Schneier on Security
A blog covering security and security technology.
« Al Qaeda Secret Code Broken |
| Norbt »
November 23, 2009
Decertifying "Terrorist" Pilots
This article reads like something written by the company's PR team.
When it comes to sleuthing these days, knowing your way within a database is as valued a skill as the classic, Sherlock Holmes-styled powers of detection.
Safe Banking Systems Software proved this very point in a demonstration of its algorithm acumen -- one that resulted in a disclosure that convicted terrorists actually maintained working licenses with the U.S. Federal Aviation Administration.
The algorithm seems to be little more than matching up names and other basic info:
It used its algorithm-detection software to sift out uncommon names such as Abdelbaset Ali Elmegrahi, aka the Lockerbie bomber. It found that a number of licensed airmen all had the same P.O. box as their listed address -- one that happened to be in Tripoli, Libya. These men all had working FAA certificates. And while the FAA database information investigated didn't contain date-of-birth information, Safe Banking was able to use content on the FAA Website to determine these key details as well, to further gain a positive and clear identification of the men in question.
In any case, they found these three people with pilot's licenses:
Elmegrahi, who had been posted on the FBI Most Wanted list for a decade and was convicted of blowing up Pan Am Flight 103, killing 259 people in 1988 over Lockerbie, Scotland. Elmegrahi was an FAA-certified aircraft dispatcher.
Re Tabib, a California resident who was convicted in 2007 for illegally exporting U.S. military aircraft parts -- specifically export maintenance kits for F-14 fighter jets -- to Iran. Tabib received three FAA licenses after his conviction, qualifying to be a flight instructor, ground instructor and transport pilot.
Myron Tereshchuk, who pleaded guilty to possession of a biological weapon after the FBI caught him with a brew of ricin, explosive powder and other essentials in Maryland in 2004. Tereshchuk was a licensed mechanic and student pilot.
And the article concludes with:
Suffice to say, after the FAA was made aware of these criminal histories, all three men have since been decertified.
Although I'm all for annoying international arms dealers, does anyone know the procedures for FAA decertification? Did the FAA have the legal right to do this, after being "made aware" of some information by a third party?
Of course, they don't talk about all the false positives their system also found. How many innocents were also decertified? And they don't mention the fact that, in the 9/11 attacks, FAA certification wasn't really an issue. "Excuse me, young man. You can't hijack and fly this aircraft. It says right here that the FAA decertified you."
Posted on November 23, 2009 at 2:36 PM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"algorithm-detection software"? That's clever...
Elmegrahi and Tereshchuk did not have pilot's licenses. Elmegrahi was an aircraft dispatcher, while Tereshchuk was a student pilot, which is quite different from being a certified pilot.
Tabib did have a pilot's license, but I don't think his offense of export control violation qualifies as terrorism.
So in none of these three cases did they actually revoke a terrorist's pilot license.
@Mark: Certainly, without their software it would take weeks sifting through data to determine if an algorithm is present...
I once turned down a job at a company that was hot to hire - they were trying to crowd source leads on terrorism and get a DHS grant for this stuff.
The idea was this: any time anyone reports anyone as being suspicious, the suspect's information goes in the database, and the suspect's precedence is upgraded. Needless to say it's an idea that was conceived by a bunch of white guys who spent their whole lives in the suburbs.
I sat for 15 minutes and then asked the man funding it what the world would be like if we put a tail on him every time some white lady felt uncomfortable around a man with dark skin.
"Uncommon" means "foreign-sounding"
SELECT name FROM certifiedPilots WHERE address='PO Box. 1234' ORDER BY likelyhoodToHijackAnAirplane DESC;
See 14 CFR 61.18 for "security disqualification" if the TSA says someone is a threat.
I would imagine it to be like the Bar Association, where there is enough discretion in the organisation to serve the public good in this matter.
"It used its algorithm-detection software to sift out uncommon names such as Abdelbaset Ali Elmegrahi, aka the Lockerbie bomber."
Okay, so they search fo that name. Strange how Google only turns up 263 hits for it and almost all of those hits seem to refer to that article.
Meanwhile, searching on the name "Al Megrahi" gets you a lot more hits.
"Elmegrahi, who had been posted on the FBI Most Wanted list for a decade and was convicted of blowing up Pan Am Flight 103, killing 259 people in 1988 over Lockerbie, Scotland."
So they searched on that name and found that name and he's a bad guy ... who's been in prison for a while but was recently released because he probably only has 3 months to live.
Yes, this is a press release. And not a particularly good one, either.
> "algorithm-detection software"? That's clever...
It detects names which sound like Abū ʿAbdallāh Muḥammad ibn Mūsā al-Khwārizmi
Maybe we should just arrest anyone who applies for a pilot's license? Or redirect their check flight to Gitmo?
I wonder if their "algorithm-detection" software can distinguish a hash digest from a random oracle.
I mean, that's "algorithm-detection", right?
Unfortunately, the airman security branch is allowed to do whatever it wants to do, with very little recourse...and any appeal you might eventually get is to an FAA administrative 'judge.'
There really is no due process when dealing with the Administration.
For instance, when those hapless pilots overshot MSP a few weeks ago, despite already being suspended by their employer, they felt the need to rush out and revoke their ATP certificates.
Completely useless, of course, as they weren't going to be flying anyway, and they could have followed the normal disciplinary procedures.
Generally, when the Administration (which is barely capable the rest of the time) does something like this, it's only a reaction to bad press, or the possibility of bad press, and they're trying to avoid having to explain themselves to Congress again.
It's all for show (but we must "do something"), and almost never for security. Of course, a hijacker or bomber is never going to be ramp checked.
Heh:) The only part missing is to start checking for FAA pilot license every time somebody climbs into cockpit.
It's not even security theatre. It's security comic club.
The pilit licenses are not much different from drivers licenses... having no license does not prevent somebody from getting into a car and driving. (And FAA plastic is quite simpler to forge... it doesn't even have photo).
The only use of that "FAA de-certification" is to tell airlines not to hire these people. As if they'd be hiring Lybian guys without verifiable resume and hundreds of hours logged in US - and forgo security checks needed to issue them passes to sterile zone.
As for GA... nobody checks your pilot license when you get into a/c. Few places renting GA a/c would bother to check if the plastic card is valid.
"The Lockerbie bomber" claims he's innocent, and he has some arguments. I won't get into this, except to say that there's a doubt. I think the software company could have found a better example.
>As for GA... nobody checks your pilot
>license when you get into a/c. Few
>places renting GA a/c would bother to
>check if the plastic card is valid.
Good for me, but I got a chuckle once when I rented a car and the rental agent let me know my license was expired as he handed me the paperwork and keys.
>I won't get into this, except to say that
>there's a doubt.
There is always doubt. The question is whether it's reasonable or not.
Justice, like security, will always be fallible, because it deals with and is dealt by humans.
So some people who were already in prison or otherwise completely visible to a criminal background check got noticed when their data was in an FAA database? How useful.
What would be more interesting to me is unravelling the history of those database entries, to figure out if the paper in question was legitimately acquired by the actual baddies pre-conviction, or shows some holes in the data-entry process.
I'm glad to see somebody else remembered where the word 'algorithm' actually came from.
"It detects names which sound like Abū ʿAbdallāh Muḥammad ibn Mūsā al-Khwārizmi"
But officer it's only SPELLED S-M-I-T-H it's PRONOUNCED Abū ʿAbdallāh Muḥammad ibn Mūsā al-Khwārizmi it's PRONOUNCED."
More security theatre...it's embarrassing (and equally worrying) that the FAA thinks that this makes the skies "safer"
You really start to question the collective intelligence of some agencies...
"detection software to sift out uncommon names such as Abdelbaset Ali Elmegrahi"
... Or people like Massoud Simnad who developed fuel rods for General Atomics, or Massad Ayoub who is a well regarded law enforcement officer and defensive firearms expert and instructor, or General John Abizaid, or President Barack Hussein Obama.....
..Or my wife, who was born in Pakistan and has an "unusual name" and flies both the US and Gadsen flags, and screams things like "WHY DO THEY WANT TO MAKE THIS COUNTRY LIKE FRANCE" at the television, more often than not....
Actually its "Throat Warbler Mangrove"...
>>I won't get into this, except to say that
>>there's a doubt.
>There is always doubt. The question is
>whether it's reasonable or not.
In the Pan Am 103 case, there is a lot of doubt. Many of the British families of the deceased have very substantial doubts that the right person - indeed, the right country - is on trial.
Unfortunately, that sounds like a conspiracy theory, but the doubting families, led by Dr. Jim Swire, are not your usual bunch of whackjobs.
The other thing to note is that the diversity of Islamic names is substantially less than that of Western names, especially for a country like the US which has several naming traditions. In much of the Muslim world, you hardly *have* a family name (a tradition shared with that well-known terrorist haven, Iceland). So false positives are way more likely.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.