruses/worms/rootkits in it?
"And how many people here believe that the government of the USA currently has multiple trojans/viruses/worms/rootkits in it?"
If they're smart? The same people who believe that of EVERY government...
From the "Evil Overlord List" http://www.eviloverlord.com/
147. I will classify my lieutenants in three categories: untrusted, trusted, and completely trusted. Promotion to the third category will be awarded posthumously.
"I've talked to a luggage handler on Amsterdam airport; he gets a metal detector and bag X-ray treatment like the passengers. (As a passenger I've watched it happen to apron personnel.) Copying this to the US would close a security hole."
That's a good start but if it's your partner in crime doing the X-raying ...
I just went through OIA Mar 3 & returned Mar 9, and this comes as no surprise. Some of the TSA people looked like America's most wanted, i.e. sleazy, and on my return they took 2 spare rechargeable camera batteries along with a small bottle of cologne, and a bottle of beer: Westvleteren '98. They were there when I went through Customs... as I had the fun of having all my bags gone through and yet they were gone when I picked them up later.
This was AFTER flying and being approved by the Customs agents.
This also brings up another beef I had with TSA: I had to do the xray/metal det./shoes before I could leave! There's no reason or need to be checked as you have never been exposed to an unsecure location after coming through customs, and yet they give you a final search to retrieve baggage? That's just a waste of our tax $$$; the baggage pickup is open to the street and yet the people coming in from the street haven't been checked, yet flyers who just went through Customs, etc. need to be rechecked? B*^$%@!%*^#
Let's not go into how my wife gets the shaft: they cut open her tampons, each & every last one! They are made to be sterile and now .... My wife is a federal worker, flying on tickets bought by the gov. using gov. CCard, etc. and yet each & every time she flies she gets the special treatment.
It's all a bunch of crap and a waste of time & money - OUR TAX $$$$
Screening of passengers for risk analysis is primarily performed by examining reservation data and no-fly lists. However matching of passengers to ID is performed independently at the screening checkpoint, without reference to the reservation data.
Mr. OnNoflylist wishes to fly to a meeting within the USA. He simply makes a reservation and purchases a ticket in the name of Mr. SafetoFly. He then prints a boarding pass, and digitally modifies it on his computer to reflect the name OnNoflylist (quite a trivial operation).
At the checkpoint, he presents his valid ID as Mr. OnNoflylist, together with his modified boarding pass. Then he simply boards the flight using his Mr. SafetoFly boarding pass.
There are many refinements to the technique, but the main point is that NoFly lists have little meaning for flights in the USA (and most other countries). [If unlucky enough to have been selected for special screening, Mr. OnNoflylist will of course have removed that SSSS indication from his boarding pass too]. [Even at some locations where international passengers have identity checked before boarding, this is manual and not crosschecked to reservation or INS data, so that any old fake ID with a fake boarding pass will do nicely]
It is a good example of the futility of the present approach to airport security.
Makes sense to me. Smuggling is good money for a few minutes' work. The credentials are worth more than the salary in cases like this.
"But there are ways of minimizing this risk."
Not if it's in the hands of a compulsory monopolist.
@quincunx: "Not if it's in the hands of a compulsory monopolist."
Security is ALWAYS in the hands of a compulsory monopolist, at least at the local level - otherwise they couldn't even pretend to enforce security.
X the Unknown --
> Security is ALWAYS in the hands of a
> compulsory monopolist,
This is just plainly untrue. Walk in a mall. See the private security guards. Which emphatically do not have monopoly on security services, even at the local level.
Are you claiming they do not provide security or are you claiming police have no powers in shopping malls?
The problem with government-provided security is precisely in the fact that it is monopolistic. Basic economics tells us that monopolies always deliver crappier and more expensive goods than a competitive market. Production of security is no different.
Looks like airport security still has neither a money incentive to stop incidents like that nor any fines to pay for their mistakes.
Bruce, I guess you're either not a smoker, or you smoked so much you forgot how to spell "marijuana". :^)