Schneier on Security
A blog covering security and security technology.
May 2, 2008
Sky Marshals on the No-Fly List
If this weren't so sad, it would be funny:
The problem with federal air marshals (FAM) names matching those of suspected terrorists on the no-fly list has persisted for years, say air marshals familiar with the situation.
One air marshal said it has been "a major problem, where guys are denied boarding by the airline."
"In some cases, planes have departed without any coverage because the airline employees were adamant they would not fly," the air marshal said. "I've seen guys actually being denied boarding."
A second air marshal says one agent "has been getting harassed for six years because his exact name is on the no-fly list."
Seriously -- if these people can't get their names off the list, what hope do the rest of us have? Not that the no-fly list has any real value, anyway.
Posted on May 2, 2008 at 7:14 AM
• 54 Comments
Buried deep within the article is another disturbing fact: The No-Fly list now contains over 500,000 names.
500,000?! How does anyone not get snagged by this list?
it's not sad, it's an artifice.
how is it that a sky marshal can be held off a plane by an airline employee? that's not even remotely possible. i call bullshit.
i know dozens of police officers, from city to federal levels. no one can bar them entry from any place, public or private, to which they are entitled to access. federal marshals do not require permission from airline folks to fly.
this is bogus.
"In some cases, planes have departed without any coverage because the airline employees were adamant they would not fly,"
" no one can bar them entry from any place, public or private, to which they are entitled to access. federal marshals do not require permission from airline folks to fly."
Because as we all know, if the airline won't fly, the air marshals are also empowered to seize the controls and fly it themselves...no wonder they end up on no-fly lists.
There's a positive perspective to this: the airlines are implementing the security policies confidently and not respecting the uniform. This is exactly what we ask any security to do to prevent social engineering attacks.
My favorite reference to the no-fly list was on an episode of Boston Legal in which Daniel Crane, one of the lawyers in the firm, was on a no-fly list, and sued to be removed instead of going through the TSA process. He won after finding all the people named Daniel Crane in the state and putting them in the audience, then at a dramatic moment asking all the people named Daniel Crane to stand up. His final point, made with the help of an iPod, was that if we can fit 20,000 songs into this tiny thing, maybe we can figure out some slightly more accurate way of keeping terrorists off of airplanes.
Mike hit the nail on the head. As bad as things have gotten with the TSA loonies running the air travel asylum, it would be worse if there were a subclass of people able to wave a get-off-the-list-free badge. Of course, the "fix" is likely to be giving them a get-off-the-list-free badge, instead of abolishing this idiotic, ineffective, pointless list. Or the TSA, for that matter.
The department of homeland chickenlittles is just bad opera, without carmen singing an aria.
Where do I go to have people put on that list, I got some people I want treated like terrorists. Obviously there is no penalty for false reporting. Just tell the guy with the lobotomy scar on his forehead what names you want harassed.
I wish all sky marshals were on the No-Fly list. For that matter I wish all government officials were. Airline pilots too, while we're at it.
excuse me for asking, I'm not an American so maybe you'd be able to explain -
why do those lists go by *names*?
Don't you have anything better? such as ID number / Social security / Passport ...
No, we don't have something better. You might as well ask, why does the U.S. have to conduct an official Census every 10 years to figure out who lives here (for allocating Congressional delegations, allocating entitlements, etc.).
The reason is that unlike most Western nations, we do not have a national Identity Registry, to which we are checked in at birth and from which we are checked out at death. It is felt that this is too intrusive and abusable. So instead we rely on ad-hoc, low-fidelity identifiers like Social Security numbers and drivers' licenses and telephone/electricity/banking statements for all kinds of identification. This creates a soup of inappropriate and insecure and unverifiable ID forms that is --- you guessed it --- intrusive and abusable.
In the absence of any substantive privacy laws (we have nothing like the European privacy statutes here), the result is a growth medium for paranoia and error, and a paradise for fraudsters. Bureaucrats get to harass people based on their names. But at least the government doesn't know who we are. Unless they ask the credit bureaus, that is.
The sky marshals are on the list for the same reason the 9/11 hijackers are on the list - can't remove them because then terrorists would know to use one of their names to get around the list.
Five hundred thousand names.
Let's do an experiment. How many common first names can you come up with in five minutes? You know, John, Andrew, Liz, Robert, etc. At most, a hundred.
Now, how many common LAST names can you come up with? Smith, Kennedy, etc. That might be what, 200? So we have just generated a whopping 20,000 combinations; and that probably covers something like 1/4 to 1/2 of the population.
Their list is THIRTY (30) times bigger than that. The question is not, who's on the list, but who is not? And, for bonus points, do they even believe their own BS?
The problem isn't that we don't have a national ID system.
The problem is that lists such as these are useless because the bad guys would not feel compelled to use their real name.
In fact, that is how some of the names end up on this list. Those names are the ALIASES that the bad guys have used in the past.
The "ad-hoc, low-fidelity identifiers" are great for less important uses. The library does not need your SSN, for example.
These lists are "Security Theatre" because they only annoy the law-abiding citizens. They do nothing to stop terrorists.
Just a thought,
Let us assume you are a person who has flown from another country that does not directly border the US and has no sensible means of direct connection to the US other than by air travel.
Let us assume you want to stay in the US, just get your name on the no-fly list then how do they deport you back to your point of origin...
The entire point of a National ID system is that it is _not_ keyed to a name. It is keyed to a unique identifier -- a number -- which is designated by the government, and which the government (a) guarantees to be unique, and (b) certifies for you by issuing you with difficult-to-forge identification. The names on the list don't matter.
Identity guarantees are, or should be, core functions of government. In a civil society, everybody needs a way to prove that they are who they say they are, and that somebody else isn't. If you can't do that, you are not secure in your property or your liberty. The government should be the natural guarantor of identity. If it were, we wouldn't even have this stupid list in the first place. The fact that in the U.S. we informally outsource identity management to the private sector, and don't even bother to police the results, is the root of the problem, not an epiphenomenon.
@Christopher asks: "how is it that a sky marshal can be held off a plane by an airline employee?"
Pilots have absolute authority over their flights. Under U.S. law, a (civilian) pilot could keep the president of the US off his flight if he wanted to. They also are ultimately responsible for anything that happens on their flight including, for example, drug smuggling (assuming the real culprits aren't found). The balance makes sense: ultimate responsibility and full authority.
@David asks about how a person on the list is identified.
Ideally yes, there are a number of different identifiers: name, gender, age, ID number. These are not always available; having only a name is fairly common but sometimes a list has only other identifiers (such as a photo) and not name at all. Then you add the problems of non-Roman alphabets without one-to-one transcription conventions and the names multiply. Then you add incomplete names - am I the same John Smith as that John J Smith? - and the list multiplies out of control.
Which is only one reason why it's such a bad idea. It's not only useless, it's sucking up resources that could be used for something useful.
"(b) certifies for you by issuing you with difficult-to-forge identification."
Anything can be forged. Even assuming forgery is difficult, you still have the problem of valid IDs created inappropriately - staff mistakes, staff bribes, fraudulent "I've lost my ID, I need a new one" claims, whatever. The harder it is perceived to be to get a false document, the harder it will be to undo the damage when a false document IS created.
Try convincing the bank you didn't just sell your house, buy another one, and default on your new mortgage when they've been assured by the government that the ID they used to verify the transactions is unforgeable. Try convincing the FBI you didn't buy tickets for hijackers when your unforgeable ID was shown. Is that really an improvement?
The list of names is not just "terrorist aliases". It is also those who have challenged the current administration in print and other political enemies, people who were once considered terrorists but after winning the Nobel Peace Prize were left on the list, random names of people assumed to be guilty of something, economic criminals, and anyone who complained about bad service by the airlines and/or the TSA. Given name collisions, most of the country is either on the no-fly list or will be soon.
We are ruled by the insane who go unchallenged because we are afraid of what their madness will do to us if we do.
In particular, Nelson Mandela is on the list, as is most of the senior ANC leadership. They were apparently on one of the bad-guy lists that was combined to form the no-fly list, and they still haven't taken it off. Their offense was that the Reagan administration decided that they were Communist terrorists.
"The entire point of a National ID system is that it is _not_ keyed to a name. It is keyed to a unique identifier -- a number -- which is designated by the government, and which the government (a) guarantees to be unique, and (b) certifies for you by issuing you with difficult-to-forge identification."
Yes, I understand that.
The problem is (b). When we have something that "guarantees" that the person holding it is the person they claim to be ... criminals will be all over it.
All it would take is to find someone who processes the applications who has a drug / gambling problem and leverage that to get fake ID. Organized crime would make a HUGE profit on this.
"Identity guarantees are, or should be, core functions of government."
Why? Where is the incentive for the government to do a good job?
"The government should be the natural guarantor of identity."
"The fact that in the U.S. we informally outsource identity management to the private sector, and don't even bother to police the results, is the root of the problem, not an epiphenomenon."
No, the root of the problem is that the government values "Security Theatre" over improving security.
Which is EXACTLY why I do not want the government "guaranteeing" my identity.
I still don't understand what a person on the no-fly list could do?
To determine identity you have to "stamp them when they are small". What about all those who have no real records? We live in the computer age *now*, but we have not lived in it for very long. Before the 1980s much of the records were still on paper. Paper burns. What was not on paper was on magnetic tape. Much of what was on 9-track magnetic tape is no longer readable because people either don't have the tape drives anymore or forgot to preserve the data layouts.
How does an 80 year old woman prove she is a citizen when all the records of her birth were destroyed or lost years ago? What about those who were born in places where records were not kept or were wrong? What about people who believe they have those records and then are told that what they thought was a birth certificate was only a document issued by the hospital and not an "official record"?
BTW, that last one happened to me personally. After having it accepted for 20+ years they started to refuse to accept it because it was not from the proper agency.
If someone has a birth certificate how do they prove that it is actually them? There are no photos. (Not that it would help.) Matching baby prints to adults would be interesting, especially if the adult had lost a limb along the way. People age and change. If I record biometrics for a child, they will not be the same when that child grows into an adult.
When it comes to IDs, we have a faith based system when it comes down to it. We assume at some point that the person's paperwork actually belongs to the original person and not someone switched at birth or forged at an early age to gain the privileges of citizenship. At a certain point you cannot know unless you chipjack everyone and hunt down anyone who has not been chipjacked and you can ensure that the records cannot be altered or destroyed by those with unauthorized access. The larger the population, the harder the problem becomes and the more tyrannical the regime has to become in order to enforce it.
As heinous as biometric IDs and stuff are seen, an ideally simplified system for corroborating that YOU are YOURSELF only would be composed of the following:
a) A UID given to you on birth and expired on your death, and
b) DNA samples and fingerprints tied to your UID and secured inside an as-safe-as-money-can-pay.
Then, when, say, the law enforcement grunts need to verify your identity, you give them your UID and, say, a thumbprint, which has to match with what's on the above named data vault.
If the portable system doesn't see a proper pairing, then you get swabbed and stuff so a CODIS equivalent identifies you as either who you claim to be or maybe as whoever you really are.
Now you have a UID that you can make a list of and couple its entries to specific people regardless of their name, look, age, or whatever, and don't inconvenience me just because my name sounds a lot like an etarra.
Just my 2c.
Damn, I wish I could edit
"as-safe-as-money-can-pay" = "as-safe-as-money-can-pay data access facility"
And to complete, the main point of the system would be that it's not a fully searchable index of all your biometric data, but instead that it can only be used to prove you're there, and that what we have of you is a superset of what you carry on yourself (that way if you get mugged and your ID copied it's not relevant, because other data might be used to uniquely identify you).
"...air marshals, like all travelers, are occasionally misidentified as being on a watch..."
However, unlike FAMs, the rest of us misidentified people do not have magical supervisors who can force the airline to get us on the flight. Or any other flight, for that matter.
Don't put absolute faith in DNA identification. Identical twins do not have identical DNA (as was recently found out). Chimeras can have two or more sets of DNA in their bodies. And, with age, changing circumstances, and lifestyle changes, genes can be switched on or off.
DNA identification is based on reducing the entire genome to a small number of sequences which are known (i.e., assumed) to be constant from birth through old age. This assumption has never been tested.
Now, imagine a 'perfect' DNA identification system, and 20 years later it says you are not the person you were born as. How does this get fixed? Why should some innocents have their citizenship sacrificed just because some ideologues insist every system is perfectible?
To the person who understandably asked whether some identifier other than names might be more accurate... I once testified before the Virginia General Assembly about the use of the Social Security Number in transaction identification. (It has become a de facto national identifier in the United States, despite the fact that it's poorly engineered as an identification number.)
The Delegates asked the representative from the Virginia State Police whether they cared if it was present on the face of the Virginia Driver's License.
I nearly burst out laughing when the rather stern senior police official said, "Nah, we arrested one guy who was using 50 different ones."
At that point, I was enlightened.
... and I have to fly to the US this year again. I'm already looking forward to the security check procedures they have now in place... that's so ridiculous
You don't think that terrorist Ahmed can figure out that if they simply use a name like Bill Johnson or Tom Smith on their fake IDs that they can't get onto a plane ?? LOL
"Don't put absolute faith in DNA identification. Identical twins do not have identical DNA (as was recently found out). Chimeras can have two or more sets of DNA in their bodies." --Roy
And it's possible to make artificial chimeras. For example, I'm a bone marrow* donor. That means that there's a woman out there who will now look like me rather than her (pre-transplant) in a blood-based test. I wouldn't expect anybody to undergo a bone marrow transplant just to avoid identification- there are too many problems for any sane person to consider it seriously- but it could certainly cause problems when it happens for medical reasons.
"And, with age, changing circumstances, and lifestyle changes, genes can be switched on or off."
This isn't an issue. Genes that are switched off don't disappear from the genome any more than appliances that are switched off disappear from your house. That's why it's theoretically possible to make a clone or stem cell from any cell in the body.
*Actually a PBSC transplant, but they're identical from the standpoint of the discussion.
It isn't just Bone Marrow transplants. Blood Transfusions can give the same result, although conventional wisdom is that the effects disappear within fifteen days. However at a recent conference, I was told of a case in Canada (Why is it always Canada? - I bet it's those people from Quebec) where the "wrong" DNA had appeared in a blood test six months after transfusion. It's not my field so I did not ask for references, but this might be an area where research (grants) would be valuable.
Read recently about some false identification using DNA, it appeared that the lab allowed the DNA in question to be adulterated with the DNA they hoped to match. DNA should never be considered unquestionable evidence. It should always be questioned, because as mentioned previously large parts of the whole theory of this identification are not actually proven. Authorities are typically people who enjoy power and narcissistically hate anyone who questions their assumptions.
About the older person who has had records destroyed in the fires tornados and hurricanes during their lives,
Something like this is Bush's excuse for being considered "fit to be president".
Having served in the armed forces in that period, I know that congressmen's privileged sons were treated with corrupt deference by the Pentagon's lackeys. If Bush had showed up at the Alabama National Guard meetings, someone would have remembered him, also there are more records that should have shown his name, not just the personnel files, but the unit's records in that state and many more. I firmly believe that he did desert, in the face of a drugs test on the flight physical. To hear Scott McClellan say that he "didn't take the flight physical because "he" determined it wasn't necessary" is an example of how the military regards orders when the person is flagged as a congressman's precious son. Now he has a trillion dollar hobby war to fill out his "Texas macho" profile with his chickenhawk party. This administration should be held to the law and tried for its many crimes. The listing of half a million Americans in an illegal no fly list is only one of them. We are ruled by criminals right now, no doubt.
With regards to DNA it is actually quite easy to forge the results of a DNA test if you think about it.
The test process is as follows,
1, Lab gets DNA sample.
2, Some part or all of sample is used.
3, The DNA is broken down into pieces by a known method.
4, The parts of the DNA are then multiplied many thousands of times by another known process.
5, The replica pieces of the DNA are then used in a known test to produce the DNA result.
If you think about steps 1-3 do you see any safeguards there?
So if you obtain somebody's DNA and perform steps 1-4 you could end up (literally) with bucketfuls of their DNA pieces.
As you do it by the same known process the lab uses how does the lab tell the difference at step 4 that they are not looking at the results of somebody else doing steps 1-4 instead of real DNA at step 1...
Several years ago I made enquiries of people who use DNA for bio-research; they confirmed that it could well be a problem but that they were not aware of anybody having tried it.
When subsequently making enquiries with people who were involved with using it for identification work their response was somewhat different. It was as though I was a heretic determined to kill the golden goose, they refused to even acknowledge that it was a possibility. When you challenged them as to why you effectively got the old "because I say so" response. When further challenged about if there was any reliable research to back up their view they had nothing to offer.
A couple of years later a biologist in Australia made the same deduction and told an ABC program about it and it caused quite a stir at the time.
However it appears that the question is still unresolved.
So next time you hear somebody going on about "reliable DNA evidence" think "yeah right and now show me real evidence to back up your claim".
I am still looking for research that does back up the argument either way and would be very interested to hear of any and the processes behind the research.
With regards to my post above,
The biologist in Australia is Dr David Berryman.
And he did carry out some tests along with others. If you want a quick overview of what was done have a look at,
I think he also applied for a grant for 99000 AUD to do further research.
Notice that all the comments here are dead certain that air marshal was genuine and the list was at fault. If the list had any validity at all, the airline was absolutely correct in assuming that any terrorist worth being on that list could forge some credentials to bring a gun on board an aircraft.
I'm curious on the spin the TSA puts on this. Any indication that the airline wasn't absolutely right shows how the list's only marginal utility is to harass political opponents and act as security theater in the "look how painful air travel is! it must be so much safer!" sense.
What puzzles me is how those people got jobs as air marshals in the first place. Doesn't the TSA use its own list for its own security checks?
I'm no medical professional, but red blood cells don't contain a nucleus (or mitochondria) once they're out in the blood stream. You couldn't use them for DNA tests regardless of transplants.
>> i know dozens of police officers, from city to federal levels. no one can bar them entry from any place, public or private, to which they are entitled to access.
Baloney. The Constitution of the United States has this bit called the Fourth Amendment.
Exigent circumstances aside, I know of several situations where security has trespassed police and made it stick. We hate doing this -- bad agency relations, retaliation, and serious risk of legal entanglement among the reasons -- but a badge is not a universal access card, nor should it be.
They can always come back with a warrant, although subpoena is the preferred tool in corporate bun fights.
Military facilities are a particular case in point. If the installation commander has closed an area and issued use of force orders, the place for civilian police to argue the point is in front of a judge. Not by attempting to make entry, as this can result in ugliness.
Private homes have special protection under the law. NEVER resist unlawful police entry, just state your objection and call your lawyer.
Aircraft are a whole different category, much like ships and for many of the same reasons. I recall one case where a pilot refused to board a Secret Service agent ...
To those who think that the government should use some other form of ID instead of a name, what about foreigners? They don't have social security numbers? Names are really all they have to go with. The list is a waste of time.
I have the feeling many airline agents are sick of this no-fly-list business too; they have to tell their (mostly innocent) passengers. I can imagine "water cooler" talk about how strictly one can apply this rule to federal officers that are in a better position to argue for abolishing it.
Doesn't anyone remember that this so called no fly list that we are repeatedly told is consistently updated, still has Nelson Mandela on it???
The TSA is the biggest waste of space ever and the current government is going to do nothing about it.
re: those comments about Nelson Mandela being on the watch list: let's not forget that he was a terrorist and did kill people. Admittedly, he was fighting an inhumane and unjust society, and he's unlikely to be much of a risk now, but still.
No-fly list is a nice tool for *real* terrorists. First, perform a statistical analysis of phonebooks, choose a bunch of the most common names and use them as aliases. Send a wave of (already tagged) cannon fodder with forged papers and make sure those common names appear on the No-fly list. The bottom line: the innocent victims won't be terrorised by you, but by state agencies!
The escalating transportation "security" madness is a good reason to get private pilot license... I'm getting one for myself. Walking onto the field, pre-taxi, taxiing, doing run-up and taking off takes all of 15 minutes. No thugs with guns and leaden stares of power-crazed morons are involved.
Up to 500-600 miles flying basic Cessna 172 is faster than flying commercial jet if you factor in time wasted at the airports, and costs about as much as a first-class ticket (it can carry three passengers, too). Flying clubs rent them for $110-$150/hr Hobbs (time of engine running), flying 600 statutory miles takes about 5 hrs. There are cheaper A/Cs to rent, too.
My god, terrorist is a funny tag. You can stick it to practically everyone, it will be there forever, but you can get rid of it if you simply rename yourself, governments act in total panic...
...all this talk is hilarious...
It's really time that the US regains consciousness from this nightmare it's sleeping in.
Then maybe all their vassal states (Germany, UK etc.) regain their sanity as well...
@christopher: "how is it that a sky marshal can be held off a plane by an airline employee?"
Says the pilot to the marshal: "If you board the plane, I won't."
> I'm no medical professional,
In that case, perhaps you'd be interested to learn that there is more to blood than just red blood cells.
> His final point, made with the help of
> an iPod, was that if we can fit 20,000
> songs into this tiny thing, maybe we
> can figure out some slightly more
> accurate way of keeping terrorists off
> of airplanes.
Wait... Wait... I think I know this one...
I got it! If the passenger is lighter than a fully loaded iPod, he's a witch!
It's true that red blood cells (and platelets) don't have DNA. White cells do, though, and marrow transplants replace all of your blood cells, red, platelets, and white. That's how they can do blood-based DNA tests in the first place.
With proper security, maybe everyone should be no-fly by default and would need to be on the "fly list".. :-)
I love Boston Legal too, but how can you watch a whole episode and not have heard it's "Denny Crane!" "Denny Crane!" "Denny Crane!" ;-)
The point is... If the Air Marshals can't get off the list, who can?
I know one who is on the list and travels by his middle name now to avoid getting hassled.
Couldn't a terrorist do the same?