Schneier on Security
A blog covering security and security technology.
« The Skein Hash Function |
| Movie-Plot Threat: Terrorists Using Twitter »
October 29, 2008
Item 1: Kip Hawley says that the TSA may reduce size restrictions on liquids. You'll still have to take them out of your bag, but they can be larger than three ounces. The reasons -- so he states -- are that technologies are getting better, not that the threat is reduced.
I'm skeptical, of course. But read his post; it's interesting.
Item 2: Hawley responded to my response to his blog post about an article about me in The Atlantic.
Item 3: The Atlantic is holding a contest, based on Hawley's comment that the TSA is basically there to catch stupid terrorists:
And so, a contest: How would the Hawley Principle of Federally-Endorsed Mediocrity apply to other government endeavors?
Not the same as my movie-plot threat contest, but fun all the same.
Item 4: What would the TSA make of this?
Posted on October 29, 2008 at 2:27 PM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
They say they'll be able to detect threat from non-threat liquids with their "Advanced Technology XT" xray machine? Yes, it can tell densities. Are you telling me the terrorists aren't smart enough to figure out an explosive with the desnsity of water?
Maybe its just an effort to keep the illicit liquors out of the concourse so we have to pay their high dollar for our whiskey!
Airports have very different sets of technologies available; the perhaps reasonable idea that detection technologies can influence what's allowed on-board just doesn't apply unless those rules vary based on what's true at the point where someone goes through the security line. (And No, that's not a great line of demarcation, either, but at least it's a starting point.)
Not that terrorists would ever use a smaller airport in Maine, say, compared to LAX, or (since the world is probably the oyster of anyone who truly wants to bring down a plane, for now and the reasonably forseeable future) Berlin, Moscow, Seoul ...
Just curious, will the TSA stop you from bringing ice through security?
Of course this is not in response to "diminished threat". The threat cannot be less than zero.
I would be far more interested in Kip Hawley telling us exactly how many actual terrorists his organisation had detected, arrested, prosecuted, found guilty and were currently serving time in jail.
We could all then divide that number into the cost of the TSA and determine value for money.
And no, scaring them away doesn't count. If the threat is real, the threat must be eliminated, not diverted.
The "Out-Lame the TSA" contest is like shooting fish on the floor... oh, yeah, that's what they're doing...
Sometimes I think that the TSA gets a bad rap. It's an airline industry thing - it's unbelievable how safe airline flying is. They moved past worrying about known problems many years ago, and now they actively plan to avoid movie plot safety issues. Now they look at terrorism as just another safety issue, and do their best to treat it the same way. Of course, it won't work, but looking at it this way helps make a little more sense of what they do
When I first read the line
"the TSA may reduce size restrictions on liquids."
I was confused.
At first glance it sounds like the liquids would have to be less than three ounces to an even greater extent.
You can't divide by zero. You can be pretty sure the number is zero else we would have heard about it since the government proudly trumpets even the most minor 'success.'
At least they stopped the guy with a home-made battery pack for his portable DVD player though!
No-one seems to have remarked on how striking it is that they're engaging in open dialogue about their policies in blogs. That's not usual. And it's very much not usual about agencies whose policies seem not very well advised.
Am I the only one to find it striking?
I don't care if it's striking or not how and whether they publically discuss their totally ineffective policies. When are they going to fix the policies?
(And by "fix" I mean "eliminate".)
How would the Hawley Principle of Federally-Endorsed Mediocrity apply to other government endeavors?
I think a look at our Election System says it all.
@Paul Crowley: No-one seems to have remarked on how striking it is that they're engaging in open dialogue about their policies in blogs. That's not usual. And it's very much not usual about agencies whose policies seem not very well advised. Am I the only one to find it striking?
I have wondered about that myself, having spent some time reading the TSA's blog. The dialogue is pretty open and free-wheeling, and (as far as I can tell) only very lightly moderated. The TSA officials of course ignore the substantive questions, which means they get continually repeated. But it's still amazingly frank for an administration obsessed with concealing everything it does behind a black "national security" curtain, but has made no secret of having Zero Tolerance for any sort of criticism.
It's obvious that the TSA has a severe credibility and public relations problem (entirely of its own making), and the blog seems to be a way to put a human face on a reviled agency and perhaps enhance its standing. The fact that the TSA's official posts often contain blatantly bogus and condescending spin, and that they consistently ignore or deflect the questions and suggestions they claim to solicit, suggests that the blog is as much a failure as anything else the TSA has done. But I do have to give them half a mark for at least giving the appearance of interest in improving their public relations.
But on second thought, perhaps the blog (and the apparent openness) is a form of psychological warfare against a domestic enemy (i.e., the unappreciative and skeptical public) that they consider as threatening as al-Qaeda. Soliciting public comments and criticism is a way to know what the domestic enemy is thinking, and thereby devise better approaches to spinning their official message more effectively. So the blog and Kip's apparent willingness to discuss their policies are just another way to mislead the domestic enemy with smoke and mirrors.
It may also be that they intend the blog as a kind of "designated protest zone," where the domestic enemy feel free to rant and rave at each other in a safe place where nobody will hear them. Having safely spent their bile and vinegar, they'll be more docile when they get to the airport. If that's giving them too much credit, maybe they just enjoy seeing the enemy get angry (just as they do at airports). Toss 'em some official bovine excrement, then sit back and watch the show as they tear it apart (and hopefully devour each other in the process).
Well, it's weird. Actually, the whole blog is weird, note eg the "delete-o-meter"; I'm sure it's not a first but it's not usual either, and that suggests there's someone smart driving this openness process. But it still seems pretty much impossible to believe that the policies are smartly chosen. So what's going on there?
Information theory states that the least expected events carry the most information. This is unexpected. Though, of course, information theory makes no promises that such events bear on what you care about, it doesn't seem implausible that understanding what's going on here might be useful in effecting change.
Your viewpoint is didactic and if followed to it's logical conclusion one should remove all forms of security mechasims -- because all of them are flawed in more than one way - clearly something you are not advocating.
So in the context of liquid rules -- which I personaly dislike - Can't you see (any)logic behind illogical rules?
I still think a far more effective strike would be to ignore the security screen altogether and, instead, to drive your bomb-laden vehicles into the terminal on the *outside* of security. Have you seen O'Hare at 6am on a weekday? It's packed. There must be 2,000 people milling about, checking bags, waiting in line, etc.
I read on the blog where it explains the reason you sometimes hear 3.4 oz of volume verses 3 oz of volume are allowed (how the message needed to be consistent with Europe and so they say 3 oz, i.e. 100 ml, but allow up to 3.4 oz). However, what it doesn't talk about is that for containers in the US the oz on the container is quite often weight, not volume. In the English system of measurement, the word ounce is used for both volume and weight but they are not equal (something that weighs 3.4 ounces can have a volume much more and much less than 3.4 ounces of volume).
I fly on business at least every other week and I routinely carry shaving gel that has 4.0 ounces net weight on the can. When security checks the container, they look for a number. From what I can tell, they have no clue that 3.4 ounces net weight has nothing to do with 3.4 ounces of volume. One of these days I'm going to be questioned about it and then we'll see if they know the difference. I'll let you know what happens (who knows, maybe I'll make the national news).
The last item is just the Xmas prezzi for a down at heal Bond girl.
> Item 4: What would the TSA make of [an expensive new high-heel shoe in which the heel looks like a small semiautomatic pistol]?
I don't know about the TSA's policy, but in some jurisdictions in Australia, realistic replicas are controlled the same as firearms. The reasoning is pretty obvious, if not entirely sound.
I wouldn't call that a "realistic replica"
> I wouldn't call that a "realistic replica"
Yeah, but in the states that restrict them in Australia, you don't get to say; the Commissioner of Police does. The usual standard is supposedly "ANY possibility of being mistaken for a real firearm" (my emphasis.) Persons concerned about whether an article might be considered a replica firearm, are officially advised to take the article to a police station, so that it can be submitted to Ballistics Section for an expert opinion. I kid ye not.
x-rays are going to be used to work out the chemical composition of the liquids at a distance (without opening the bottle) rather than a density. So water will look like water and bad stuff will show up as molecules it's made of.
@Keith: "Of course this is not in response to "diminished threat". The threat cannot be less than zero."
If you think the threat is zero, then your IQ can't be much higher than that. You'd probably be the first person to screech about how it should have been stopped if a threat (that you say doesn't exist) is materialized.
I think the threats are exaggerated to, but to say they don't exist is incredibly foolish.
@skip: I think the threats are exaggerated to, but to say they don't exist is incredibly foolish.
I'm sure the threat is real. The question is whether it's sufficient to justify the cost (in dollars and inconvenience) of the measures they've instituted in reaction to it (and also whether those measures effectively reduce the threat). The TSA's only response to the question is the usual "it's classified, so trust us."
@George: "I'm sure the threat is real. The question is whether it's sufficient to justify the cost (in dollars and inconvenience) of the measures they've instituted in reaction to it (and also whether those measures effectively reduce the threat). The TSA's only response to the question is the usual "it's classified, so trust us." "
I agree with that. I think they spend too much and accomplish too little. I work in government, so in a way I understand the "classified" problem since it is a very tough balance between the need for transparency with the need to keep information out of the wrong people's hands.
But I do agree with you. I wasn't taking issue with the belief that we exaggerate or spend too much on the wrong threats. But I was taking issue with Keith's downplaying of them--"zero threat" is an even more foolish understatement than some of the measures are overstatements.
I think the Hawley Mediocrity Principle might have been originated by the lobbyists who take an interest in the funding of the IRS. Catch the small-time, stupid tax cheats, and let the big ones help write the code.
If only the xrays could figure out the density of the terrorists instead of liquids they carry.
But how will this xray distinguish dense terrorists from ordinary dense people ? It could end up making it very difficult to be stupid...
Actually. Forget I said anything. Carry on.
@skip:I work in government, so in a way I understand the "classified" problem since it is a very tough balance between the need for transparency with the need to keep information out of the wrong people's hands.
Yes, it's a tough balance. The problem here is that the Bush administration has done away with that balance. They believe that anything they decide is relevant to "national security" (which is practically everything they do) belongs behind locked doors in undisclosed locations. Their concept of "transparency" is that if they think we need to know something they'll go on Fox News and tell us the Official Party Line. Anyone who questions or doubts it, or who asks for more information, is obviously a Liberal Who Hates America.
While there's clearly a genuine justification for keeping truly sensitive information "out of the wrong people's hands," the Bush administration's obsessive fetish about classifying everything in sight can only suggest that they're mainly interested in shielding their own incompetence and abuses of power from scrutiny. They of course fail to realize that this strategy ultimately undermines genuine national security because it obstructs legitimate cost-benefit analysis.
In the case of the TSA, many people who endure the screening process can see for themselves what clearly appears pointless and unduly burdensome. But Homeland Security officials invariably respond to legitimate questions about value and cost-effectiveness with "If you knew what we know you'd surely agree that everything we do is a necessary, appropriate, and effective response to threats we all need to be very very afraid of. But all that information is classified intelligence that would aid the enemy if we released any of it. So you'll have to accept on faith and trust us that it's all necessary, appropriate, and effective." Despite the best efforts of the Bush administration, Americans still consider themselves to be a free people. So that kind of stonewalling behind "national security" is most likely to make the public distrust and despise the TSA based on what they know and observe. And that's exactly what we have, to the point where every statement that Kip and Chertoff make will be ridiculed no matter how much they exhort us to trust them (and to be very very afraid).
That can't be good for national security. I suspect even Kip realizes that the TSA can be most effective if the traveling public has confidence in it and is eager to cooperate in what should be the common goal of preventing terrorist attacks on aviation. But I also suspect that as a loyal Bush appointee, he's constrained by the obsessive secrecy of his bosses and thus can only repeat the Official Party Line about threats, layers, and fear.
Totally ineffective policy, if liquid is really a major threat then they should restrict all liquid. How did they figure that three ounces is not a threat but four ounces is a threat? This is hypocrisy, when the TSA will take away liquid bottle from a kid and throw it away and when inside the terminal charge you 10 times more for the same bottle. This seems to be an effective policy to make money but pretty ineffective as far as security is concern.
Why doesn't the TSA just change their name to the Keystone Gestapo and have done?
If the US government has anybody with either the brains or the right attitude to catch real terrorists, it isn't the TSA (and the government is to be congratulated on successfully keeping the real anti-terror agency a complete secret, up to now at least).
"Standard X-Ray is deployed everywhere and can effectively identify the presence of liquids and their containers. It is not reliable in differentiating all threat liquids from non-threat liquids. It is effective in the 3-1-1 environment by identifying whether there are liquids hidden in a bag – thus it is useful as a compliance tool."
So in other words, I can stuff 1 quart of 3 oz bottles of , and if I take it out of my bag and put it in a ziploc baggie, so they can see it's in a bottle marked "Shampoo", that's perfectly acceptable?
New 2009 TSA Rules: You can now carry on liquids up to 3.4 oz.
It's about time! A common worldwide package size for toiletries is 100ml, which translates to 3.38 oz (NOT 3.0 oz). Finally, the TSA caught up with the rest of the world.
The official TSA web site with new 2009 3.4 oz liquid carry on rules: http://www.tsa.gov/311/index.shtm
The following TSA article clarifies that as of 2009, liquids up to 3.4 oz are allowed to be carried on all USA planes and how the TSA 3.4 oz / 3.0 oz. liquid policy confusion happened:
We manufacture a very popular men's grooming line of shaving, skin and hair products (http://www.men-uusa.com) that is 3.38 oz and we've been explaining to our customers that they can carry on these products. The TSA has not done a very good job communicating this 2009 change allowing 3.4 oz liquids in carry on luggage.
@ Shave man,
Your link to the TSA "blog" what a load of "13U11 5H1T" from "TSA BOB".
To quote from it,
"When TSA rolled out 3-1-1, the European Union was not on board yet."
That's the usual US / UK Governmental excuse "Blaim the European's" we even use it in Britain, and guess what we're supposed to be part of Europe (but not quite)...
Back to TSA BOB's comment above, guess what like all the best sounding sound bites it's actually not true when you investigate.
If you look at the history you will find 3-1-1 was a rush job due to a significant pasanger backlash via the airlines and the US Government was putting out mixed and confusing messages (they still where even after 3-1-1). When the US Gov in all it's bit's got it's act together Europe had given up on it.
What you need to remember is that the EU did not have a liquid ban like the rest of the world, it was just the US and UK who insisted that EU airports with flights into their air space had to ban liquids...
Which gives rise to TSA BOB's next little sound bite,
"When the EU decided to lift the ban and allow liquids to travel, the amount permitted was 100ml."
Again this is actually not true people where quite happily flying around the EU and the rest of the world with the same amount of liquids they always had.
US personel flown into some EU airports where implementing the partial ban on liquids on flights that at some point went into US airspace in 3 ounce (not fluid ounce) lots.
With regards flights into US/UK air space Europe took a pragmatic view on what are international standards that even the US have signed up to and picked 100ml which is a volumetric measure appropriate to containers.
3 ounce is actually a measure of weight (mass in an assumed constant gravity) "fluid ounce" is a conversion bassed on the volume of a "selected liquid" that has that weight...
TSA BOB goes on to say,
"Well, as those of you who like me had to learn metric conversion in grade school, youmight remember that 100ml = 3.4oz. not 3 oz."
For those who care to check BOB's grade school was wrong (by the way this idiocy has caused aircraft to run out of fuel in flight so there is no excuse for it).
TSA BOB's starting to get it right,
"In order to align with the EU, we decided to allow liquids in containers up to 3.4oz."
But "god forbid" the mighty US Gov would admit it had got things wrong so another TSA BOB sound bite,
"We also decided to keep our signage the same to maintain consistency."
Oh and when in doubt throw in the usual "Marketing" excuse,
"(Besides, 3.4-1-1 just doesn’t have the same ring to it.)
From a marketing perspective, 3 ounces was easier to remember than 3.4... ...So, behind the scenes, we’ve been allowing up to 3.4 ounces, but it hasn’t been reflected on the web or in signage."
And hav'nt all you traveling public just loved this inconsistancy. Like so many TSA rules it is compleatly arbitary and down to TSA personel to decide on the spot...
Guess what and now so many of the "traveling public" have made complaint about arbitary TSA rulings, the TSA have had to come clean as TSA BOB admit's,
"We’ve read your concerns here on the blog, so from now on, we’ll use 3.4 on the blog when talking about liquid limits, and also make changes (as soon as possible) to the TSA web site. I worked with Lynn on this and she has crafted a new response for the contact center to use when communicating with the public. We are also going to send a message to the workforce as a reminder."
Ah and now for a classic bit of "Double Speak" from TSA BOB,
"Some people have asked why we don’t convert the net weight of the toothpaste to volume since they are different. Good question. The 3.4 container/volume rule was created to make it simple and streamlined for both passengers and our officers."
So TSA BOB uses 3.4oz (a measure of weight) and surupticiously converts it to a volume (3.4 fl oz) by leaving the unit of measure off... Why does TSA BOB not be honest and say "we only read what's written on the container".
And so onto TSA BOB's admission that TSA workers cannot even manage to do what the most junior of shop workers can do,
"As you could imagine, taking weight into consideration would be a wrench in the spokes."
And then blaiming guess who... YOU with,
"I’m sure the public doesn’t want our officers using scales or conversion charts, etc."
So there we have it folks TSA BOB has admited it's all for marketing and TSA staff are less capable than the least qualified shop worker...
But then we guessed this all along, but still it's nice to have it "from the horses mouth" (or have I got it the wrong way around?).
My toothpaste, weighing 5.2 ounces, was just confiscated by the TSA because the officer felt it violated the volume rules. We spoke with three supervisors before we found one that knew the difference between volume and weight. He acknowledged that I was correct but went on to say that because the officer felt it was a violation, he had to support her.
The fact that the officer and two of the supervisors did not understand the difference between weight and volume was very disconcerting.
Just to chime in with another experience, a TSA screener this morning repeatedly threatened to prohibit me from flying because I explained to him the difference between weight and volume (of, yes, toothpaste). Apparently they're still not teaching these petty bullies the most basic facts before setting them loose on the flying public.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.