Schneier on Security
A blog covering security and security technology.
January 6, 2009
Kip Hawley Is Starting to Sound Like Me
"In the hurly-burly and the infinite variety of travel, you can end up with nonsensical results in which the T.S.A. person says, 'Well, I'm just following the rules,'" Mr. Hawley said. "But if you have an enemy who is going to study your technology and your process, and if you have something they can figure out a way to get around, and they're always figuring, then you have designed in a vulnerability."
Posted on January 6, 2009 at 5:51 AM
• 32 Comments
Makes you wonder what Kip could accomplish if he wasn't roped into the TSA's mission statement.
Maybe he was finally able to take the time to learn about security. Too bad it's so close to the end of his tenure.
Was he a political appointment? Is there any other qualification for the job than to have worked on a successful campaign?
The current administration was big on outsourcing. They believe Gov't employees should only manage the contracts that authorize the work. They've destroyed the "professional federal" class of employee and ridiculed the idea that civil servants are anything but lazy second or third raters.
Maybe it is a quote from you, Bruce, and the press is getting you and Kip confused with each other.
My favorite Kip quote was the last one:
"And our own rigidity can itself be a vulnerability."
Off-topic: Freedom to Tinker has their review of their predictions for 2008 up - there was an interesting point about election security.
Felten: "The problems that did occur tended to be ignored because the presidential election wasn't close."
So, you're saying that to hijack an election safely, you need lots of small attacks that cause the total vote to not be close. I guess that means you think not-close elections are more likely to have been manipulated?
Rigid rules (and the unthinking drones who follow them) are a bitch, eh?
What Kip "If you know what I know" Hawley sounding like Bruce "Chuck" Schneier...
He must want to keep his job or something...
Seriously though the TSA as seen through many commentators' eyes is failing and/or expensive.
I feel sorry for the President Elect after all when "the elephant in the room" has a heart attack what do you do...
Re-sus only goes so far, and if you let it die. Then what do you do let it stink the place up or carve it into chunks and push the bits into other people's rooms?
Someone who is thinking and taking initiative will always be more effective than someone who just follows rules, no matter how good the rules are. Rules take time to formulate and distribute, and as such are always reactive, and therefore will not really protect against new threats.
@Clive Robinson: The white elephant didn't get elected, so we don't need to worry so much about the heart attack... the brown donkey got in!
Oops, I'd forgotten about the US "Political animals"
In England "Elephant in the room" is used to indicate it's a subject everybody is painfully aware of but nobody is willing to talk about out of politeness (and no we use "more tea vicar" for that one ;)
Speaking of Elephants I was once told that on coming to the U.S.A by boat the "lady with the Torch" (anybody know the French name) is not the first thing you would see,
No the first is a building in the shape of an Elephant that was a house of "moral turpitude"...
And every time I came to the US after that and filled in the immigration card the thought made me smile. And in my head I would hear words once said in a movie "Son, it pays to advertise, hang your shingle above your door".
Some people only learn from the hard lessons. ;-7
TSA Officials And JetBlue Pay $240,000 To Settle Discrimination Charges
Resident Was Kept Off Plane For Shirt With Arabic Writing
FOR IMMEDIATE RELEASE
January 5, 2009
CONTACT: Rachel Myers, (212) 549-2689 or 2666; firstname.lastname@example.org
NEW YORK – In a victory for constitutional rights, two Transportation Security Authority (TSA) officials and JetBlue Airways have paid Raed Jarrar $240,000 to settle charges that they illegally discriminated against the U.S. resident based on his ethnicity and the Arabic writing on his t-shirt. TSA and JetBlue officials prevented Jarrar from boarding his August 2006 flight at New York’s John F. Kennedy Airport until he agreed to cover his shirt, which read "We Will Not Be Silent" in English and Arabic, and then forced him to sit at the back of the plane. The American Civil Liberties Union and the New York Civil Liberties Union filed a federal civil rights lawsuit on Jarrar’s behalf in August 2007.
"The outcome of this case is a victory for free speech and a blow to the discriminatory practice of racial profiling," said Aden Fine, senior staff attorney with the ACLU First Amendment Working Group and lead attorney on the case. "This settlement should send a clear message to all TSA officials and airlines that they cannot discriminate against passengers based on their race or the ethnic content of their speech."
On August 12, 2006, Jarrar was waiting to board a JetBlue flight from New York to his home in Oakland, California, when he was approached by two TSA officials. One of them told Jarrar that he needed to remove his shirt because other passengers were not comfortable with the Arabic script, telling him that wearing a shirt with Arabic writing on it to an airport was like “wearing a t-shirt at a bank stating, ‘I am a robber.’”
Jarrar asserted his First Amendment right to wear the shirt, but eventually relented to the pressure from the TSA officials and two JetBlue officials who surrounded Jarrar in the gate area and made it clear to him that he would not be able to get on the plane until he covered up his shirt. Terrified about what they would do to him, Jarrar reluctantly covered up his shirt with a new t-shirt purchased for him by JetBlue. The lawsuit later revealed that JetBlue and the TSA officials did not consider Jarrar to be a security threat. Nevertheless, even after he put the new shirt on, Jarrar was allowed to board the plane only after JetBlue changed his seat from the front of the plane to the very back.
"All people in this country have the right to be free of discrimination and to express their own opinions," said Jarrar, who is currently employed with the American Friends Service Committee, an organization committed to peace and social justice. "With this outcome, I am hopeful that TSA and airlines officials will think twice before practicing illegal discrimination and that other travelers will be spared the treatment I endured."
"As last week's refusal by AirTran Airways to allow a Muslim family that posed no security risk to fly shows, what happened to Mr. Jarrar is not an isolated incident," said Reggie Shuford, senior staff attorney with the ACLU Racial Justice Program. "Transportation officials have the important responsibility of ensuring that all flights are safe, but there is no reason that safety can't be achieved while at the same time upholding the civil rights and liberties of all airline passengers. We hope this lawsuit and its successful result will serve as a powerful reminder that discrimination is against the law."
TSA and JetBlue agreed to settle the case for $240,000 late last month and delivered the settlement to Jarrar on Friday.
In addition to Fine, attorneys in this case are Nusrat Choudhury of the ACLU Racial Justice Program and Palyn Hung of the NYCLU.
Raed Jarrar is available to speak with members of the press.
More information about the case, including a video featuring Jarrar, is online at: www.aclu.org/wewillnotbesilent
@: "Kip Hawley Is Starting to Sound Like Me"
Both are smart men, and I don't think Hawley and Schneier were ever as different as most thought. They look at the same thing from different perspectives.
The world may never know, but I suspect that if Schneier were in Hawley's shoes, we may be surprised at how much like Hawley he would sound.
All I'm prepared to grant is that he's figured out that saying that sort of thing plays well with the crowd. When the TSA's actions reflect that thinking, that'll be another matter.
I'm still trying to parse the last paragraph into a coherent idea:
“These are not dark, shadowy forces,” he said. “They are named individuals, with cells and know-how and training camps and active plot lines. We’re in an everyday multiple-stream world. And our own rigidity can itself be a vulnerability.”
alien vs. predator
Ahab vs. white whale
Luke vs. Darth
Bruce vs. Kip
Bruce, are you trying to take credit for someone you agree with?
This quote actually sounds to me more like Texas Tech football coach Mike Leach.
Perhaps at this point Kip feels he can get away with some thoughtful analysis rather than the mindless obeisance expected of a Bush appointee. Much of the TSA's problems reflect the incompetence and arrogance of the Bush administration that created it. An administration that emphasizes effectiveness rather than mindless loyalty, and that respects the rule of law, may well implement a better TSA.
Hawley sidesteps the point that following a stupid rule blindly, forbidding any exceptions, is still stupid, and not only does it not make us any safer, it makes us less safe. Stupidity is undermining our security and should be ruthlessly purged. Spending resources on something stupid is stealing resources from things that would be smart, which means any such policy is a designed-in vulnerability.
More interesting to me was this quote from the article:
Congress and the news media regularly set up howls on those occasions when some reporter sneaks a box cutter through security. But no security expert today believes — given reinforced cockpit doors and vigilant passengers ready to pounce — that an airliner might ever again be hijacked by some deluded soul armed with a box cutter.
Box cutters and lots of other things are still prohibited contraband, **of course**. [Emphasis added.]
In other words, we're still at the stage where "of course" we have to ban things that cannot be used to hijack an airplane. Bottles of water, too, are still banned, "of course."
The presidential election wasn't close, but there were thousands and thousands of elections conducted in November. The senate election in Minnesota was very close (225 votes out of 2.9 million) and I bet that a lot of local mayors and whatnot were even closer.
Perhaps the presidential election is more important to the nation as a whole, but the mayor is pretty important on a local level and any problems in *any* election (federal/state/local) should be addressed.
"Stupidity is undermining our security and should be ruthlessly purged."
Too true. America is a country of innovation, and so a rise in stupidity (or a decline in education) will in fact completely undermine its security in more ways than one. Not sure if I agree with the "ruthlessly purged" sentiment, but something should be done to ensure education is treated as a serious security issue.
@Bruce: Given Hawley's performance to date, it seems far more plausible that that *is* you, wearing a Mission Impossible-style latex mask. What, sir, have you done with Kip Hawley?
On second thought, I don't think I care. Carry on.
"In other words, we're still at the stage where "of course" we have to ban things that cannot be used to hijack an airplane. Bottles of water, too, are still banned, "of course.""
Bingo. And no one understands how those are failures of the security process.
They are dangerous and the people carrying them need to be treated as terrorists ...
They are no threat and should be allowed on board.
They recently allowed butane lighters back on board flights. But only because it was costing the TSA too much to legally dispose of all the captured lighters it had collected.
Hawley is an idiot.
So the inconsistent, irrational, arbitrary, nonsensical incompetence of the TSA isn't a bug; it's a _feature_.
Oh, dear Bog. Homeland Security has been out-sourced to Microsoft.
I'll be the first to agree that there's too much broad, vague, repetitive political rhetoric on this blog, most of it about George W. Bush. Actually, "rhetoric" may be too kind, since much of it is more like posturing. When you have to read all the comments here, it gets old pretty fast.
There are also at least two people on this thread who tend to repeatedly push threads a little further toward politics; I wish they'd both refrain from doing that.
That said, George's original comment is at least on-topic. Predictably, attacking him for it produced an immediate swerve toward pure politics. I'm going to roll back that digression. If someone wants to make a substantive response to the original message--keeping it relevant to TSA and airport security--that would be OK.
"...it seems far more plausible that that *is* you, wearing a Mission Impossible-style latex mask."
Supporting this theory, Bruce was quoted yesterday as saying that Kip Hawley was "doing the best job he could with the bad hand he was dealt."
Perhaps they've switched?
Someone needs to out Bruce's Moderator.
We all want to know who is the (wo)man in charge of sweeping up the litter around here.
@ George, Moderator,
"... An administration that emphasizes effectiveness rather than mindless loyalty, and that respects the rule of law, may well implement a better TSA."
Irrespective of the hows and whys of the TSA and DHS etc coming into existence, they exist.
As a percentage of GDP the budgets of these and other post 9/11 organisations cannot be supported without causing further harm to the US. This makes it a National Security issue on more than one front, so it needs to be addressed as a matter of urgency.
Border security is not something that can be left to the private sector or paid for by either the transport companies or their customers as an increase in fares. As this would deter the flow of people and trade across the border which would likewise be detrimental to the long-term national security of the US.
As has been noted in the past security has no ROI it's all sunk costs and normally that would dictate it should be cost minimised. However to be effective security cannot be "efficient" in the broad "shareholder value" "cost minimised" sense, that would ensure it is nothing but "theater".
One of the reasons the TSA comes in for so much bad press is it is an easy target. Its mission is effectively impossible to carry out at any level of reliability due to the weight of numbers. And it is intimately in contact with the public when they are engaged in what traditionally has been a fraught and stressful activity.
Therefore it could easily and incorrectly be argued that it should be got rid of or down graded to a token organisation.
The question that nobody is really asking is "what is effective" as far as these organisations are concerned?
Most have responsibilities / mandates that are excessively broad. However cutting back an organisation's mandate, especially one which is politically charged, is going to be extremely difficult.
With regards the TSA and the law actually a lot of what they are accused of doing was actually happening in one way or another prior to the TSA's existence, and no doubt will continue. The solution I suspect is simply going to be a change in legislation not in what is done.
Some years ago now I posted to this blog about the likely outcomes of excessive expenditure on "watching the people" in both open and closed societies from the historical perspective. And I noted back then that in a closed society the costs tended to rise to the point where it brought about abrupt political change, and in an open society the costs tended to normally decline only rising due to specific events to decay away again (saw tooth behaviour).
The US UK and some other countries are at a crucial point where political imperative is still trying to drive expenditure up but the will of the people is starting to turn as they can see it is hurting them.
However crucially two things have changed from past occurrences of this type. Firstly for what are ostensibly Orwellian reasons governments have chosen to "talk up" the events and they have developed a life of their own. And secondly the effective cost of technology is being driven down by demand limiting the overall rise in cost.
These two aspects are allowing what are considered open societies to behave like closed societies.
Like it or not there are questions that people need to be asking and answering before things progress too far and the issues develop sufficient weight that the cost of stopping them progressing is too great.
Unfortunately this is a political issue (not party political) and like the more minor issue of the credit crunch it needs to be addressed quickly.
But the questions must come before the actions otherwise it will only be by luck we get it right.
Unfortunately the questions are not being asked due to the fact we don't know what we should be asking. And we are effectively prevented from working them out due to the political "talk up".
Therefore we are "sleep walking into a situation" that will soon be beyond reasonable control of politicians and society.
If this happens then history gives little guidance on the likely outcome being anything other than one involving the sort of abrupt political change usually caused by civil unrest.
Therefore we should encourage politicians not to "talk up" the situation and start a reasoned debate to try and formulate the questions that need to be asked. Then hopefully we can move forward not backward.
@ Clive Robinson: "Irrespective of the hows and whys of the TSA and DHS etc coming into existence, they exist."
Indeed. And had they been implemented thoughtfully, with oversight, accountability, and respect for civil liberties, they may well have improved America's security. But as we well know, they were implemented sloppily and incompetently, without oversight or accountability, and with the belief that civil liberties were a vulnerability that needed to be eliminated. The result is damage not only to America's security, but to the very things that define "America."
The stated goal of the DHS was to unify and coordinate the disparate agencies involved in various aspects of "homeland security." It was supposed to end the turf battles that hampered effectiveness and promote communication and sharing of information and resources. Not only didn't that happen, we ended up with an even bigger, more uncoordinated mess with more bureaucracy and larger turf battles. And the lack of accountability and oversight, along with appointees chosen for loyalty rather than competence (e.g., "you're doing a heck of a job, Brownie") only encouraged the mess and snarled communication, and probably harmed security significantly. The idea of unifying and coordinating the agencies may have been a good one, but (unavoidable political comment) the Bush administration thoroughly farkled it to the detriment of security.
"With regards the TSA and the law actually a lot of what they are accused of doing was actually happening in one way or another prior to the TSA's existence, and no doubt will continue. The solution I suspect is simply going to be a change in legislation not in what is done."
The TSA's basic approach to security is exactly what existed on 9/10/2001. The only difference is that the minimum-wage private flunkies have been replaced by government employees wearing spiffy uniforms and barking orders at the unruly crowds of passenger/prisoners. And those employees (inconsistently) implement a patchwork of vaguely-defined rules and procedures always intended to react to past publicized failures and breaches. The "improved" airport security screening is undeniably more inconvenient and costly (in terms of civil liberties as well as dollars); and audits and testing consistently show that it's highly ineffective (even though Kip insists that we believe otherwise "because he said so"). But underneath all the new hassles, it's the very same system that failed on 9/11/2001.
The TSA may be successful at convincing members of the traveling public that the government is reacting to 9/11. Presumably many people actually believe that if the "security theater" is intrusive and inconvenient enough it surely MUST be effective. A cynic might suggest that the TSA has had some success in acclimating Americans to meekly submitting themselves and their belongings to search and seizure upon the request of any uniformed official who invokes "9/11." But there's absolutely no reason to believe that any of it actually makes aviation safer, or particularly that we're actually getting something useful for what it's costing us (in civil liberties as well as dollars). Just because Kip or Chertoff repeatedly insist that it's effective (while urging us to "think about 9/11" and be afraid) doesn't make it so.
Getting back to the unavoidable political commentary, the Bush administration has done everything possible to avoid and discourage questions about the cost-effectiveness, value, and effectiveness of what they're doing in the name of "security." The answer is always "remember 9/11-- we're protecting the Homeland from enemies who are trying to kill us!" To me that can only suggest that someone is quite aware that it's a useless waste of money, but they're duty-bound to prevent anyone from actually noticing that. Fear does nothing to improve security, and most likely only damages security.
So indeed, DHS and TSA are here to stay. And they can add value to our nation's security when they're part of an administration that is sensitive to matters of cost-effectiveness and civil liberties, and that values oversight and constructive criticism as essential to improvement rather than as an "unpatriotic" threat to be smothered with fear and lies.
"when "the elephant in the room" has a heart attack what do you do"
When my freezer died one summer, I had 200 lbs of meat that were going to spoil.
Invite the neighbors over and Barbecue
@ Old Guy:
Alien vs. Predator: "HISSSSSS."
Ahab vs. White Whale: "To the last, I shall grapple with thee."
Luke vs. Darth: "I'll not leave you here, in this place. I've got to save you."
Bruce vs. Kip: ?????
@ BF Skinner,
"I had 200 lbs of meat... ...Invite the neighbors over and Barbecue"
!!! You sure have a lot of neighbors, that's enough meat for 400-600 hungry people.
The most I've ever cooked for was 150 and it took two days of prep (digging a barbecue pit for a whole hog is hard work, as is filling it with wood).
To steal an acronym that must have been the Mother Of All Barbecues (MOAB).
Kip's no idiot; he just has no incentive to do a good job. If Kip saves money, his budget gets smaller and his power is reduced. If Kip does a better job reducing risk at lower cost, does he get a bonus? A medal? Nope, there is no reward.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.